When building a framework for a third party risk management program, a good solution must cover the ongoing due diligence of third parties.
Due diligence requires deeper dives into areas of risk such as IT security, financial stability, corruption and bribery etc. This can be accomplished through multiple activities, including the use of in-depth questionnaires, the screening of third parties against external databases such as World-Check, Dun and Bradstreet for financial standing and the scheduling and documenting of activities such as on-site visits, phone interviews etc.
It is estimated that 90% of the risk management team’s time will be spent on activities around existing vendors and third parties. On-going due diligence is essential to the success of the program and an area where automation can make a significant contribution.
The priority is to execute a defined monitoring program to protect against reputational and regulatory risk. Any vendors or business partners who are classified as high risk must be monitored more closely and an automated system allows firms to do this efficiently.
Once the ongoing due diligence program is active, start to look at specific tasks such as certifications and attestations to ensure firm policies are being followed through by all parties.
Click below to learn more about the other essential elements of a third party vendor risk management framework.
Third party data and contracts repository
Overcoming data dispersion to create a single integrated data pool is vital.
One of the principal challenges initiating the process to more effectively manage your third parties is the probable dispersion of
Missing third party data
It is highly probable that you will not have all the data you need from internal sources to conduct your risk assessment on the third parties. You will need to be sure that your platform is capable of gathering data from multiple external data sources.
To learn more about the different external data sources you will need, click here.
Risk scoring and assessment
Consistent risk assessment, scoring and classification are foundation activities.
Once you have your initial data about the third party, it is time to assess the risk and assign a risk classification to each vendor or third party. You will need to be methodological in your approach as regulators are expecting to see a robust, well-designed structure.
Onboarding and terminating third parties
Onboarding of new third parties is a key process for the firm and implementing procedures to ensure that the correct third parties are on-boarded is critical.
It is an important part of your
Oversight, reporting and analytics of third parties
Good oversight delivers better management and program control.
Issue and case management of third parties
A robust solution must be able to handle and help you to resolve your issues and cases.
When you are classifying the risks and conducting due diligence you also need a robust system that can manage those occasions when a supplier or third party does not meet the standards set out in your policy documents.