Develop Third-Party Risk Calculator together with HSLU – Call for project partners

Are you a Swiss-based company interested in quantifying your third-party risk? Or would your company be interested in developing the third-party risk management tool together with us?

Contact us for more details and become part of our Innosuisse application team!

From Dr. Sandra Stupar, Lecturer and researcher at the CC Risk & Compliance, Institute of Financial Services Zug, Prof. Dr. Imke Keimer, FRM, Professor at the CC Accounting & Controlling, Institute of Financial Services Zug, and Prof. Dr. Stefan Hunziker, Professor for Risk Management and Internal Control and leader of the CC Risk & Compliance, Institute of Financial Services Zug.

Numerous companies nowadays are constantly faced with problems that need to be solved fast and reliably. Often internal resources are missing, or one-off problems appear, for which the knowledge in the company is lacking. Solving problems externally has become part of business as usual, in both SMEs as well as large enterprises. The size of the consulting market in 2019 was 160 billion USD, with some decrease in the subsequent year due to the corona pandemic (Statista, 2022).

Outsourcing to third parties occurs in many ways, some examples including:

• Creating a business model by an external company’s team
• Qualitative or quantitative analyses performed by a third-party
• Building of a whole product by an external vendor/partner
• Consulting by an external company on the best way to solve a problem or on the executive decisions to be taken

Outsourcing, however, comes with risks that should not be overlooked. Third-party risk management (TPRM) has become an ever more important topic in recent years (see e.g., (Deloitte, 2022), (Baumann & Hunziker, 2022)). Risks involved when deciding on an external/vendor solution can include (not exclusively) the following:

• Security and privacy risk – are the data kept secure externally
• Reputational risk (is the third-party carefully chosen)
• Financial and quality risk of using an external supplier/solution
• Continuity risk (if the outsourcing company stops existing or asks for more money)
• Vendor locking and dependency risk (overly high costs of changing the vendor)

Problem statement
Our goal is to help companies reach a decision and quantify their risk when trusting a third-party with a certain task. With our Third-Party Risk Calculator framework, we will aim to, qualitatively and quantitatively, map risks a company is taking by outsourcing a product or a service solution. The risk output type is still to be determined depending on the model used – risk on a scale, as a category, or as a probability. A third-party grading tool could be a possible implementation.

Benefits for your company

• Quantifying a company’s third-party risk brings numerous security, financial and reputational advantages. In the 2022 KPRM report, TPRM was rated a strategic priority by 85 percent of 1263 business professionals questioned (KPMG, 2022).
  
• Joining our project would provide your company with diverse benefits:

1. HSLU brings know-how in the risk and analytics area, broad knowledge and network access, as well as long-term experience in leading high-quality Innosuisse projects.
2. Our team would help you create a business case for a Third-party Risk Calculator, that would bring your company financial and strategic benefit.
3. We would be responsible for the model development and an MVP formulation, and your company’s chosen team would decide and work on the practical implementation of the developed risk framework.

How will the project be conducted
In the first part, we will collect the data by conducting pools, questionnaires, and conversations with the stakeholders. This will have the aim of defining the risk factors required to make a predictive analysis. Risk factors involved could include (see e.g., (Onetrust, 2021)):

• Number of times the third-party was hired by the company
• The experience of the third-party in providing the solution needed
• The size of the third-party team working on the problem
• Type and privacy level of data the company is providing to the third-party
• Security of the third-party being hired
• Are the third-party principles in alignment with that of the company

In the second part of the project, we will use risk factors previously defined to build a model that rates the final risk. By interviewing the companies and vendors, and getting access to historical information, we will aim to collect enough data to be used in our training and testing sample. We will consider a few models, depending on the amount and quality of data. Simple machine learning techniques like regression or decision trees, weighted averages with SMEs weights, and similar models would be considered.

Get in touch to find out more!

Bibliography

• Baumann, C., & Hunziker, S. (2022). Third party risk management.
• Deloitte. (2022). Global TPRM Survey.
• KPMG. (2022). Third Party Risk Management Outlook.
• Onetrust. (2021). Onetrust.com. From https://www.onetrust.com/blog/third-party-risk-management/
• Statista. (2022). statista.com. From https://www.statista.com/statistics/466460/global-management-consulting-market-size-by-sector/

The following could also be of interest to you:

• CAS Governance, Risk and Compliance
• Specialized Course Corporate Risk Management