All businesses work with third parties, and every third party brings some risk into the relationship. Effective third-party risk management is therefore crucial both to a modern corporate compliance program and to business success generally.
Compliance professionals already understand that fundamental point. The actual design and implementation of a third-party risk management program, on the other hand — that’s a lot more ground to cover.
What is Third-Party Risk Management?
Conceptually, third-party risk management is your ability to assess, reduce, and monitor the risks that third parties bring while they are in a business relationship with your enterprise.
For example, many global businesses need to work with local agents when doing business overseas. Sometimes working with a local agent is required by the other country's laws; sometimes it is just good business sense. Either way, working with that local agent exposes your company to risk. If the agent bribes government officials in that country, your company can face enforcement under the U.S. Foreign Corrupt Practices Act (FCPA) or other anti-corruption statutes, even though your own employees paid nothing.
Corruption risk, litigation risk, reputation risk, financial risk, cybersecurity risk: third parties can bring them all to your company’s doorstep, and your business needs to address them all somehow.
The challenge for compliance officers is how to assess, reduce, and monitor third-party risk at scale — since most businesses now have at least dozens of third parties, and large companies will have many thousands. Each one can bring any combination of the risks we just outlined.
A challenge of that magnitude requires a third-party risk management program that brings rigor and consistency to your oversight of third parties. Without a disciplined program and a due diligence process that can run at scale, you will not keep pace with the risk, and the rest of your compliance program will suffer for it.
What Makes a Third-Party Risk Management Program Successful?
Clear roles and responsibilities
All risk management begins with knowing who in the enterprise is responsible for doing what tasks in your risk management program, so begin by defining those roles and responsibilities clearly.
For example, compliance officers might compile a due diligence questionnaire for third parties. Each operating unit of the business, meanwhile, should be responsible for putting that questionnaire to the third parties it engages, and should be held accountable if it starts working with a third party before due diligence is complete.
Proper inventory of third parties
To manage your third parties at scale, you need to know who your third parties actually are. So a crucial element of third-party risk management is maintaining an inventory of all your third parties. That inventory should include several points of data for each party, such as:
- All known names and variants of the party: "John Smith Inc." as well as "J. Smith Inc." and other abbreviations, so that the same party is not recorded twice or missed under an alias.
- Category of the business relationship: local agent overseas, joint-venture partner, supplier, professional services vendor, technology vendor, and so forth.
- Any risk rating you might assign to the third party after completing due diligence.
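As an added example (not from the article), here is a small Python sketch of an inventory with the three data points above, plus the check implied by the roles discussion earlier: which operating units are working with a third party that is not in the inventory or has not finished due diligence. The party IDs, category labels, sample records and engagement list are all constructed for illustration, and the name normalizer is a toy; note that it deliberately does not try to equate "John" with "J.", which is exactly why the inventory has to store every known alias rather than rely on matching.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Corporate suffixes dropped during normalization so that
# "Acme Cloud Services LLC" and "Acme Cloud Services" compare equal.
_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh", "plc", "sa"}


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation, drop trailing corporate suffixes."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    while tokens and tokens[-1] in _SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


@dataclass
class ThirdParty:
    party_id: str                      # hypothetical internal identifier
    names: List[str]                   # every name/abbreviation the party is known by
    category: str                      # e.g. "local agent", "technology vendor"
    risk_rating: Optional[str] = None  # assigned after due diligence; None = not complete


class Inventory:
    def __init__(self) -> None:
        self._parties = {}   # party_id -> ThirdParty
        self._by_name = {}   # normalized alias -> party_id

    def add(self, party: ThirdParty) -> None:
        self._parties[party.party_id] = party
        for name in party.names:
            key = normalize_name(name)
            # An alias already owned by a different party means a duplicate record.
            if key in self._by_name and self._by_name[key] != party.party_id:
                raise ValueError(f"{name!r} already belongs to {self._by_name[key]}")
            self._by_name[key] = party.party_id

    def lookup(self, name: str) -> Optional[ThirdParty]:
        pid = self._by_name.get(normalize_name(name))
        return self._parties.get(pid) if pid else None

    def due_diligence_gaps(self, engagements: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
        """Flag engagements whose vendor is unknown or has no completed due diligence."""
        gaps = []
        for unit, name_as_entered in engagements:
            party = self.lookup(name_as_entered)
            if party is None:
                gaps.append((unit, name_as_entered, "not in inventory"))
            elif party.risk_rating is None:
                gaps.append((unit, name_as_entered, "due diligence incomplete"))
        return gaps


def build_sample_inventory() -> Inventory:
    """Constructed sample records; not real companies."""
    inv = Inventory()
    inv.add(ThirdParty("TP-001", ["John Smith Inc.", "J. Smith Inc."], "local agent", "medium"))
    inv.add(ThirdParty("TP-002", ["Acme Cloud Services LLC"], "technology vendor"))  # DD pending
    return inv


# Constructed engagement list: (operating unit, vendor name as the unit typed it).
SAMPLE_ENGAGEMENTS = [
    ("EMEA sales", "J. SMITH, INC"),
    ("IT", "Acme Cloud Services"),
    ("Finance", "Globex Ltd"),
]


def find_gaps() -> List[Tuple[str, str, str]]:
    return build_sample_inventory().due_diligence_gaps(SAMPLE_ENGAGEMENTS)


if __name__ == "__main__":
    for unit, name, reason in find_gaps():
        print(f"{unit}: {name!r} -> {reason}")
```

Running it reports that IT is using a vendor whose due diligence is still open and that Finance is working with a party the inventory has never heard of, which are precisely the two failures the article goes on to describe.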
A risk management framework
A framework is a methodology to help compliance officers and other employees work through the risk mitigation that’s necessary to bring risks down to acceptable levels. (We recently reviewed compliance frameworks, if you want to take a deeper dive into the subject.)
A risk management framework helps compliance officers identify the policies and procedures they should have in place to manage third-party risk, and then map out the mitigation needed to close the gap between that ideal state and the company's current state.
Workflows to assess and mitigate risk
Workflows organize compliance-related tasks into a logical sequence so they can be executed more efficiently, and ideally in an automated fashion, so that employees carry no more of the burden than necessary.
Workflows therefore lighten the compliance load on employees and, as a by-product, generate data on how the third-party risk management program is performing that can be reported to senior management. The more of the program you can run through workflows, the better.
Monitoring and reporting tools
A third-party risk management program should generate data that provides a complete, accurate picture of how well the program is working. That data can then feed into automated reports or alerts about third-party risk that the compliance officer can use to identify troubling trends, brief senior managers on third-party risk, or launch new mitigation efforts to strengthen weak parts of the program.
Why is Third-Party Risk Management Important?
As we mentioned earlier, third parties bring a host of risks to your company. Without an effective third-party risk management program, the odds increase that one or more of those risks will strike your company somehow, with all the financial costs, operational distraction, and reputation damage that follow. The result: management ends up spending its time responding to those risk management meltdowns rather than pursuing its business objectives. For those reasons alone, third-party risk management is important.
Moreover, third-party risk management is important because regulators say it’s important. For example, the U.S. Justice Department has published extensive guidance about effective corporate compliance programs, and the ability to manage third party risk is a major theme. Regulators in Britain, France, and elsewhere have published similar guidance, and those documents also cite third-party risk management as crucial to compliance success.
So without effective third-party risk management, your company faces all the practical fallout we mentioned above, plus the threat of regulators imposing more monetary penalties. Those penalties could easily run to many millions of dollars, plus the internal costs of working with regulators during their investigation.
What Common Problems Do TPRM Programs Face?
A good way to answer this question is to review the elements of a successful program, mentioned above, and consider how each could go wrong.
Roles and responsibilities aren’t clear
This means tasks that should be done end up ignored or done poorly. Remediation work falls behind schedule, emerging risks go undetected, controls don’t address the risks they should. Even worse: with no accountability for third-party risk management, employees will feel emboldened to disregard the program and let all manner of third-party risk build up within your enterprise.
The inventory of third parties is incomplete
Without an understanding of all the third parties your enterprise has, or what purpose those relationships serve, your compliance program can’t apply the proper internal controls to govern a third party wisely.
Incorrectly using risk management frameworks or tools
Misapplying a framework and misusing a tool lead to the same outcome: your risk mitigation work (developing policy and procedure, testing controls, performing due diligence, documenting actions, and so forth) requires more labor and is less effective at the same time. A third-party risk management program must work at scale, which means disciplined, rigorous processes, automated as much as possible.
Poor monitoring and reporting
If compliance officers can’t monitor risk management activity with accuracy, they can’t understand how well the program is or isn’t working. That means the compliance officer won’t reach the correct conclusions about improvements that should be made; and worse, won’t be able to brief senior executives (or the board, or regulators) with confidence about the company’s risk management posture.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt's personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere's "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.