
Integrating third-party data into your third-party risk management (TPRM) program - Integrating with third party systems

By Matt Kelly tagged third-party risk management, data privacy

We’ve explored the need for better third-party risk management many times on this blog, and for good reason - “TPRM” is now a central pillar of effective compliance platforms, and poor TPRM is a constant source of compliance risk.

Still, building an effective third-party risk management program is tricky. The average large corporation could easily have thousands of third parties in its extended enterprise, and those parties are providing a wider range of services than ever before.

This means that even after you identify all your third parties and determine what types of information you want from them (daunting tasks unto themselves), you still have the technical challenge of “curating” all that data — that is, validating the completeness and accuracy of the information you receive, and transforming it into a single format that you can use to actually manage your third-party risk.

What are the data challenges in TPRM?

The fundamental challenge for compliance officers is that the information you receive from third parties is, for lack of a better word, messy. Your compliance program ends up with piles of data, but no easy way to wrestle those piles into a single source of truth that you can use to understand your third-party risks and manage them appropriately.

For example, you might have third-party data arriving in too many channels and too many formats. Some parties might fill out due diligence questionnaires you send to them; others might submit their own standard forms. Some parties might report financial numbers in their own currencies; others might convert them to U.S. dollars or euros but forget to tell you. In extreme cases, you might get photocopied documents or handwritten forms faxed to you.

From that challenge flows the next one - your compliance team spends too much time chasing down and processing third-party data. If that data is scattered across various databases (or worse, individual employees’ computers), someone will need to find it and transfer it into your compliance IT systems, transforming it into a single format along the way. The more inconsistent your third-party data is, the longer this will take and the less efficient your compliance efforts will be.

Those two dysfunctions set the scene for a third and even more serious challenge. If you don’t have a disciplined approach to managing third-party data, you can’t manage your third-party risks. For example, screening high-risk parties becomes less reliable because the IT system might miss that “J. Smith” and “John Smith” are the same person. Reporting your risks (say, to the board or regulators) becomes more difficult because you can’t be sure you’ve captured all relevant data.

In other words, without strong data management capabilities, you can do all the labor of third-party risk management and still be exposed to third-party risks. Good luck explaining that to the board if a compliance failure then happens.

How should TPRM programs handle data?

If those are the shortcomings of poor data management in your TPRM program, then from there we can reverse-engineer the capabilities your TPRM program does need to integrate all that data and put it to good use identifying and managing risks.

First, the system should be able to handle multiple types of data, which might arrive in multiple formats. For example, you might receive data that uses different formats to express calendar dates; or your third parties might use different labels for the same type of data (say, “name” and “identity” for the owner of the business). Your TPRM system must be able to extract all that data and normalize it according to whatever standards and categories you define.

Second, your TPRM system will need to preserve all that data in a single location — the “single source of truth” that we talk about so often. When you consolidate all third-party risk data into a single repository, that assures the completeness and accuracy of your information. The compliance officer can be more confident in data analysis you might undertake to find weaknesses in your program, and in the reports you pass along to management about the company’s overall risk profile.
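The two steps above (normalize heterogeneous submissions, then consolidate them into one repository) and the “J. Smith” / “John Smith” matching problem raised earlier can be made concrete with a small intake routine. The code below is an added example written for this post, not code from the original article or from any product; the canonical field names, the label aliases, the accepted date formats, and the two sample submissions are all constructed assumptions. It maps each party’s own labels onto one schema, parses dates without guessing when day and month are ambiguous, keeps revenue figures in the currency the party stated (flagging figures that arrive with no currency at all), records every completeness or validation issue on the record so a reviewer can chase it, and derives a screening key under which the two spellings of the owner’s name collide.

```python
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# Assumed canonical schema for the single repository; labels seen on inbound
# forms are mapped onto these names. Extend the alias table as new forms appear.
FIELD_ALIASES = {
    "name": "legal_name", "vendor_name": "legal_name", "company": "legal_name",
    "identity": "owner_name", "owner": "owner_name", "beneficial_owner": "owner_name",
    "country": "country", "jurisdiction": "country",
    "incorporated": "incorporation_date", "incorporation_date": "incorporation_date",
    "founded": "incorporation_date",
    "revenue": "annual_revenue", "annual_revenue": "annual_revenue", "turnover": "annual_revenue",
}
REQUIRED = ("legal_name", "owner_name", "country", "incorporation_date", "annual_revenue")
# Date layouts accepted from third parties (assumption). Day-first and month-first
# layouts both appear, so a string that parses two ways is rejected, not guessed.
DATE_FORMATS = ("%Y-%m-%d", "%d/%m/%Y", "%m/%d/%Y", "%d.%m.%Y", "%B %d, %Y")
# Optional ISO-4217 code before or after a thousands-separated number.
AMOUNT_RE = re.compile(r"^\s*([A-Z]{3})?\s*([\d,]+(?:\.\d+)?)\s*([A-Z]{3})?\s*$")


@dataclass
class ThirdParty:
    legal_name: Optional[str] = None
    owner_name: Optional[str] = None
    country: Optional[str] = None
    incorporation_date: Optional[date] = None
    annual_revenue: Optional[float] = None
    revenue_currency: Optional[str] = None
    issues: List[str] = field(default_factory=list)  # what a reviewer must chase


def parse_date(raw: str) -> Tuple[Optional[date], Optional[str]]:
    """Return (date, issue). Ambiguous day/month strings yield no date plus an issue."""
    parsed = set()
    for fmt in DATE_FORMATS:
        try:
            parsed.add(datetime.strptime(raw.strip(), fmt).date())
        except ValueError:
            pass
    if not parsed:
        return None, f"unparseable_date:{raw!r}"
    if len(parsed) > 1:
        return None, f"ambiguous_date:{raw!r}"
    return parsed.pop(), None


def parse_amount(raw: str) -> Tuple[Optional[float], Optional[str], Optional[str]]:
    """Return (amount, currency, issue). No conversion; a figure with no currency is flagged."""
    m = AMOUNT_RE.match(raw)
    if not m:
        return None, None, f"unparseable_amount:{raw!r}"
    amount = float(m.group(2).replace(",", ""))
    currency = m.group(1) or m.group(3)
    if currency is None:
        return amount, None, "currency_unspecified"
    return amount, currency, None


def name_key(name: str) -> Tuple[str, str]:
    """Screening key (surname, first initial); assumes given-name-first order."""
    parts = re.sub(r"[^\w\s]", " ", name).split()
    if not parts:
        return ("", "")
    return (parts[-1].lower(), parts[0][0].lower())


def normalize(raw: Dict[str, str]) -> ThirdParty:
    """Map one submission, whatever its labels, onto the canonical record."""
    rec = ThirdParty()
    for label, value in raw.items():
        canon = FIELD_ALIASES.get(label.strip().lower().replace(" ", "_"))
        if canon is None:
            rec.issues.append(f"unknown_field:{label}")
            continue
        issue = None
        if canon == "incorporation_date":
            rec.incorporation_date, issue = parse_date(str(value))
        elif canon == "annual_revenue":
            rec.annual_revenue, rec.revenue_currency, issue = parse_amount(str(value))
        else:
            setattr(rec, canon, str(value).strip())
        if issue:
            rec.issues.append(issue)
    for name in REQUIRED:  # completeness check against the canonical schema
        if getattr(rec, name) is None:
            rec.issues.append(f"missing:{name}")
    return rec


def find_duplicate_owners(records: List[ThirdParty]) -> Dict[Tuple[str, str], List[str]]:
    """Group legal names whose owner names collide on the screening key."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for rec in records:
        if rec.owner_name:
            groups.setdefault(name_key(rec.owner_name), []).append(rec.legal_name or "")
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample submissions: the same party reported via two different forms.
SAMPLE_SUBMISSIONS = [
    {"Vendor Name": "Acme Widgets Ltd", "Owner": "John Smith", "Jurisdiction": "GB",
     "Incorporated": "2015-06-30", "Turnover": "GBP 4,500,000"},
    {"name": "Acme Widgets Ltd", "identity": "J. Smith", "country": "GB",
     "founded": "03/04/2015", "revenue": "4,500,000"},
]

if __name__ == "__main__":
    records = [normalize(s) for s in SAMPLE_SUBMISSIONS]
    for r in records:
        print(r)
    print("owner collisions:", find_duplicate_owners(records))
```

The second submission illustrates the failure modes the post describes: its date could be 3 April or 4 March, so it is recorded as an issue rather than silently picked, and its revenue carries no currency, so the figure is kept but flagged instead of being assumed to be in dollars. The issues list travels with the record into the repository, which is what makes the resulting single source of truth defensible when a regulator or customer asks how a gap was handled.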

Moreover, a single source of truth allows for better documentation and evidence relevant to your TPRM program. That’s useful when regulators want to review your compliance program during an investigation. It’s even more useful when demonstrating your compliance capabilities to potential customers — because they are just as worried about third-party risk as you are. The better your company is at third-party risk management, the more attractive your company will be as a third party to potential customers.

All of those capabilities will, ultimately, lead to better screening against multiple watch lists. That’s going to be vital in 2023 and beyond, as countries around the world keep using sanctions as a tool for law enforcement and foreign policy; and as countries also keep increasing their enforcement of anti-corruption statutes. Strong data management and integration capabilities will also help the chief compliance officer with better risk assessments and better ongoing monitoring of third parties, which will be invaluable as corporations increase their use of third parties for a host of needs.

Leveraging data for transparency and ethics

Strong management of third-party risk data can also help compliance officers get ahead of potential compliance risks. That is, not only will you be able to identify (and report) troublesome transactions more quickly; you’ll gain more visibility into your third-party ecosystem overall — and then you can shape that ecosystem toward more ethical behavior in the first place.

For example, you’d have more ability to identify the characteristics of high-risk third parties in your extended enterprise, and then strengthen due diligence and onboarding policies to weed them out. Or you might conclude that your company needs better ethics and compliance training for First Line operating employees, or different incentive compensation structures, or some other reform. Our point here is simply that better management of third-party risk data lets you find deeper insights about those third parties, so you can build a better TPRM program.

As a bonus, your TPRM program focused on compliance risks might also uncover other supply chain issues that your company could address. For example, the company could streamline the number of suppliers it has, or develop better contingency plans for what to do when key suppliers become high-risk parties that need to be disconnected from your enterprise.

Conclusion

Strong third-party risk management programs are no longer just about compliance risks. Rather, a good TPRM program is now vital for managing a wide range of enterprise risks and for strategic planning as well.

The challenge is in automating the tasks of third-party risk management, so you can manage the risks at scale. That means any fit-for-purpose TPRM effort must be able to integrate a wide range of third-party risk data, and consolidate all that information into a single source of truth for better risk assessments, screening, documentation, and reporting.

Only then will chief compliance officers be able to navigate today’s highly regulated business environment, and have more productive conversations with the rest of the management team so the company can make better decisions.

That’s the goal here, and it all depends on the data.