Working with High-Risk Vendors: Best Practices for Success

February 14th, 2024 Loren Johnson Reading Time: 5 minutes

For many businesses, working with high-risk vendors is unavoidable. Yet, if and when you do so, there are expectations for extra precautions and additional levels of screening, due diligence, and monitoring. When red flags do occur, you must be able and ready to make decisions and take actions to minimize your risk. I had the opportunity to discuss best practices for managing high-risk third-party vendors with Dan Hartnett, Director of Third-Party Risk Intelligence with LSEG (formerly known as Refinitiv). It is my pleasure to share this conversation with you.

The Rise in Third-Party Dependence

LOREN: We are seeing more dependency on third parties than ever before. Most businesses would probably underestimate how many third parties they have. But there’s a reason that people are depending on more and more third parties. They are engaging with them to hire out things that they can’t do themselves. Businesses can bring in a third party that has experience, expertise, and the efficiencies built-in already that may take a business years to develop if they handled things internally.

DANIEL: We hear a lot about changing supply chains, reshoring, nearshoring, onshoring, and ‘friend-shoring.’ At the same time, there’s still reliance on third parties, just in different locations. They are continuing to increase.

LOREN: There’s been a lot of discussion recently about friend-shoring: reassessing who you’re doing business with, their own networks, and how you can make sure that you’re working with not just friendly nations and businesses, but also securing that supply chain to be more relationship-based.

We’re also seeing that risks that were systemic are now moving out of the traditional swim lanes, including third-party risk. They’re not so easily categorized, or easily put in arbitrary lanes that don’t change, and you can no longer assign one team to assess it and to manage it. These types of risks are much broader for a business, affecting multiple teams and multiple strategies.

DANIEL: These swim lanes are silos that functioned fine previously, but no longer work in today’s world. For example, we hear about procurement officers who are acting as the first line of defense, assessing their third parties before they move forward with onboarding. They need to look at everything from ESG risk to cyber risks to geopolitical risks. They’re having to become a jack of all trades in order to do that initial assessment. That presents a lot of challenges to them and their teams.

This is a dynamic and changing market. It’s moving at a constant rate. Many companies are struggling to keep abreast. They’re dealing with more issues, more regulations around the globe, more types of risk, and new third parties.

It seems that every couple of months there’s a new regulation touching on third-party risk, but the regulations don’t really define exactly what to do. They leave it up to interpretation; how much due diligence is enough? A lot of companies struggle with that fine line between spending too many resources on lower-risk third parties while missing the high-risk ones. Regulations don’t tell you what to do, they just tell you that you have to do something.

The Uncertainty of Working with High-Risk Vendors

LOREN: Sometimes you must work with high-risk third parties, and sometimes there are situations that you can’t predict. In these cases, you may have long-term dependent engagements that are hard to pull out of or replace. How do you enable your organization to make the best decisions for the business when it comes to these high-risk third parties?

DANIEL: The way I see it is, in the past you wouldn’t just buy on price, you might also look at speed or other factors. Risk is just another factor to be considered in your decision on whether to work with them. Are there alternatives out there? If there are then you can lower that threshold. If not, then you raise it.

You look at it in a holistic picture along with other things like price, speed, and quality. Then you get that 360-degree view, and you can make your decision in an informed way.

Risk is not static. It changes once you’ve onboarded the third party, particularly if you have a long-term relationship with that vendor. You need to continually monitor them. We see it all the time when an event occurs six months after a client onboarded their third party. In a perfect world, you would have knowledge of that instantaneously or in advance with predictive analytics, but we’re not quite there yet. You want to know as soon as possible so you can react appropriately.

So, how often should you reassess a higher-risk third party? It depends on the nature of your relationship. The closer that relationship, if it’s a more interdependent relationship, you may want to do it on a more frequent basis. Regulators do not like it when you rescreen everyone every four years. You want to have a balance in there, so maybe every year or twice a year for your riskier ones. For lower-risk ones, you might be able to push it out every three or four years.

Regulator Expectations for High-Risk Vendors

LOREN: Regulators know that there are third parties that are higher risk than others. You should know where your highest risks are and what you need to put in place to best defend against them. You need to have the right approach in place with a defensible program.

There are far too many companies that are running their risk management programs on office productivity solutions and other tools that are not made to do this kind of thing. Risk management is much too sensitive to leave in the hands of a solution that isn’t designed to deal with it.

You need to have the risk identification process, the control development, the scoring, and the kind of stratification, surfacing of risks so you can take action on the things that really matter.

DANIEL: I warn people that regulators will take a very negative view of using Excel or other Office productivity solutions. It’s a two-dimensional relational database that is not going to help you manage risk in a dynamic environment. It’s prone to human errors. I love Excel for certain things, but not for managing third-party vendors.

I think the other thing to highlight is the idea of a defensible risk-based approach. One size does not fit all. You must have it tailored so that you are optimizing your limited resources. Focus on your highest risks. Know who those high-risk third parties are and focus your efforts on them so that your due diligence spend goes there. So, that risk-based approach is critical. And you really can’t do that in an Excel file.

The Strategic Advantage of Risk Intelligence

LOREN: We’re seeing people who are taking this more seriously across businesses where it’s considered more of a strategic advantage for businesses to dive deeply into risk intelligence. More software systems are being built to bring in that risk intelligence and bring in the insights and knowledge you need to run the right program. There are fewer excuses now to engage with a party around which you have concerns.

DANIEL: There are different systems out there for sure. Companies don’t have an excuse to not leverage them to their advantage. They are cost-saving in the long run because they allow people to do their work more efficiently while focusing on more important tasks than updating logistics information in an Excel file. It’s critical that you have a good management onboarding system, some type of platform that will allow you to minimize the administrative burden.

LOREN: With all the options, you want to have the right program in place that can support your program, while helping you evolve and scale. This is a rapidly evolving market, but there’s increasing scrutiny, increasing regulations, and increasing seriousness in it.

Learn more about how to manage working with high-risk third-party vendors, and how to optimize your TPRM program!

This interview has been edited for length and clarity.

Loren Johnson

Senior Director, Product Marketing

Loren Johnson leads Aravo’s product marketing function, covering how Aravo builds, markets, and sells its market-leading third-party risk management solution. Driven by a passion for innovation and solving business challenges, Loren brings an international business perspective and desire to deliver measurable customer success. Loren is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector. With eight years in the GRC market, Loren brings enthusiasm and an informed perspective to his work with Aravo.

