Missing Third Party Data
Building a framework for a third party vendor risk management program.
Comprehensive data sets are essential to ensure effective control.
It is highly probable that you will not have all the data you need from internal sources to conduct your risk assessment on third parties. You will need to be sure that your platform is capable of gathering data from multiple external data sources.
The external data you need can come from either (a) generic external data sources e.g., company, market data, news items (b) from the third parties themselves, or (c) potentially internal employees that have relationships with the third parties. You will need a system that has the ability to capture data from:
- External sources, including feeds from firms like Thomson Reuters, Standard & Poor's (S&P), and Dun & Bradstreet. These feeds allow you to automatically run checks on any third party or business partner, and ideally, they should be integrated into the system and run off the same platform.
- Questionnaires and profile data completed by the third party themselves.
- Questionnaires completed internally by relationship managers or other internal staff that have insights on the third parties being monitored.
The ability to push out information requests to third parties is an essential element in a dynamic vendor risk management solution. It should have good questionnaire functionality (Think SurveyMonkey® on steroids) and have features for assurance of completion. The better this type of functionality is, the more efficient your data gathering process will be.
Gathering data is only one part of an effective
Click below to learn more about the other essential elements of a third party vendor risk management framework.
Third party data and contracts repository
Overcoming data dispersion to create a single integrated data pool is vital.
One of the principal challenges initiating the process to more effectively manage your third parties is the probable dispersion of
Risk scoring and assessment
Consistent risk assessment, scoring and classification are foundation activities.
Once you have your initial data about the third party, it is time to assess the risk and assign a risk classification to each vendor or third party. You will need to be methodological in your approach as regulators are expecting to see a robust, well-designed structure.
Third party due diligence
This part of the process requires deeper dives into areas of risk such as IT security, financial stability, corruption and bribery etc.
This is accomplished through multiple activities including the use of in-depth questionnaires, the screening of third parties against external databases such as World-Check, Dun and Bradstreet for financial standing and the scheduling and documenting of activities such as on-site visits, phone interviews etc.
Onboarding and terminating third parties
Onboarding of new third parties is a key process for the firm and implementing procedures to ensure that the correct third parties are on-boarded is critical.
It is an important part of your
Oversight, reporting and analytics of third parties
Good oversight delivers better management and program control.
Issue and case management of third parties
A robust solution must be able to handle and help you to resolve your issues and cases.
When you are classifying the risks and conducting due diligence you also need a robust system that can manage those occasions when a supplier or third party does not meet the standards set out in your policy documents.