Third-Party Risk Management Decisions Need Context to Maximize ROI

nelson pratt

This maximizes impact by minimizing noise, which is key to logical, risk-based decision making 

Effective third-party risk management has evolved beyond just identifying red flags. Today, mature programs know how to surface as well as prioritize their risk. Prioritization enables programs to apply resources and due diligence appropriately to each unique risk that a third party represents.

Programs are doing this by properly identifying sources for risk intelligence, vetting results and filtering that intelligence through unique organizational risk profiles. This ability to risk-rank each third party is called stratification. That’s a 10-dollar word that can be boiled down to “context.”

Stratification employs contextual cues to focus risk mitigation efforts on key areas of interest. This maximizes impact by minimizing noise, which is key to logical, risk-based decision making. This is also how third-party risk management programs maximize their ROI, by accurately allocating their investment of time and resources.

Creating the Context for Third-Party Risk Decision Making

Programmatic context is defined by three major risk management components: known risks, business justification and information from reputational screening.

Your known risks are defined by regulatory bumpers such as the Foreign Corrupt Practices Act (FCPA) or Transparency International’s Corruption Perception Index. If your organization subscribes to the FCPA Guide, your known risk will be colored by geography, type, contract value, and relationship with governmental agencies.

These risks need to be measured alongside your organization’s original business justification for working with a third party. Do these regulatory standards apply to the scope and complexity of your third-party engagement? If so, can the engagement be modified to address the potential risk? Determining the answers to these questions is why we need to go beyond the traditional red flag.

Finally, organizations need to source the right information from reputational screening. This includes adverse media, sanctions and politically exposed person (PEP) lists. This is one of the more trying aspects in the decision making process. According to NAVEX Global’s annual Third-Party Risk Management Benchmark Report, “Finding reliable information among a large volume of potential sources” is the top challenge for due diligence programs.

context gives you the right composition of intelligence to make proper decisions on third-party engagements

When all information is collected and weighted equally, third-party risk management programs struggle to hear the signal through the noise. There are no definitive indicators for how to prioritize legitimate and illegitimate risks. It’s the business justification and known risks that create the context in which you can confidently vet the information sourced through reputational screening.

This informed perspective ensures data is not skewed and decisions are not made under assumptions from false positives. It also makes high volumes of data more manageable. Only data and data sources that have been categorized as reliable get the investment of a thorough review. In either case, context gives you the right composition of intelligence to make proper decisions on third-party engagements.

Therefore, any single component of your third-party risk management program viewed in isolation does not provide enough clarity on which to act with confidence. Viewed together, however, they enable an organization to score third parties and position each accurately in the organization’s risk hierarchy. Whether you call it context or stratification, this is how programs shrewdly maximize their return on actionable, measurable third-party risk management.


Calculate your program’s ROI. Plug your organization’s information into the Third-Party Risk Management ROI Calculator to see your results.  


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.


The New Voice of The Whistleblower

Seven years after the launch of the U.S. Securities and Exchange Commission’s (SEC) whistleblower program, the voice of the whistleblower is starting to sound very different. It’s a little stronger, a little bolder, and a little louder. Learn what the landscape of modern whistleblower reporting looks like in 2018.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

We Need to Talk About Gray Areas When Addressing Sexual Harassment #YCDEthics

Although most people can agree on what clearly violates the law or company policy on the issue of sexual harassment, reasonable people can disagree on the gray areas. This general notion has shown up most recently in the debate surrounding an allegation against actor Aziz Ansari. Leaders in the workplace need to make sure they’re asking enough hard questions of their own organizations, and that includes everything from the clearly illegal to the gray areas that can lead to problems later.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Comments

Email Signup