Infuse Third-Party Risk Intelligence into Your TPRM Program
June 25th, 2019 •
posted by Aravo • Reading Time: 4 minutes
The need for true third-party risk intelligence – data that provides companies with important insights into the relative levels of risk within third-party relationships – is accelerating. As third-party risk management (TPRM) discipline matures, regulators, investors, and other stakeholders want to know that organizations are managing risks and are operationally resilient in the face of change. Organizations need the agility to quickly detect and respond to alterations in the risk profiles of third parties.
In the past, third-party risk data was usually gathered and used manually – analysts would research certain pieces of information when they were doing due diligence on a new relationship, for example. Even just a decade ago, the kinds of vendor information that might be examined would have been fairly limited – perhaps just financial information and a quick online search.
Today, all that has changed. There is a new understanding of the potential sources of risk that third-party relationships can pose and the ways in which a loss event can happen. In addition, new kinds of risks have emerged, such as cyber risk and the type of reputational risk posed by social media. Lastly, these risks are evolving at speed, and that velocity seems to be accelerating. As a result, the kinds and timeliness of data that are available for TPRM programs have grown too – giving organizations the intelligence to manage these risks with the nimbleness required.
Exploring TPRM Intelligence
So what kinds of third-party risk intelligence can be integrated into a TPRM program’s technology platform today? Understanding the types of data is an important first step in seeing the possibilities of this approach. Key data types include:
Financial Performance – Understanding how well a third party is managed financially is essential. For example, signs of financial difficulty, such as late payments, can signal increased risk in the relationship. The sooner this is flagged, the more quickly the issues can be examined and managed. Companies such as Accuity, Dow Jones, RapidRatings, and Dun & Bradstreet provide this kind of data.
Company Information – Alterations in geography, ownership, and board membership – all information that can be gleaned from corporate filings – can signal a change in risk profile. Sources for this kind of information are broad and can include open information, such as that from Companies House and Companywatch, as well as providers such as Kompany, Bureau Van Dijk, and Dun & Bradstreet.
Cybersecurity – Intelligence about the information security performance of third parties is available through companies such as BitSight Security Ratings and SecurityScorecard. These companies continuously update cyber ratings on the companies they follow, using externally observable data to assess cyber risk. Because such ratings are built only from what is visible from outside the third party's network, a score change is a prompt for follow-up with the vendor rather than a finding in itself.
Financial Crime – Today there is a wide range of different kinds of financial crime that must be evaluated as part of any third-party relationship. These include anti-money laundering (AML), anti-bribery and corruption (ABAC), and economic sanctions. The cost of getting these wrong can be significant financial and reputational damage. Providers that monitor these risks include Refinitiv and LexisNexis.
Reputational Information – In today’s fast-paced world, reputational damage can be inflicted overnight. So, it’s important to keep on top of what’s being said about third parties, but this is very difficult to achieve manually. Companies such as Polecat provide reputational risk information, derived from social media sentiment, on third parties.
Environmental, Social, and Governance – Also known as ESG, this kind of data is relatively new to many third-party risk programs. However, ESG investing is gaining ground fast, and some jurisdictions are implementing explicit ESG reporting. In other jurisdictions, such as the US, new regulatory reporting technical standards mean this information will be easier to access. Working with ethical vendors is very important – monitoring for ESG issues is becoming a new essential, and companies like EcoVadis provide real-time environmental, social, and governance ratings.
Many of the partners that Aravo works with provide a range of different types of third-party data to complement information gathering and decision making. The examples listed above can help organizations begin the exploration process for finding third-party data that meets their needs.
Connecting TPRM Intelligence
The “secret sauce” to TPRM intelligence is how these data feeds are linked to the TPRM platform, so that the information is flowing in real time into the right places, including workflows, dashboards, and reports. This TPRM intelligence is useful in many stages of the third-party relationship, including:
Selection – TPRM intelligence, delivered through automated data feeds, can enable risk professionals to complete research and analysis of potential vendors much more quickly than through manual methods. Lists of vendors that the organization has decided not to engage with (for example, sanctioned entities) can also be created and kept current from the same feeds.
Due Diligence – Information provided in risk assessments can be validated automatically through TPRM risk intelligence, saving time and resources.
Continuous Monitoring – TPRM risk intelligence feeds can be set up to detect changes in a vendor’s risk status, triggering workflow actions. For example, an alert can be sent out to specific individuals in the organization if a vendor’s information security score drops below a certain threshold.
Fourth-Party Management – Keeping track of risks within fourth parties (a third party’s own suppliers), fifth parties, and so on, is nearly impossible to achieve manually. The scope of the work required is just too great. TPRM intelligence can make fourth parties more discoverable, and also flag fourth-party risks.
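The continuous-monitoring trigger described above (alert when a vendor’s security score drops below a threshold) is simple to state but easy to get wrong in practice: a feed that is re-evaluated on every refresh will page the same people every day while a score hovers around the threshold, and a fast fall that stops just above the threshold will never fire at all. The following is an added example, not Aravo’s code and not any rating provider’s API. It assumes a CSV feed with `vendor_id`, `observed` (ISO date) and an integer `score`, and the policy constants, score range and vendor names are all constructed for illustration. It alerts once on the first fall below the floor, stays quiet until the score has recovered above a higher clearing level (hysteresis), and separately alerts on a sudden drop between consecutive refreshes.

```python
"""Threshold and rate-of-change alerting over a vendor security-rating feed.

Added example, not Aravo's code and not any rating provider's API. The feed
layout (vendor_id, ISO date, integer score), the score scale and the policy
constants below are assumptions for illustration only.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed policy. Alert once when a score first falls below ALERT_FLOOR and
# not again until it has recovered above CLEAR_CEILING (hysteresis), so a
# score hovering around the floor does not re-alert on every refresh.
ALERT_FLOOR = 650
CLEAR_CEILING = 680
# Alert on a sudden fall between consecutive observations even while the
# score is still above the floor; a fast drop is itself worth a look.
SUDDEN_DROP = 80


@dataclass
class Alert:
    vendor: str
    observed: date
    score: int
    reasons: list[str] = field(default_factory=list)


@dataclass
class VendorState:
    last_score: Optional[int] = None
    in_breach: bool = False


class RatingMonitor:
    """Keeps per-vendor state between feed refreshes and emits alerts on change."""

    def __init__(self) -> None:
        self._state: dict[str, VendorState] = {}

    def observe(self, vendor: str, observed: date, score: int) -> Optional[Alert]:
        st = self._state.setdefault(vendor, VendorState())
        reasons: list[str] = []
        if st.last_score is not None and st.last_score - score >= SUDDEN_DROP:
            reasons.append(f"dropped {st.last_score - score} points since last refresh")
        if score < ALERT_FLOOR and not st.in_breach:
            st.in_breach = True
            reasons.append(f"fell below {ALERT_FLOOR}")
        elif score >= CLEAR_CEILING and st.in_breach:
            st.in_breach = False  # cleared; the next fall below the floor alerts again
        st.last_score = score
        return Alert(vendor, observed, score, reasons) if reasons else None


def run_feed(feed_text: str) -> list[Alert]:
    """Replay a CSV feed in order and return the alerts a workflow would receive."""
    monitor = RatingMonitor()
    alerts: list[Alert] = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        alert = monitor.observe(
            row["vendor_id"], date.fromisoformat(row["observed"]), int(row["score"])
        )
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample feed: weekly refreshes for two fictitious vendors.
SAMPLE_FEED = """vendor_id,observed,score
acme-logistics,2019-06-01,720
acme-logistics,2019-06-08,700
acme-logistics,2019-06-15,640
acme-logistics,2019-06-22,645
acme-logistics,2019-06-29,670
acme-logistics,2019-07-06,690
acme-logistics,2019-07-13,630
northwind-data,2019-06-01,800
northwind-data,2019-06-08,710
northwind-data,2019-06-15,705
"""

if __name__ == "__main__":
    for a in run_feed(SAMPLE_FEED):
        print(f"{a.observed} {a.vendor}: score {a.score}; " + "; ".join(a.reasons))
```

Replaying the sample feed produces three alerts: acme-logistics on 2019-06-15 (first fall below the floor), acme-logistics again on 2019-07-13 (it recovered above the clearing level on 2019-07-06, so the second fall is a new event, while the 645 and 670 readings in between are silent), and northwind-data on 2019-06-08 (a 90-point drop that never crosses the floor). In a real platform the alert would feed a workflow step that asks the vendor what changed; the external score alone does not tell you.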
In summary, manual approaches to TPRM research and analysis are no longer appropriate. Automated data feeds can power a whole new approach to TPRM intelligence, enabling organizations to recognize risk sooner and respond with increased operational resilience.