In the complex landscape of procurement and third-party risk management (TPRM), one of the most pervasive challenges is the extended time required to onboard or engage suppliers. Conversations with senior executives in leading financial institutions confirm that the primary source of frustration is the cumbersome and often redundant risk due diligence processes. These processes are marked by numerous disjointed touch points across the organization, involving departments such as procurement, legal, TPRM (first and second lines of defense), business continuity, cybersecurity, compliance, and more.

The lack of a centralized “air traffic control” function to guide both users and third parties through the end-to-end process exacerbates the inefficiency. The absence of clear SLA expectations further compounds the problem, often resulting in onboarding timelines that stretch into months, or even over a year—an untenable situation in today’s fast-paced business environment. Companies find themselves in a difficult position, striving to balance increasing regulatory and audit requirements with the need to mitigate risk effectively, all while maintaining a competitive edge.

While challenges such as inefficient processes, inadequate oversight, and internal politics can contribute to these delays, the root cause often lies in the reliance on outdated, “unintelligent” processes. Organizations frequently turn to TPRM and procurement technology solutions with the hope of streamlining these processes and reducing time to market. However, automating inefficient processes only leads to expensive and ineffective outcomes. Process inefficiencies inadvertently lead end-users and third parties to bypass risk due diligence procedures to avoid inherent delays. Consequently, suppliers are onboarded only at the invoicing stage—an approach that occurs too late in the process and significantly increases the business's exposure to risk.

What’s needed is a paradigm shift—a move towards embedding intelligence within the process before automation. Effective risk due diligence should be driven by a framework that considers individual third-party risk profiles over time, aligning with the organization's risk appetite and tolerance. For instance, consider a scenario where a management consulting firm is engaged for six months to develop a go-to-market strategy. Naturally, a risk assessment is warranted to evaluate the firm's access to proprietary systems, data, and secure facilities. However, if a subsequent engagement occurs with the same firm for a different purpose shortly thereafter, most organizations will likely subject the business and the third party to the same rigorous and often redundant risk assessment procedures.

While adherence to regulatory and risk requirements is crucial, such redundancy can be avoided if risk profiles are accurately identified and monitored over time, in alignment with the organization’s risk parameters.

At Hatfield Advisory, we collaborate with clients to design ‘smart’ processes that can reduce third-party onboarding and engagement cycles by up to 50%. To discover how we can help your organization achieve this transformation, reach out via our contact page or contact me directly at frank.wadsworth@hatfieldadvisory.com.