With every passing year, effective corporate compliance depends more and more on the successful use of technology. There’s just no practical way to meet the demands of modern regulatory compliance without it. Take, for example, software for third-party risk assessment.
Let’s consider how compliance officers can approach a common technology task: How should you choose the right software for third-party risk assessment? We’ll begin with what a third-party risk assessment should accomplish, and then move to how technology can support that effort.
What is a Third-Party Risk Assessment?
A third-party risk assessment examines and documents all the ways that one of your business partners—a vendor, a local distributor, a customer, a joint venture partner, and others—might bring risk to your business. Some of those risks might be regulatory, where misconduct by the third party brings legal liability to your company. Others might be operational, where a failure by a third party somehow disrupts your business operations. Third parties can also bring risk to your supply chain, reputation, and finances.
Most compliance professionals already know a common example of corruption risk: an overseas agent working on your company’s behalf bribes foreign government officials to secure business. That is a violation of the U.S. Foreign Corrupt Practices Act (FCPA) and other anti-bribery statutes around the world; and now your company faces FCPA liability thanks to that third party.
Technology solutions can pose security or privacy risks. Suppliers can pose reputation risks (perhaps they use forced labor to make components, and that news is shotgunned onto Twitter) or operational risks (you cut ties with the supplier and suddenly need to source substitute parts). Many times, a third party will pose multiple risks to your business.
A third-party risk assessment tries to evaluate all the ways a third party’s conduct might bring risk to your organization, so that you can then implement appropriate controls to reduce those risks to acceptable levels.
Why is a Third-Party Risk Assessment Important?
Without an assessment of your third-party risks, you cannot manage those risks to any useful degree. That invites all sorts of trouble.
Foremost, you won’t meet the standards for an effective corporate compliance program as dictated by guidance from the U.S. Justice Department. That guidance devotes an entire section to how a business should oversee its third parties; assessing their risks is the first step in that task. So without third-party risk assessment, your compliance program isn’t effective—which can bring a much more severe response from regulators (larger monetary penalties or an outside compliance monitor, for example) if your business ever comes under investigation.
Second, your business faces the risk of greater operational disruption. An unreliable vendor might fail at a critical moment, leaving your employees unable to work or causing valuable data to disappear forever. An unreliable supplier might leave your operations stuck without mission-critical supplies, wasting your money, and costing you sales. A third-party risk assessment brings those issues to light early, rather than you discovering those threats the hard way.
Third, a company that can’t manage its third-party risks is less attractive to customers than rivals that can manage their third-party risks—because your third parties are your customers’ fourth parties, and your customers want assurances that those far-flung parts of the supply chain won’t affect them. A business that can assess, document, and manage its third-party risks brings that much more assurance to the marketplace when it tries to woo customers.
How Do You Do a Third-Party Risk Assessment?
All third-party risk assessments follow the same basic steps:
- Inventory the third parties your business has: who those third parties are and the services they provide to your business.
- Identify the various risks each third party could pose to your organization, given the services it provides. For example, overseas agents pose corruption risk whereas technology vendors typically do not.
- Use a risk-assessment questionnaire or checklist as a first step to assess the extent of a third party’s risk. For example, ask overseas agents whether they have any family or business ties to any government officials.
- For high-risk third parties, such as local agents in highly corrupt countries or vendors that provide mission-critical services, try to confirm their risks through independent means. This could include conducting background checks on the third party’s senior leaders, having your IT team run a penetration test on a tech vendor, or researching adverse media reports on key suppliers.
- Where necessary, implement appropriate internal controls to bring a third party’s risks down to acceptable levels: no payments to a high-risk agent unless the check is approved by the compliance team; regular security audits; contracts with backup suppliers; and so forth.
- Document all the assessment and internal control work for any future audits or regulatory reviews.
In one form or another, all third-party risk assessments follow this process. The question for large organizations—which will routinely have thousands of third parties working within their enterprise—is how to manage third-party risk assessment at scale. Which brings us to how compliance officers should use technology.
What to Look For in Third-Party Risk Management Software
Every business will have its own specific factors to consider when looking for third-party risk management software. The best way to narrow the field from many potential vendors to the few that will work best for you is to focus on a few broad questions.
First, does the software actually work? That is, can the software vendor meet your needs and deliver what it promises? Begin by checking with other compliance officers to ask what they’ve experienced with the vendor. Determine what the software does well, identify any gaps in the offering, and understand what customizations can be made to tailor the solution to fit your needs.
Does the software help you execute compliance tasks? Third-party risk management involves many individual tasks for a potentially huge range of third parties. Does the software help you and your team to manage that work? Can it provide reminders to perform certain steps (due diligence checks, internal control testing) at the proper times? Can it provide alerts when certain tasks aren’t done, such as failing to complete a risk assessment questionnaire? Can it analyze third-party data in bulk, to provide compliance officers with a comprehensive view of the company’s third-party risks? Understanding the impact the software will have on current operations is key.
How does the platform handle enhanced due diligence? Many platforms provide basic workflows for bringing a third party through your risk assessment process, but what happens when enhanced due diligence needs to take place? Find a solution that integrates higher level reports directly into the platform to avoid this becoming a manual process that can get lost in the mix.
What are the Benefits of Using Third-Party Risk Management Software?
Above all, third-party risk management software brings consistency and discipline to what can otherwise be a complicated, messy task. A manual approach to third-party risk management—where the compliance team chases down third parties, risk assessments, and documentation through emails and spreadsheets—is simply too burdensome and prone to error. People will lose track of individual parties, or overlook incomplete risk assessments, or forget to confirm that necessary internal controls were implemented.
Third-party risk management software brings structure to that chaos. You can design workflows to guide employees through the risk management process. Tasks will run faster thanks to the automation of tedious steps such as due diligence or alerts about incomplete controls. Documentation can be generated in a consistent format, which is something regulators want to see; analytics can happen and drive better insight into where your risk management needs improvement. Reporting can be more accurate, allowing for better discussions with the C-suite, the board, or business partners about how well your third-party risks are controlled. The right technology solution has the potential to transform your program, so ensure you select the best tool possible for your organization's needs.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.