Seventy-five percent of respondents in the 2016 Ethics & Compliance Third Party Risk Management Benchmark Report rejected at least one third party as a business partner last year because of high risk factors identified in due diligence. This reinforces the theme that third-party risk management is a risk reduction and mitigation tool. Of course it is – it wouldn’t be in the name if it weren’t. But what is too often lost in the discussion around third-party risk is the business case for robustly and diligently assessing and monitoring third parties in a risk-based manner.
Today, more third parties are handling more critical tasks in more far-flung locations, constantly exposing organizations to new and greater risks of running afoul of the law, especially overseas. But managing third-party risk isn’t just about staying out of trouble. Third parties are business partners. Vendors, consultants and contractors are as vital to a company’s success as its employees. That means third-party risk management is key to third party management and critical to nurturing important relationships that have a direct impact on the bottom line.
According to the Third Party Risk Benchmark Report, less than half (45 percent) of organizations screen all of the third parties they engage with. This is concerning when considering the open door it creates for risk from those unexamined partners, but also when weighing the business value lost by not taking the opportunity to get to know your partners before engaging them and giving them an opportunity to impact your organization’s hard-earned reputation.
The report also shows that compliance professionals broadly feel their third-party programs are under-resourced, and struggle to articulate the value of third-party risk management, including due diligence. Many see this as trying to prove a negative. The value of your program is hard to quantify in terms of risk alone, as not all risk is created equal. You can, however, make a strong business case for investing in third-party due diligence by pointing to the revenue associated with third parties, the cost of those partnerships and the advantages of establishing long-term relationships with trusted partners.
The best evidence of ROI may be in the impact of reducing legal and regulatory cost and fines. While 32 percent of survey respondents reported legal or external regulatory actions involving third parties, this impact was lowest when the organizations used a third-party provider to continuously monitor third parties. Automated due diligence may be more than paid for from the savings realized by reducing fines and legal actions.
There is clearly risk in working with third parties, and that risk is likely to go up as more companies plan to increase the number of third parties they work with. So we need to stay diligent with our third-party risk management, but we cannot continue viewing it just as a contingency plan for potential litigation; we must also see it as a necessary step in third-party selection.
Other key findings in this year’s report:
- Conflicts of interest is compliance officers’ top concern in managing third-party risk, followed by bribery and corruption and cybersecurity. It’s not clear what propelled conflicts to the top of the list, but it’s possible that bribery and corruption programs have matured enough to dampen concerns, or that smaller organizations are beginning to believe that they are unlikely to be targeted by regulatory officials.
- The complexity of the due-diligence process is the top challenge for managing third-party risk. And lack of resources for adequately managing third parties is the top concern that compliance officers face internally.
- Nearly 60 percent of respondents say they will either increase the number of third-party engagements or expand their existing relationships in the next year.
- But 59 percent of respondents say their organizations’ budgets for third-party risk management will stay the same; another 8 percent say their budgets will decrease.
- Forty percent of respondents use no automated system to manage third-party risk. But automated systems are far more prevalent among organizations with maturing or advanced third-party systems.
To view the full set of results from this year’s survey, download your own copy of the 2016 Ethics & Compliance Third-Party Risk Management Benchmark Report.
What’s your business case for third party risk management?