Vendor risk management and, in particular, third party risk management has become one of the toughest issues companies face—especially after a string of high-profile compliance failures in recent years. The majority of compliance professionals have a solid understanding of the potential liability associated with third parties. They struggle, however, with how to deal with that risk.
To better understand this growing problem, we’ve recently released our first Third Party Risk Management Benchmark Report. The research, conducted in partnership with an independent firm, seeks to address questions surrounding third party risk, including:
- Who owns third party risk management and due diligence activities?
- How are organizations using vendors to assist with third party due diligence?
- How does continuous, automated due diligence affect ROI and exposure to risk?
We surveyed 321 individuals responsible for ethics and compliance programs in their organizations. Below are just a few of the key findings from the report. To see all the findings, and get additional analysis and insights, click here to download the full report at any time.
1) Top E&C Concerns
It is not a huge surprise that bribery, fraud and conflicts of interest top the list of third party concerns. Many such cases carry large fines and penalties along with civil and criminal sanctions, including debarment—some against individuals and insiders in the organization.
However, though many organizations know which third party failures they should fear, other report findings show that they have not yet built sufficient programs—with appropriate FTEs, budgets, risk-based third party management approaches and more—to protect themselves from those risks.
2) Number of Third Parties Organizations Work With
While 50 percent of respondents manage between 100 and 4,999 third parties, and an additional 20 percent manage fewer than 100, 11 percent of respondents don’t know how many third parties their organization manages.
The 11 percent of respondents who aren’t sure is concerning. It may mean that their third parties haven’t all been identified or that they are not tracked in a meaningful way. It could also mean that within those 11 percent of respondents, there are ongoing third party engagements without any risk or compliance oversight. If an organization cannot identify all of its third parties, it cannot possibly assess risk accurately.
3) Approach to Third Party Due Diligence
The report reveals a surprising number of organizations—32 percent of respondents—don’t evaluate third parties before engaging with them despite serious concerns about bribery and corruption, fraud and conflicts of interest.
Third party risk attaches at the time of engagement. So, while conducting due diligence after a disclosure may be better than nothing, anything that occurred prior to it will be indefensible. Organizations that do not conduct due diligence before engaging with third parties are exposing themselves to significant risk. To learn more about how our third party due diligence software RiskRate can help, get in touch with a solutions expert to discuss, or schedule a demo.
Ready to read the full report? Download your copy here to see how your organization ranks among those surveyed. To learn more about RiskRate, NAVEX Global's third party risk management software, visit our website or request a demo today.