Third-party risk management is a constant challenge for corporate compliance programs — but why, exactly? Why does third-party risk continue to be such a headache for corporations, when regulators have been clear about the need for effective third-party risk management for at least a decade?
We can point to several factors. First is the volume of new regulation, from sanctions to privacy to antitrust and more; those new regulations can create new burdens for third-party risk management that hadn’t existed before. Second, your enterprise might enter new lines of business that create new third-party risks.
There’s also the chance that your own due diligence processes don’t work as well as they should, or that the compliance team lacks visibility into your company’s entire third-party population.
Any of those scenarios can give rise to unmanaged third-party risk floating around your enterprise. That’s the threat you need to tame, with an agile, scalable third-party risk management program.
A closer look at unmanaged third-party risk
To better understand the compliance capabilities necessary to manage third-party risk, it’s good to start with a close analysis of how unmanaged third-parties arise in the first place. Understanding those gaps in your compliance program is crucial to understanding how they should be sealed up.
- They emerge because you don’t know the party is there. This means the business unit working with a third party can avoid your due diligence and vendor onboarding procedures. You don’t have a full view of your third-party population.
- They emerge because you missed a regulatory change. Sanctions risk is a good example of this point. As regulators add persons or companies to their watch lists, if your screening tool doesn’t reflect those updates, your risk is evolving faster than your ability to monitor it.
- They emerge because the relationship has changed. For example, an overseas subsidiary might move from using a local law firm to scout real estate locations (a low risk) to using that firm to complete bids on government contracts (a high risk). If the compliance function doesn’t understand the evolving nature of that third-party relationship, you can’t identify evolving risks.
- They emerge because you lack the right tools. Especially at large corporations, it’s also quite possible that the necessary data for third-party risk management does exist somewhere in the enterprise — but the compliance function either doesn’t know about it or can’t easily capture and incorporate that data into your program. In other words, your program isn’t versatile and scalable.
There’s also the additional threat that whatever specific weakness might be allowing unmanaged risk, the weakness goes unaddressed. That is a recipe for eventual disaster: you’ll have some sort of compliance failure caused by third-party risk, and regulators won’t look kindly at the company letting its compliance capabilities fall behind the risks at hand.
Which brings us back to our original point: compliance officers know that third-party risk is a constant concern; so what can you put in place to assure that unmanaged third-party risk finally gets tamed?
How to keep third-party risk under control
A robust and scalable third-party risk management system has several core components.
First and foremost, develop strong policies and procedures for both the onboarding of third parties and the ongoing management of that relationship. Some of those policies and procedures should be self-evident, such as a requirement that all third parties complete a due diligence questionnaire before the contract begins. Other policies and procedures should be forcing mechanisms to drive compliance, such as the ability to block payments to any third party that hasn’t completed its due diligence review.
Beyond onboarding, however, your policies and procedures should also support monitoring of the third-party relationship. That includes assigning a “ relationship owner” within your enterprise who is responsible for the third party, and requirements for periodic assessments to see whether that relationship has changed.
Those policies, procedures, and controls will generate substantial volumes of data, so you must also assure that all third-party risk data is consolidated into one location — the famed “single source of truth” about risk and compliance efforts in your enterprise. This can involve some potentially daunting IT integration issues, so be sure you choose a platform that can handle multiple data formats and can work with any existing IT processes (say, for collecting due diligence questionnaires) that you already have.
Third, assure that you have solid visibility into all that data: dashboards that let the chief compliance officer see the entire picture of third-party risk, and allow versatile reporting so you can work with senior management and business units to address problems. For example, you might want to answer questions such as:
- Which relationships have changed into something riskier?
- What new regulations have arrived that need to be swept into our due diligence and monitoring?
- Which parties are reluctant to complete certifications in a timely manner?
All of those capabilities will, in turn, help the CCO have better conversations about third-party risk with the rest of the enterprise. You’ll be able to see where risks are changing, and work with leaders in the First and Second lines of defense to implement changes as necessary — rather than let those third-party risks escape into something unknown and unmanaged.
If any single word sums up the secret for effective third-party risk management, it’s agility. Compliance programs will need a keen ability to detect how risk has changed, and then implement a swift response.
In practice, that means you’ll need strong technology capabilities. You’ll need technology that can easily scale with your growing third-party population and can fit into existing business processes seamlessly to pull together relevant data and to enforce the policy. Manual processes (read: spreadsheets, email, and the like) simply can’t meet those needs. They are anything but agile, and will inevitably increase the drag on your compliance program operations.
Third-party risk is only going to get more expansive and complicated; technology is what will allow you to keep pace. Otherwise, those unmanaged risks will only get worse, and nothing good will come from that — not for your company, your compliance program, or even your job security.