These days there is more data available to us than we can use. Faced with that much choice, deciding exactly which third-party risk metrics to measure and report on can feel like a daunting and endless task. How can you satisfy regulators without spending every waking moment conducting risk assessments?
Since the updated guidance from the Department of Justice (DOJ) emphasizes ongoing monitoring of activity and conduct across the whole third-party relationship lifecycle, a one-time, static evaluation is no longer an option. The DOJ’s guidance now asks, “does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” Precise, ongoing monitoring, together with the relationship management work needed to carry it out, is now officially the name of the game.
Whether you’re a seasoned compliance pro or totally new to the world of risk assessment, today we’ll be unpacking the three crucial steps to managing and measuring third-party risk.
Step one: Risk assessment
The first step in third-party relationship management is understanding your unique third-party landscape by conducting risk assessments. If you want to become a trust-based business, protect your brand’s reputation, and ensure compliance, you’ll need to vet and monitor your third-party relationships. But since it is impossible to survey and oversee every individual third party at once, especially with limited resources, you’ll need to prioritize the highest-risk relationships first. Take the time to conduct a thorough risk assessment so you can triage your third-party relationships and the due diligence activities that support them.
Third-party relationship management
Since third parties aren’t subject to your organization’s direct oversight, the importance of relationship management cannot be overstated. Business units, as the first line of defense, need to understand the risks their third-party relationships present by embedding risk management into day-to-day operations. Kick off this process by assigning a relationship manager to every third party your organization does business with. This employee will be responsible for managing, maintaining, and evaluating the relationship between your company and the third party, and for reporting on it. These tasks feed directly into the next two steps of the third-party risk monitoring process, detailed below. Relationship managers must be dependable and knowledgeable enough to tackle the following:
- Implement key performance indicators (KPIs) to measure progress against your risk management program’s objectives over time
- Define key risk indicators (KRIs) for each third party that reflect your actual risk exposure, not just the presence of a control
- Initiate regular contact with the third party
- Conduct annual meetings with the third party to review its compliance obligations
- Prepare annual reports summarizing services provided by the third party
- Assist the company’s management and leadership with any related third-party issues
Step two: Initial due diligence and review
Since the DOJ emphasized the need for “risk-based due diligence,” your third-party evaluation and KRIs should never be one-size-fits-all. After the initial risk assessment is completed and your high-priority relationships have been identified through triage, risk-based due diligence can officially begin. The 2020 Update to the Evaluation of Corporate Compliance Programs lays out guidance for prioritizing due diligence questionnaires and contracting, and expects high-risk relationships to be managed on an ongoing basis rather than only at onboarding.
The DOJ Update asks, “How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?” If triage leaves you with a small group of high-priority third parties, you can evaluate them first. But if it leaves you with a large group, go back and refine your triage criteria; a tier that contains most of your third parties isn’t prioritizing anything. Remember that the DOJ will look at your processes, so you must be able to explain your actions and show your work.
Step three: Ongoing third-party risk reporting
Do you remember those old infomercials with the tagline “Set it and forget it”? We sure do. Unfortunately, if your third-party risk reporting has any hope of being accurate and reliable, the underlying data must be continuously monitored and reported on. No “one and done” data allowed here. But this isn’t just busy work: done properly, it will end up being the sharpest tool at your disposal. To determine objectively whether the compliance terms and conditions you contract for are actually being followed, your ongoing monitoring needs to be systematic, independent, and easily documented. Reporting on your data will become second nature if you consistently capture, detail, and analyze your third-party risk. A minimum baseline for third-party monitoring should include the following metrics:
- Effectiveness of the third party’s existing compliance program and code of conduct
- The origin and legitimacy of any funds paid
- All disbursements made for or on behalf of the company
- All funds received in connection with work performed and services/equipment provided
What does comprehensive third-party risk assessment look like?
Beyond the basic third-party monitoring metrics listed above, consider the following list for additional data to evaluate:
- Compliance training program review, both program content and attendance records, to determine program effectiveness
- Third-party hotline program review
- Employee expense report review for employees in high-risk positions or high-risk countries
- Gifts, travel, and entertainment (GT&E) given to or accepted from government officials, checked against the applicable spending limits: were there any overages?
KPIs to consider for a successful third-party risk management program
Remember that the measurements don’t stop with your third-party vendors; your KPIs will document your program’s success over time. Own the process by documenting the impact and effectiveness of your internal third-party risk management metrics. A few of these KPIs to consider are listed below as a jumping-off point. Tailor your risk management metrics to fit your specific organization.