In a global marketplace, third-party relationships are a crucial component of day-to-day business. However, while those relationships bring operational advantages they also pose an array of potentially significant risks. In order to address those risks and ensure compliance in an increasingly complex regulatory environment, organizations must think carefully about their approach to third party risk management (TPRM), implementing appropriate measures and controls to protect themselves against threats.
Accordingly, an organization’s third party risk management solution should be built on an understanding of best practice, and incorporate automated tools and technology to increase accuracy and efficiency.
What is Third Party Risk Management?
While most organizations develop a reliable understanding of the risks that they face directly, when they enter into relationships with third parties those risks may be more difficult to understand or predict. The complexity of third party compliance regulations exacerbates that risk, and requires organizations to carefully monitor the behavior of the third parties with which they do business, including examining their prior business relationships and historical actions.
Third party risks are diverse, reflecting factors such as business sector, internal policies and controls, and the level of regulatory oversight applied in a given jurisdiction. A third party may have connections to or involvement in criminal activities, may be subject to international sanctions, or may have inadequate cyber-security measures in place to protect customer data.
With those factors in mind, TPRM essentially involves the identification, mitigation, and reduction of the risks of doing business with third parties. An organization should seek to develop standardized policies and controls to facilitate TPRM, as part of a wider risk management solution that is calibrated to their operational environment.
The Risk Based Approach
TPRM requires organizations to collect and analyze vast amounts of data, a process that can be time-consuming and costly, and that can adversely affect customer experiences during onboarding and throughout a relationship. To reduce the negative impact of risk management, most regulatory authorities require organizations to implement a risk-based compliance response.
The risk-based approach is required by regulatory compliance in jurisdictions around the world and is fundamental to the anti-money laundering guidelines set out by the Financial Action Task Force (FATF). Under the risk-based approach, organizations must adjust their compliance response based on an assessment of the specific risks that they face. Accordingly, following a risk assessment, an organization would deploy an enhanced compliance response for third parties that present a higher risk, and a simplified response for lower-risk third parties.
The risk-based approach enables organizations to economize the resources they deploy in response to third party risks, tailoring their response on a case-by-case basis rather than deploying comprehensive and costly compliance measures and controls for every third party relationship.
Third Party Risk Management Best Practices
To optimize your compliance solution, it is important to understand TPRM best practices:
- Onboarding focus: Third party risk must be established prior to the beginning of a business relationship, which means conducting suitable screening and due diligence processes during the onboarding process. The due diligence process should capture a range of third party data, including names, addresses, company incorporation documents, beneficial ownership, industry certifications, and contractual obligations.
- Risk priorities: The risk-based approach relies on organizations being able to efficiently determine the level of risk that specific third parties present. With that in mind, following a risk assessment, third party relationships should be grouped by their risk profile, with higher risk third parties prioritized over medium risk third parties, and so on. Organizations should develop a suitable internal policy to calculate and assign risk, based on industry benchmarks and other contextual data points.
- Standardized processes: When different departments develop siloed risk management strategies, an organization’s collective third-party risk response may develop redundancies and inefficiencies, with frequent failures to share crucial data and insight. Accordingly, organizations should seek to standardize their third-party risk management strategy, setting out consistent, defined screening and due diligence procedures, and establishing a centralized repository of third-party risk data which all departments may access.
- Ongoing monitoring: The level of risk posed by third parties will inevitably change over time. To manage changing risk levels, organizations should ensure that they perform ongoing risk monitoring procedures to maintain accurate risk profiles. Ideally, that monitoring should be conducted in real time and involve suitable Know Your Customer (KYC) measures, such as due diligence processes, sanctions screening, and adverse media screening. TPRM solutions should also be tested for efficacy on an ongoing basis.
- Adverse media: One of the best indicators of third party risk is involvement in adverse or negative news stories. Those stories might set out, for example, a third party’s financial difficulties, connections to criminal activity, or involvement in government investigations (amongst other types of risk) – all of which may be reported by news sources prior to any official confirmation. Accordingly, organizations should implement an adverse media screening solution capable of capturing data from traditional screen and print media sources, and from online sources.
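The risk-based approach and the best practices above (risk priorities, standardized scoring policy, ongoing monitoring, adverse media) can be illustrated as one small tiering routine. This is an added example, not Ripjar's product or any regulator's model: the factor names, weights, cutoffs and response lists are constructed assumptions that a real policy would calibrate to its own environment.

```python
from dataclasses import dataclass, field
# Constructed weights for the risk factors the article names; not a real model.
WEIGHTS = {
    "sanctions_hit": 100,          # match on an international sanctions list
    "adverse_media_hit": 40,       # negative news story tied to the party
    "high_risk_jurisdiction": 25,
    "beneficial_owner_unknown": 20,
    "no_cyber_certification": 10,  # no evidence of customer-data protections
}
TIERS = [(60, "high"), (25, "medium"), (0, "low")]  # constructed cutoffs, highest first
RESPONSE = {  # enhanced response for higher risk, simplified response for lower risk
    "high": ["enhanced due diligence", "real-time sanctions/adverse media screening"],
    "medium": ["standard due diligence", "quarterly sanctions rescreen"],
    "low": ["simplified due diligence", "annual review"],
}

@dataclass
class ThirdParty:
    name: str
    factors: set = field(default_factory=set)
    history: list = field(default_factory=list)  # audit trail of assigned tiers

def score(party: ThirdParty) -> int:
    return sum(WEIGHTS[f] for f in party.factors if f in WEIGHTS)

def tier(party: ThirdParty) -> str:
    # A sanctions match escalates to the highest tier regardless of score.
    if "sanctions_hit" in party.factors:
        return "high"
    s = score(party)
    return next(name for cutoff, name in TIERS if s >= cutoff)

def assess(party: ThirdParty) -> dict:
    """Onboarding assessment: record the tier and return the matching response."""
    t = tier(party)
    party.history.append(t)
    return {"name": party.name, "score": score(party), "tier": t, "actions": RESPONSE[t]}

def monitor(party: ThirdParty, new_factor: str) -> bool:
    """Ongoing monitoring: add a newly observed factor; True if the tier changed."""
    before = tier(party)
    party.factors.add(new_factor)
    after = tier(party)
    party.history.append(after)
    return before != after

def prioritized(parties: list) -> list:
    # Higher-risk relationships first, ties broken by score.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(parties, key=lambda p: (order[tier(p)], -score(p)))
```

A party onboarded as medium risk moves to the enhanced response as soon as monitoring records an adverse media hit, and the history list gives the audit trail of each tier change.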
TPRM Automation Solutions
Effective third party risk management requires the collection and analysis of vast amounts of data. To optimize that process, organizations should seek to leverage technology as part of their TPRM solution wherever possible.
Practically, this means implementing a suitable TPRM software solution that fits both the business and risk management needs of a given operating environment. Technology tools add automated speed, efficiency, and accuracy to risk assessment, monitoring, and screening processes, reducing reliance on ad-hoc data collection and the potential for costly human errors. The advantage of technology to TPRM is significant, and regulators around the world expect organizations to implement suitable software solutions in order to meet their compliance obligations. The US Office of Foreign Assets Control (OFAC), for example, now mandates “technology solutions” as part of TPRM where those solutions “address the organization’s risk profile and compliance needs”.
There is no one-size-fits-all approach to TPRM and, beyond its practical data handling benefits, automation enables organizations to purpose-build and calibrate their compliance solution to the specific business environments in which they operate. Automated TPRM solutions also allow firms to better apply the best practice principles outlined above, including the need to share important data between departments, to monitor adverse media channels, and to centralize and standardize the collective company response to third party risk.
TPRM Applications: Working in collaboration with Accenture and Royal Dutch Shell, Ripjar recently demonstrated the effectiveness of a TPRM solution powered by technology. Leveraging Accenture’s industry experience, Shell integrated Ripjar’s AI screening solution to enhance risk screening across its third party supply chain transactions. The technology is intended to deliver accuracy and efficiency benefits to Shell’s risk screening process and to reduce data-reporting errors by around 80% in comparison to legacy systems.
Accenture managing director Adam Markson emphasized the importance of tackling third party risk challenges, including criminal activity, cybersecurity, and fraud, as reasons for integrating Ripjar’s solution but also pointed out that the AI technology would add valuable data insights and “give management complete audit capabilities and accountability over the entire screening process.”