Third-Party Risk Management

Discuss third-party issues and trends impacting today's organizations.

Nirupama Pillai
Third Party Risk Resolution
Hello everyone. Just wanted to gather some best practices around third party risk management. Once you obtain results from your screening and some red flags are indicated, who in the company takes the final call on whether this is an acceptable risk and how is this typically documented? Thanks in advance.
Jacqui Merrill Martin
Hi Nirupama. This is a great question. First, depending on which department is conducting the initial screening, it is important to ensure a segregation of duties when it comes to clearing red flags. For example, if the operations department runs the entity through the initial screening database and the search yields red flags, the adverse results should be escalated to a mid-level manager outside of the operations department (e.g. compliance or legal). If the red flags present relatively low risk, it is fine to give the (adequately trained!) mid-level manager authority to bless the transaction. However, as you noted, it is very important to document the rationale behind the decision. If the mid-level manager determines that circumstances present higher risk, he or she should elevate to the compliance officer/GC. If at that point the compliance officer or GC is apprehensive about making the call, it is always smart to obtain an advice of counsel memorandum for your files. Outside counsel may provide mitigation recommendations as part of the documentation in order to further protect the company. Hope this helps!
Nirupama Pillai
Thank you, Jacqui!