Identify and mitigate third-party risk 5 essential steps to identify and mitigate third-party risk

How well do you really know your clients, vendors, distributors or local representatives? Many companies underestimate the risks and overestimate the quality of their third-party risk assessment. It’s time to reassess the risks and invest in Third Party Risk Management before the damage is done.

Businesses are under intense scrutiny as government and modern society’s expectation for impeccable business integrity continues to grow. Extending to the choice of Third-Party Intermediaries (TPIs), such expectations demand a high standard of ethical behavior. It’s crucial to have the right information before engaging in a new relationship with financial intermediaries, wealth management customers, vendors, sales agents or local representatives or any other third party you work with.

Performing an effective due diligence for your TPIs can be tough. KPMG’s latest Global Anti-Bribery and Corruption Survey found this holds true especially for cross-border relationships. Global businesses struggle with great variability in the:

• quality and volume of available information
• collection processes and sources
• language skills required to process and analyse the information.

Such difficulties may arise when considering foreign candidates or entities. But considering domestic residents with a professional or educational past abroad or local entities that are active in other jurisdictions can also cause problems. Moreover, the sheer volume of public information complicates the collection of comprehensive intelligence and can exhaust resources if you don’t take a systematic approach.

It’s essential to invest in prevention and detection and to set up an appropriate, systematic approach. Ignorance isn’t an accepted excuse, so your selection of TPIs must be based on complete information. When shortfalls are detected by regulators, penalties range from fines to being barred from government contracts. The company may also suffer a hit to its reputation and/or waste management time and valuable resources to address the deficits after the fact.

Start by assessing your current universe of TPIs. Keep in mind, the complete global pool of TPIs may be unknown for some companies because they use multiple local procedures that are misaligned. A disorganized approach complicates the accurate identification and appropriate application of controls to rank high, medium and low risk TPIs.

Once you have an overview of your organization’s TPIs, gather data on your current situation, analyze its implications and assess the complexity of your business needs, locations and solutions/products.

When addressing the status quo in your organization, consider the implementing the following best practices in third-party risk management:

• Establish a Third-Party Risk Management (TPRM) process that is credible, consistent, effective and efficient. This is achieved by setting up a transparent, centralized, risk-based and globally applicable approach that exploits partly automated solutions.
• Avoid overreliance on a single source of information. lll-advised decisions can have harmful consequences. It’s essential to expand beyond commonly relied upon sources such as World-Check and Factiva so that you’re not dependant on a single corporate database.
• Take advantage of specialized intelligence solutions that track tens of thousands of sources from around the globe.
• Reassess any red flags. Inclusion in such a list or database doesn’t imply guilt of any crime. Nevertheless, red flags allow you to review potential risk and reassess the actual risks your organization may be exposed to.

Although the Internet has increased the availability of information, the quality and type of information varies greatly from country to country. Country-specific expertise is essential to effectively assess information on individuals and entities.

Some of the most common challenges global enterprises face regarding mitigating third-party risk across country locations include:

• The accuracy, availability and verification process varies a lot internationally, making it difficult at best to compare information across jurisdictions. In Switzerland, for example, credit reports are provided on a cantonal level by a government body and in the United States of America you will receive a credit report from one of the credit report agencies recommended by the US Government.
• You can’t rely exclusively rely on English searches. Language barriers may mean distinct language skills are needed to adequately identify information linked to the individual or entity of interest.
• Manual data gathering can be effective, but it’s labour intensive. Ensuring the exhaustiveness of the collected information and the recurrent updating of information requires a substantial effort, which in turn drives up the costs.
• Country-specific expertise is also required to adequately evaluate the findings in context given the different business environments with varying regional customs and conventions.
• Inconsistencies arising from ambiguous procedures can undermine integrity and compliance with regulatory requirements. They distort the results, diminish the comparability of the findings and impede the reliability of your due diligence efforts.

If your risk assessment process is not well-defined, your outcome may be unduly shaped by cognitive biases. For example, it’s well known that people barely distinguish between marginal differences and frequently err when evaluating probabilities – the former leaving a blurred line for decision making and the latter directly twisting the risk analysis. These are just two of the possible issues when relying on predominantly manual corporate intelligence.

One way to mitigate such bias is to employ partly automated solutions with a rigorous framework and a proven methodology. You can customize these tools to fit your business needs, satisfy your risk appetite and make sure you get an accurate picture of the risks. Setting transparent, pre-defined assessment criteria will increase the credibility of your TPRM by minimizing discretion.

Specialized tools for corporate intelligence boost efficiency, improve the thoroughness of your analysis and make continuous monitoring of existing risks much easier. Such technology, automate part of the search for negative press and media, detect litigation, conduct background checks on directors and main shareholders, monitor sanction lists and many other critical elements to a third-party due diligence. You gain access to a multitude of individuals and trusted sources in a variety of languages and countries which increases the coverage of your data collection, boosts trust in its completeness and saves costs by minimizing the search effort of manual intelligence gathering.

Using the tools to conduct ongoing comparisons with new entries allows you to adjust to changes – so you can be confident in your assessment at any time. Moreover, the global harmonization of the process will lead to consistent and comparable results – a great foundation for good decisions.

For accuracy, make sure the solution is based on a proven methodology that considers your business environment and the present risks of the respective domain. The potential efficiency gains resulting from partly automated solutions for corporate intelligence can more than offset the considerable efforts to revamp your TPRM.

Considering the risks your organization may unnecessarily be exposed to by flawed procedures, it’s my professional advice, in most cases, to invest in prevention and detection to avoid nasty surprises. Protect your organization both from financial and reputational damages by implementing a robust third-party due diligence procedure:

1. Start with your current situation and universe of TPIs. You must know the people and entities you’re working with before the relationship starts and monitor the risks over the course of the engagement to detect red-flags as early as possible.
2. Define a robust TPRM strategy that considers the actual business environment and your specific business needs.
3. Apply a risk-based approach and profit from tools with proven methodology to reach your goals efficiently – not only effectively.
4. Monitor the risks periodically or continuously, verify the initial findings and reassess your risk exposure based on the latest facts.
5. Commit to a high level of business integrity, mitigate risk exposure and strengthen your overall compliance for the benefit of your organization.