Define Your Risk Profile
Honestly assess your organisation’s risk and its tolerance for risk. Note your industry, your facility locations, the regulatory environment in which you operate, the number of people you employ, and the likelihood of your employees and third parties working with government officials anywhere in the world.
Identify Your Third Party Risk
Define your key evaluation criteria and weigh whether or not to engage with individual third parties based on their risk factors. Use a consistent evaluation model to score the relative risks of each third party. Include criteria that define the financial commitment to each third party and the risk it represents, the type of third party, and the regional and country location of the third party. Prioritise your investigations and your alignment with each third party based on the nature and level of the risk associated with it.
Use a risk management software solution to manage your current and potential relationships. An automated solution allows you to centralise data collection, score relative risks, view all of your third parties through a single dashboard, and plan and execute onboarding, business justifications, questionnaires, screenings and reputational monitoring. Programme sophistication does not depend on expenditure and headcount, but on the discipline applied to structuring an effective programme. Third party relationships can originate within your industry, with regulatory authorities, and in other areas. Third party risk management software will help you rate and prioritise the most critical risks to your business.
Once you screen a third party, a proportion of your screenings will raise “red flags” that indicate potential issues with that third party. In those cases, you need to decide whether to continue with the engagement or to conduct a more robust due diligence analysis of the third party. Due diligence, often described as “boots on the ground” research, reveals additional detail about your third parties and allows you to make engagement decisions based on a more complete data set. A due diligence analysis may result in your approval of the engagement, a requirement that the third party align with your expectations, or a denial of the engagement.
Once you have defined your most critical third party risks and have screened and monitored your third parties, you are well positioned to mitigate these risks. Continuous monitoring gives you rapid insight into changes in a third party’s status and allows you to act to reduce the impact on your organisation before those changes create risk for you.