The U.S. Department of Justice (DOJ) 2020 Update to the Evaluation of Corporate Compliance Programs devotes an entire section to third-party risk management, with particular emphasis on a “risk-based due diligence” approach. In this case, “risk-based” means that you will evaluate and manage each third party differently, depending on the nature and level of risk that they present to your company.
Consider a company undergoing the risk management process with a database of several thousand third parties. According to the DOJ’s guidance, it’s necessary to prioritize due diligence, questionnaires, and contracting with the third parties that present highest risk – and manage those relationships differently on an ongoing basis – before tackling low-risk relationships. Triage is how you determine where each third party falls in that ranking of priorities.
“Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?”
—DOJ’s 2020 Update to the Evaluation of Corporate Compliance Programs
The appropriate risk priority for each third party depends on company size, transaction, and type of third party. These categories and several others may determine how you choose to design your triage process. Consider the following common factors that influence the level of risk that a third party may represent:
Each option within the categories above should have a value or risk level attached to it. For example: you may rank the level of risk within each country on a scale from 1-5. Take the same approach to contract values and your other risk categories. When assigning a priority level to a potential or existing third party, measure how they stack up in the categories listed above. You may choose to evaluate each category independently or apply a formula to aggregate risk across all categories or some combination of categories. For example, maybe your highest-risk relationships are contracts of a certain size within a certain country – and any third parties that meet those criteria fall into your high-priority category.
Undergoing this process with your existing third-party relationships should help you narrow down which third parties require immediate due diligence, versus which third parties are lower risk and can be evaluated later or less comprehensively. The goal is to end up with a small group of third parties that are high-priority, so you can move forward with evaluating your highest-risk third parties first. If you end up with a large group of high-risk third parties, consider refining your criteria for high-risk versus medium- or low-risk.
Depending on how you’ve designed your triage process and priority criteria, you may decide that low-risk third parties require a less stringent due diligence process or may not require a questionnaire. DOJ guidance states that prosecutors “should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners,” so it is essential that you can show the process by which you determine each third party’s risk level and the risk-based due diligence approach you follow thereafter.
The goal of the triage process is to have a sustainable, scalable, risk-based third-party risk management strategy.
Looking for a tool to help you automate a risk-based due diligence process? OneTrust’s third-party due diligence software empowers you to automate onboarding, conduct compliance checks and screening, analyze risks, and keep all third parties in a convenient, centralized directory that’s prioritized by automated risk tiering.