Improving risk management for third parties has been a constant concern of compliance officers in their work as responsible for an anti-corruption program. At the beginning of each year, the results of the management are evaluated and some organizations make great efforts to improve the risk management of third parties, it cannot be hidden that third parties are increasingly posing greater threats.
For this reason, we believe that it is a good idea to share here a series of suggestions to improve risk management for third parties, which will undoubtedly be one of the primary objectives of an anti-corruption program.
How to improve risk management for third parties?
One of the reasons for concern about third-party risk management is the cycle of the process, which in many organizations is carried out in reverse. These establish a commercial relationship with a contractor or a supplier, which acquires access to critical systems such as billing or communications, and then carries out the risk assessment.
Of course, this is the wrong approach. The risk assessment for third parties must be prior to the establishment of a commercial relationship, or of any other type. In fact, this management must be continuous and carried out with the periodicity that the conditions of each third-party demand.
This is part of the purpose of improving third party risk management. But we can take other measures:
Have the right people
Risk management for third parties requires the participation of the people who have interference in the issues over which the third party has scope. For an information and technology service provider, it is natural for the CISO to be involved rather than the CEO.
In some cases, a professional from the compliance area is the most indicated, but in others, the participation of the directors of the commercial area may be preferred.
Prepare a list of third-party risks
Typically, third-party risks are identified when they appear. Of course, it is already too late. But if making a list of the organization's risks, it is a complex task and much more complex to try to identify the risks that each third party implies. It is almost like multiplying the task done in the organization by the number of third parties.
However, there is a methodology that we can recommend: the idea is that those in charge of each area, prepare lists of risks of third parties that are related to their department.
Next, a committee is formed in which these directors of each area participate, with the mission of reducing the list to only ten main risks. The process, of course, goes through an intense debate that can take many hours. But the result, if done with dedication, is reliable.
Define a risk assessment process
Compliance officers apply due diligence to third parties to prevent corruption risks. This includes certifications, training, research etc. The process to improve risk management for third parties is not very different.
Forming an internal third-party risk committee is of great importance at this point. This committee must have the input of executives and area directors, especially in the drafting of policies and procedures to follow for the engagement of third parties.
Implement an effective reporting system
Reports are more than just documents containing data and conclusions. It is necessary to think about indicators, key risks, procedures etc. But, above all, it is necessary that the reports define to what extent the risk posed by a certain third party can be tolerated. A reporting system is required that shows third parties with a high risk of corruption, but also those third parties that represent a lower or no risk.
Improving risk management for third parties means preventing rather than remedying. Information, of course, is a decisive tool in the success of the task. Automated anti-corruption programs exhibit much higher levels of performance than those that still run-on spreadsheets and email accounts.
Automated solutions also make it easier for third parties to comply with your requirements. Instead of continuously asking people working in the organization about what they need to do to comply with, they can simply access the third-party risk management system and look at all the requirements.
Businesses also get a lot more data if they have a third-party risk management solution in place. They can track the historical performance of all their third-party vendors to determine which vendors are the most problematic and need to be replaced with more trusted vendors. It is also easier to follow up on issues which are previously occurred, because the record of those issues exists within the third-party risk management solution being used by the organization.
Comments