5 essential steps to identify and mitigate third-party risk
How well do you really know your clients, vendors, distributors or local representatives? Many companies underestimate the risks and overestimate the quality of their third-party risk assessment. It’s time to reassess the risks and invest in Third Party Risk Management before the damage is done.
Businesses are under intense scrutiny as the expectations of government and modern society for impeccable business integrity continue to grow. Extending to the choice of Third-Party Intermediaries (TPIs), such expectations demand a high standard of ethical behavior. It’s crucial to have the right information before engaging in a new relationship with financial intermediaries, wealth management customers, vendors, sales agents, local representatives or any other third party you work with.
Get the right information on third-parties
Performing effective due diligence on your TPIs can be tough. KPMG’s latest Global Anti-Bribery and Corruption Survey found this holds true especially for cross-border relationships. Global businesses struggle with great variability in the:
- quality and volume of available information
- collection processes and sources
- language skills required to process and analyse the information.
Such difficulties may arise when considering foreign candidates or entities. But considering domestic residents with a professional or educational past abroad or local entities that are active in other jurisdictions can also cause problems. Moreover, the sheer volume of public information complicates the collection of comprehensive intelligence and can exhaust resources if you don’t take a systematic approach.
It’s essential to invest in prevention and detection and to set up an appropriate, systematic approach. Ignorance isn’t an accepted excuse, so your selection of TPIs must be based on complete information. When shortfalls are detected by regulators, penalties range from fines to being barred from government contracts. The company may also suffer a hit to its reputation and/or waste management time and valuable resources to address the deficits after the fact.
Check the status quo
Start by assessing your current universe of TPIs. Keep in mind that the complete global pool of TPIs may be unknown for some companies because they use multiple local procedures that are misaligned. A disorganized approach complicates the accurate identification and appropriate application of controls to rank high-, medium- and low-risk TPIs.
Once you have an overview of your organization’s TPIs, gather data on your current situation, analyze its implications and assess the complexity of your business needs, locations and solutions/products.
When addressing the status quo in your organization, consider implementing the following best practices in third-party risk management:
- Establish a Third-Party Risk Management (TPRM) process that is credible, consistent, effective and efficient. This is achieved by setting up a transparent, centralized, risk-based and globally applicable approach that exploits partly automated solutions.
- Avoid overreliance on a single source of information. Ill-advised decisions can have harmful consequences. It’s essential to expand beyond commonly relied upon sources such as World-Check and Factiva so that you’re not dependent on a single corporate database.
- Take advantage of specialized intelligence solutions that track tens of thousands of sources from around the globe.
- Reassess any red flags. Inclusion in such a list or database doesn’t imply guilt of any crime. Nevertheless, red flags allow you to review potential risk and reassess the actual risks your organization may be exposed to.
Take a country-specific approach to global third-party risk due diligence
Although the Internet has increased the availability of information, the quality and type of information varies greatly from country to country. Country-specific expertise is essential to effectively assess information on individuals and entities.
Some of the most common challenges global enterprises face in mitigating third-party risk across country locations include:
- The accuracy, availability and verification process vary a lot internationally, making it difficult at best to compare information across jurisdictions. In Switzerland, for example, credit reports are provided on a cantonal level by a government body, and in the United States of America you will receive a credit report from one of the credit report agencies recommended by the US Government.
- You can’t rely exclusively on English searches. Language barriers may mean distinct language skills are needed to adequately identify information linked to the individual or entity of interest.
- Manual data gathering can be effective, but it’s labour-intensive. Ensuring the exhaustiveness of the collected information and the recurrent updating of information requires a substantial effort, which in turn drives up the costs.
- Country-specific expertise is also required to adequately evaluate the findings in context given the different business environments with varying regional customs and conventions.
- Inconsistencies arising from ambiguous procedures can undermine integrity and compliance with regulatory requirements. They distort the results, diminish the comparability of the findings and impede the reliability of your due diligence efforts.
Mitigate cognitive bias
If your risk assessment process is not well-defined, your outcome may be unduly shaped by cognitive biases. For example, it’s well known that people barely distinguish between marginal differences and frequently err when evaluating probabilities – the former leaving a blurred line for decision making and the latter directly twisting the risk analysis. These are just two of the possible issues when relying on predominantly manual corporate intelligence.
One way to mitigate such bias is to employ partly automated solutions with a rigorous framework and a proven methodology. You can customize these tools to fit your business needs, satisfy your risk appetite and make sure you get an accurate picture of the risks. Setting transparent, pre-defined assessment criteria will increase the credibility of your TPRM by minimizing discretion.