With ever growing compliance requirements across industries, many more companies are upgrading or preparing to implement more vigorous management of their third parties. Available lists providing Anti-Money Laundering (AML), Politically Exposed People (PEP), Beneficial Ownership data are just examples of areas to consider when setting up Third Party Risk Management.
Not all Third Parties are equal.
What third parties are important to spend time on? If you are buying office supplies from a local company, the risk is small. If you are dealing internationally with vendors or customers for sensitive commodities or products, the risk is much greater and the costs for researching the third party are more justifiable. To effectively account for the differences, you need to create a risk profile for each third party based on your specific business. Components of the profile need to be relevant to your situation.
What countries are riskier? What contract value thresholds are relevant? What products or services are you contracting for? These are just examples of what makes up the risk profile.
Once you determine the components of your Company’s risk profile, you then need to assess and categorize a third party based on the relationship you have with them. Collecting the requisite information can come from individuals in the business, data from systems like your CRM or ERP, or a combination. In all cases, you need a process to request and control the collection and use of profiling information about the third party.
Based on your risk profile you then determine what third parties to rigorously review. You may also have to request and manage the receipt of more granular information from the third party that will be used to compare against one or more data sources for risk. Information like banking relationships, stakeholders in the business, executive names and operating locations are just a few examples.
After obtaining more granular third-party data, you then need to compare the data against available information sources to determine if you are exposed by having a relationship with the third party. Multiple data sources are sold through subscriptions, some are specific to certain global regions and others are specific to some aspect of business operations like financial reporting, criminal records, court cases and other compliance reporting domains. It is important to assess what data sources you need and which are best for your business.
Again, the process is important to initially review the third party and to have a mechanism to continually review those third parties with the greatest risk to your business. For smaller organizations, you can manually control this process and have staff directly access available databases of compliance data. For larger organizations, you can implement a system like Symfact to manage all aspects of your Third Party Risk reviews. Any system you implement must be able to support your processes, your risk profiles and your selected resource databases from initial assessment to full review and continuous monitoring.
Other items to consider are what activities start a third-party review. Is it a proposal or awarded contract? Who in the organization can provide initial assessment data? Who determines when you need to sever a third party relationship, and what is it based on? Is enhanced due diligence needed for some third parties, and what are the rules and costs involved?