Triage: The First Step for Effec...
Triage: The First Step for Effective Thi...

Triage: The First Step for Effective Third-Party Due Diligence

Prioritize your third parties, ensure they align with your values, and comply with DOJ guidance

Jenna Thomas Senior Manager, Content Marketing

clock4 Min Read

Featured Image

The U.S. Department of Justice (DOJ) 2020 Update to the Evaluation of Corporate Compliance Programs devotes an entire section to third-party risk management, with particular emphasis on a “risk-based due diligence” approach. In this case, “risk-based” means that you will evaluate and manage each third party differently, depending on the nature and level of risk that they present to your company.

Consider a company undergoing the risk management process with a database of several thousand third parties. According to the DOJ’s guidance, it’s necessary to prioritize due diligence, questionnaires, and contracting with the third parties that present highest risk – and manage those relationships differently on an ongoing basis – before tackling low-risk relationships. Triage is how you determine where each third party falls in that ranking of priorities.

“Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?”

DOJ’s 2020 Update to the Evaluation of Corporate Compliance Programs

How to design a third-party triage process

The appropriate risk priority for each third party depends on company size, transaction, and type of third party. These categories and several others may determine how you choose to design your triage process. Consider the following common factors that influence the level of risk that a third party may represent:

  • Type of third party (bank, consultancy, reseller, etc)
  • Contract value
  • Country
  • Government interaction
  • Industry

Each option within the categories above should have a value or risk level attached to it. For example: you may rank the level of risk within each country on a scale from 1-5. Take the same approach to contract values and your other risk categories. When assigning a priority level to a potential or existing third party, measure how they stack up in the categories listed above. You may choose to evaluate each category independently or apply a formula to aggregate risk across all categories or some combination of categories. For example, maybe your highest-risk relationships are contracts of a certain size within a certain country – and any third parties that meet those criteria fall into your high-priority category.

Putting your third-party triage process into practice

Undergoing this process with your existing third-party relationships should help you narrow down which third parties require immediate due diligence, versus which third parties are lower risk and can be evaluated later or less comprehensively. The goal is to end up with a small group of third parties that are high-priority, so you can move forward with evaluating your highest-risk third parties first. If you end up with a large group of high-risk third parties, consider refining your criteria for high-risk versus medium- or low-risk.

Depending on how you’ve designed your triage process and priority criteria, you may decide that low-risk third parties require a less stringent due diligence process or may not require a questionnaire. DOJ guidance states that prosecutors “should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners,” so it is essential that you can show the process by which you determine each third party’s risk level and the risk-based due diligence approach you follow thereafter.

The goal of the triage process is to have a sustainable, scalable, risk-based third-party risk management strategy.

Key takeaways for third-party triage:

  • Design a triage process that surfaces high-risk third parties as determined by a set of common factors.
  • Assign each current and potential third party a priority level based on risk.
  • Assess your highest-risk third parties first.

Looking for a tool to help you automate a risk-based due diligence process? OneTrust’s third-party due diligence software empowers you to automate onboarding, conduct compliance checks and screening, analyze risks, and keep all third parties in a convenient, centralized directory that’s prioritized by automated risk tiering.

Request a Third-Party Due Diligence Demo

You Might Also Be Interested In


NOVEMBER 28, 2022

From Sapin II to Sapin III: France’s anti-corruption fight

NOVEMBER 25, 2022

7 myths about SOC 2 compliance

NOVEMBER 18, 2022

What every Chief Privacy Officer should know  about third-party risk management

NOVEMBER 17, 2022

The role of disclosures in risk assessment and mitigation 

NOVEMBER 15, 2022

US climate risk rule could affect more than 5,700 federal suppliers

NOVEMBER 14, 2022

The COP27 climate summit: What to expect and why it matters

NOVEMBER 10, 2022

CSRD update: EU approves new ESG disclosure rules

NOVEMBER 9, 2022

SOC 2: Starting your audit process

BackToTop
Onetrust All Rights Reserved