How to Manage and Measure Third-Party Risk

These days, there is so much data available to us. Overburdened by choice, determining exactly which metrics to measure and report on can feel like a daunting and endless task. How can you satisfy regulators without spending every waking moment conducting risk assessments?

Since the updated guidance from the Department of Justice (DOJ) emphasizes the importance of ongoing activity and conduct monitoring in the third-party relationship lifecycle, static evaluation is no longer an option. The DOJ’s guidance now asks, “does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” Precise and ongoing monitoring, as well as an emphasis on the supporting relationship management activities required to execute those activities, are now officially the name of the game.

No matter if you’re a seasoned compliance pro or totally new to the world of risk assessment, today we’ll be unpacking the three crucial steps to manage and measure third-party risk.

Step One: Risk Assessment

The first step in third-party relationship management is understanding your unique third-party landscape by conducting risk assessments. If you want to become a trust-based business, protect your brand’s reputation, and ensure compliance, you’ll need to vet and monitor your third-party relationships. But since it is impossible to vet and monitor every individual third-party relationship, especially with limited resources, you’ll need to prioritize the highest-risk relationships first. Take the time to conduct a thorough risk assessment in order to triage your third-party relationships and supporting due diligence activities.

Third-Party Relationship Management

Since third parties aren’t governed by your organization’s oversight, the importance of relationship management cannot be overstated. Businesses, as the first line of defense, need to understand the risks their third-party relationships present by embedding risk management into general business operations. Kick off this process by assigning a relationship manager to every third party your organization does business with. This employee will be responsible for the management, maintenance, evaluation, and reporting on the relationship between your company and the third party. These vital tasks will be essential to the next two steps in the third-party risk monitoring process, detailed below. They must be knowledgeable enough to tackle the following:

• Regular contact with the third party
• Annual meetings with the third party to review their company compliance obligations
• Annual reports summarizing services provided by the third party
• Assist the company’s management and leadership with any related third-party issues

Want to reduce third-party risk? With an industry-leading third-party risk management solution, you’ll be able to automate workflows, calculate and mitigate risk, monitor your business relationships in real time, and get complete visibility into risks, trends and other key metrics. Request a free demo today.

Step Two: Initial Due Diligence and Review

Since the DOJ emphasized the need for “risk-based due diligence,” your third-party evaluation should never be one-size-fits-all. After the initial risk assessment is completed and your high-priority relationships have been identified via triage, risk-based due diligence can begin. The 2020 Update to the Evaluation of Corporate Compliance Programs lays out guidance for prioritizing due diligence questionnaires and contracting, requiring high-risk relationships to be managed on an ongoing basis.

The DOJ Update asks, “How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?” If you’ve ended up with a small group of high-priority third parties, then you can evaluate them first. But if you end up with a large group of high-priority parties, you may want to go back and refine your criteria in the triage process. Remember that the DOJ will look at your processes, so you must be able to explain your process and show your work.

Step Three: Ongoing Third-Party Risk Reporting

Do you remember those old infomercials with the tagline, “Set it and forget it?” We sure do, but unfortunately, if your third-party risk reporting has any hope of being accurate and reliable, it must be constantly monitored and reported on. But this isn’t just busy work – it will end up being the sharpest tool at your disposal if properly done. In order to objectively determine exactly how your compliance terms and conditions are followed, your ongoing monitoring needs to be systematic, independent, and easily documented. Reporting on your data will become second nature if you consistently capture, report, and analyze your third-party risk. A minimum baseline for third-party monitoring should include the following metrics:

• Existing compliance programs and code of conduct effectiveness
• The origin and legitimacy of any funds paid
• All disbursements made for or on behalf of the company
• All funds received in connection with work performed and services/equipment provided

What Does Comprehensive Third-Party Risk Assessment Look Like?

Beyond the basic third-party monitoring metrics listed above, consider the following list for additional metrics to measure and report on:

• Compliance training program review, both program content and attendance records, to determine program effectiveness
• Third-party hotline program review
• Employee expense report review for employees in high-risk positions or high-risk countries
• Gift, travel, and entertainment (GT&E) spending limits given to or accepted by governmental officials—were there any related overages?

The work isn’t done once you’ve started your oversight and monitoring; the health of your third-party management program depends on regular review. If you want to stop compliance issues in their tracks, the strength and dependability of your fortified program will eradicate issues before they become full-blown Foreign Corrupt Practices Act (FCPA) violations. For any regulator to test your report, stay consistent and fully document the steps you’ve taken. Whenever you conduct an audit of your compliance program, your meticulous metrics will help with any self-assessments down the road.

Want to see what a comprehensive third-party risk management tool looks like in action? The OneTrust team is ready to walk you through a free demo of our third-party risk software solution.

Streamline intake and compliance checks, centralize third-party profiles, automate risk assessments and flagging, monitor compliance and minimize risk with Third-Party Due Diligence from OneTrust’s unified platform for Trust Intelligence. Request a free Third-Party Due Diligence demo today.