Effective third-party risk management has evolved beyond just identifying red flags. Today, mature programs know how to surface as well as prioritize their risk. Prioritization enables programs to apply resources and due diligence appropriately to each unique risk that a third party represents.
Programs are doing this by properly identifying sources for risk intelligence, vetting results and filtering that intelligence through unique organizational risk profiles. This ability to risk-rank each third party is called stratification. That’s a 10-dollar word that can be boiled down to “context.”
Stratification employs contextual cues to focus risk mitigation efforts on key areas of interest. This maximizes impact by minimizing noise, which is key to logical, risk-based decision making. This is also how third-party risk management programs maximize their ROI, by accurately allocating their investment of time and resources.
Creating the Context for Third-Party Risk Decision Making
Programmatic context is defined by three major risk management components: known risks, business justification and information from reputational screening.
Your known risks are defined by regulatory bumpers such as the Foreign Corrupt Practices Act (FCPA) or Transparency International’s Corruption Perception Index. If your organization subscribes to the FCPA Guide, your known risk will be colored by geography, type, contract value, and relationship with governmental agencies.
These risks need to be measured alongside your organization’s original business justification for working with a third party. Do these regulatory standards apply to the scope and complexity of your third-party engagement? If so, can the engagement be modified to address the potential risk? Determining the answers to these questions is why we need to go beyond the traditional red flag.
Finally, organizations need to source the right information from reputational screening. This includes adverse media, sanctions and politically exposed person (PEP) lists. This is one of the more trying aspects in the decision making process. According to NAVEX Global’s annual Third-Party Risk Management Benchmark Report, “Finding reliable information among a large volume of potential sources” is the top challenge for due diligence programs.
When all information is collected and weighted equally, third-party risk management programs struggle to hear the signal through the noise. There are no definitive indicators for how to prioritize legitimate and illegitimate risks. It’s the business justification and known risks that create the context in which you can confidently vet the information sourced through reputational screening.
This informed perspective ensures data is not skewed and decisions are not made under assumptions from false positives. It also makes high volumes of data more manageable. Only data and data sources that have been categorized as reliable get the investment of a thorough review. In either case, context gives you the right composition of intelligence to make proper decisions on third-party engagements.
Therefore, any single component of your third-party risk management program viewed in isolation does not provide enough clarity on which to act with confidence. Viewed together, however, they enable an organization to score third parties and position each accurately in the organization’s risk hierarchy. Whether you call it context or stratification, this is how programs shrewdly maximize their return on actionable, measurable third-party risk management.