Business practices are evolving rapidly to include relationships with an ever-increasing range of suppliers and service providers. Many organizations have thousands of different vendors and partners with whom they do business. Third-party risks are now among the largest and most complex risks that organizations must manage.
Recently, payment card details of more than five million Saks Fifth Avenue customers were obtained through a third-party point-of-sale system. Credit card information was also compromised at Best Buy and Delta, both via a third-party customer chat vendor that was hacked.
These examples show that the failure of third parties to perform as expected can have dramatic impacts on an organization. Third parties also frequently depend on other parties, creating chains of relationships that need to be considered by risk managers.
Internal auditors have the necessary knowledge and skills to delve into third-party risk management and identify gaps and improvements. Executives and boards rely on internal auditors to provide assurance that third-party risks are detected and assessed, that internal controls are in place, and that timely risk information is available to drive decisions.
All of this means that effective management of third-party risks is vital for achieving organizational goals. Many organizations have yet to develop efficient and effective third-party management processes. Internal audit can play a critical role in achieving this.
Current technology and automation solutions present an opportunity to rethink and optimize how third-party risks are managed. Here are some ways that auditors and risk managers can employ automation and data analytics to third-party risk management.
1. Create a centralized repository of third parties
A centralized repository of third-party information makes it possible for internal auditors to better understand the third-party risk environment, and to identify high-risk areas effectively. There are advantages to having all third-party relationships categorized and maintained within a central database. This allows for relationships among third parties to be more easily considered as part of an overall risk assessment process.
2. Create a centralized repository of risk types
Each type of third-party risk needs to be defined and described in terms of its potential impact. Typical categories include reputational, operational, IT, financial, legal, political, and regulatory risk.
3. Assess and score risks by magnitude and type
All third-party risks need to be assessed and scored/weighted to reflect the magnitude of risk and probability of occurrence. A centralized, technology-driven approach to assessing risks allows multiple stakeholders to contribute their perspective and arrive at a consistent risk-ranking process. Modern technology solutions like ACL provide options for risk-scoring workshops within the tool, informed by real-time KPIs and KRIs.
4. Define policies and processes
Policies and processes need to be developed which support the full third-party life cycle. This includes screening, onboarding, due diligence, documentation, monitoring, surveys, and audit. A centralized approach allows processes to be easily compared for each type of relationship and risk.
5. Design workflow that supports the processes
Technology plays a key role in enabling workflow around the processes for each type of third-party relationship. Much of the workflow can be automated to ensure that gaps or process breakdowns are identified. For example, traditional checklist approaches may result in weak due diligence during the screening and onboarding of new third parties. An automated workflow can easily ensure that no third-party relationships are established without completion of all requirements.
6. Collaborate among third-party stakeholder teams
Third-party risk management is more effective when auditors and risk managers collaborate and share information. One team may focus on a third party’s compliance with labor laws, while another is concerned solely with the quality of manufactured parts. To fully assess the risks related to each third party, every team should have visibility into the overall state of a relationship. They can then collaborate and respond to any risks. For example, linking third-party risk assessments to audit plans avoids redundancies in third-party risk processes. It also provides management teams and boards with a holistic view of third-party risk.
7. Distribute and collate questionnaires and surveys
Managing third-party relationships often involves suppliers regularly completing questionnaires confirming, for example, regulatory compliance. A traditional approach to managing this process is often time consuming and prone to errors. Automating the distribution, gathering, and collating of third-party questionnaires dramatically improves efficiency and reduces resource requirements.
8. Monitor vendor activities using internal and external data
One of the challenges of effective third-party risk management is knowing, as soon as possible, when a relationship is showing signs of a problem. Analysis of vendor-related data, as well as external data (e.g., government-managed sanctions lists), helps identify risk indicators. Examples include the ongoing monitoring of data and performance metrics for different categories of third-party risk (e.g., IT service levels, defective product returns, or delays in receiving items). Fully automated analytics make it possible to monitor risks in close to real time, avoiding the drawback of late discovery of issues. Auditors can also use all of this data to evaluate decision-making processes around third parties and determine whether they align with the company's strategic objectives.
9. Manage issues and alerts
There is no value in monitoring vendor-relationship data if risk indicators are ignored or not actioned. Automating third-party monitoring enables alerts to be generated whenever a risk indicator reaches a specified threshold. An automated workflow can then also help manage the process of responding to issues. This includes determining whether effective resolution has occurred and, if not, automatically escalating notifications to senior roles.
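The following is an added example, not code from the original article or from any product it mentions, showing in compact form what items 3, 8, and 9 describe together: a risk score of likelihood times impact per risk type, a monitoring pass that checks each vendor's internal metrics and an external sanctions list against key risk indicator (KRI) thresholds, and an escalation step that routes alerts left unresolved past a response SLA to a senior role. The vendor names, metrics, thresholds, impact weights, and the "CRO" escalation target are all constructed assumptions for illustration.

```python
"""Vendor KRI monitoring with risk scoring, alerting and SLA-based escalation.

Added example. All vendor names, metrics, thresholds and weights below are
constructed for illustration and do not come from the original article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-in for an external, government-managed sanctions list.
SANCTIONS_LIST = {"Acme Offshore Ltd"}

# Impact weight per risk type on a 1-5 scale (assumed values; see item 2).
IMPACT = {"IT": 4, "operational": 3, "regulatory": 5}

# KRI thresholds: indicator -> (direction, limit, risk type, likelihood 1-5).
# Crossing an assumed limit in the stated direction raises an alert.
KRI_THRESHOLDS = {
    "it_sla_pct": ("below", 99.0, "IT", 3),
    "defect_return_rate": ("above", 0.02, "operational", 3),
    "delivery_delay_days": ("above", 5, "operational", 2),
}


@dataclass
class Alert:
    vendor: str
    indicator: str
    value: object
    risk_type: str
    score: int
    raised_at: datetime
    resolved: bool = False
    escalated_to: Optional[str] = None


def risk_score(likelihood: int, impact: int) -> int:
    """Item 3: score = likelihood x impact, each on a 1-5 scale (max 25)."""
    return likelihood * impact


def evaluate_vendor(vendor: str, metrics: dict, now: datetime) -> list:
    """Item 8: check one vendor's internal metrics and external data against the KRIs."""
    alerts = []
    # External data: a sanctions hit is treated as certain (likelihood 5) regulatory risk.
    if vendor in SANCTIONS_LIST:
        alerts.append(Alert(vendor, "sanctions_list", True, "regulatory",
                            risk_score(5, IMPACT["regulatory"]), now))
    # Internal data: performance metrics compared against their thresholds.
    for indicator, (direction, limit, risk_type, likelihood) in KRI_THRESHOLDS.items():
        value = metrics.get(indicator)
        if value is None:
            continue  # metric not reported this cycle; nothing to compare
        breached = value < limit if direction == "below" else value > limit
        if breached:
            alerts.append(Alert(vendor, indicator, value, risk_type,
                                risk_score(likelihood, IMPACT[risk_type]), now))
    return alerts


def escalate_unresolved(alerts: list, now: datetime,
                        sla: timedelta = timedelta(hours=48),
                        escalate_to: str = "CRO") -> list:
    """Item 9: alerts still unresolved after the response SLA escalate to a senior role."""
    escalated = []
    for alert in alerts:
        if not alert.resolved and alert.escalated_to is None and now - alert.raised_at > sla:
            alert.escalated_to = escalate_to
            escalated.append(alert)
    return escalated


# Constructed sample monitoring feed for one cycle.
SAMPLE_METRICS = {
    "Northwind Logistics": {"it_sla_pct": 99.7, "defect_return_rate": 0.035,
                            "delivery_delay_days": 9},
    "Acme Offshore Ltd": {"it_sla_pct": 97.2, "defect_return_rate": 0.01},
}


def monitoring_cycle(hours_until_review: int = 72) -> tuple:
    """Run one cycle over the sample feed, then review it after the given delay.

    Returns (all alerts sorted by score, alerts escalated at review time).
    """
    now = datetime(2024, 1, 8)
    alerts = [a for vendor, metrics in SAMPLE_METRICS.items()
              for a in evaluate_vendor(vendor, metrics, now)]
    alerts.sort(key=lambda a: a.score, reverse=True)
    review_time = now + timedelta(hours=hours_until_review)
    return alerts, escalate_unresolved(alerts, review_time)


if __name__ == "__main__":
    alerts, escalated = monitoring_cycle(72)
    for a in alerts:
        print(f"{a.vendor:22} {a.indicator:20} value={a.value!s:6} "
              f"type={a.risk_type:12} score={a.score}")
    for a in escalated:
        print(f"ESCALATED to {a.escalated_to}: {a.vendor} / {a.indicator}")
```

Running the block as a script lists four alerts, highest score first (the sanctions hit at 25, then the SLA breach at 12), and because nothing was marked resolved before the 72-hour review, all four escalate; a 24-hour review would escalate none. In practice the thresholds and weights would come from the risk-scoring workshop in item 3 rather than being hard-coded, and `SANCTIONS_LIST` would be refreshed from the published list on each cycle.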
10. Reporting, dashboards, and management assurance
Visual dashboards and reporting help internal audit build management’s confidence in the strength of third-party risk management processes. When using spreadsheet-driven systems, the reporting process is typically time-consuming and unreliable. Third-party management software can easily produce up-to-the-minute reports and dashboards of the overall status of all third-party risk management activities. Dashboards give management ongoing insights into the number, severity, and status of third-party risks. This enables those with overall responsibility to focus on addressing the most significant risks.
11. Integrate third-party risk management with overall ERM
Technology provides the ability to easily integrate third-party management as one component of the overall risk profile and assessment process. In most cases it makes sense for third-party risk management processes to be comparable to risk management and assessment processes for other risk areas. This allows executives to view third-party risks in the context of all risks being managed by the enterprise.
Technology improves third-party risk management
Third-party risk management technology helps organizations manage risks in ways that more traditional approaches can’t. Once the third-party management process framework is established, automated workflows and monitoring transform processes, reducing resource requirements. Organizations also significantly reduce the risk of damage from third-party relationships. This provides easy justifications for changing traditional third-party management processes and embracing an automated technology-driven approach.