Prudent risk and compliance officers who want to see how their third-party risk management programs stack up against their peers and catch up on the latest best practices will want to have a look at NAVEX Global’s fourth annual third-party risk management benchmark report, released Oct. 16.
The findings in this year’s report pull from 1,200 survey respondents who influence or manage an ethics and compliance program, 500 of whom directly influence or manage a third-party risk management (TPRM) function. “Given the rapid, global expansion of supply chains along with agent and partner relationships, it’s never been more important to be strategic about mitigating exposure to third-party risk,” NAVEX Global President and Chief Executive Officer Bob Conlin said in a statement. “Smart companies recognize third parties as an extension of their own organizations, and therefore manage third-party compliance as rigorously as internal compliance.”
As in previous years, survey respondents were asked to assess the maturity of their TPRM programs based on one of four buckets: reactive, basic, maturing, or advanced. “To ensure that these maturity assessments aligned with actual program design and performance, respondents did not self-evaluate,” NAVEX explained in its report. “Instead, they were asked individual questions on program elements—including risk-management practices, technologies and methodology used—from which a program’s effectiveness was determined.”
Based on their responses, most respondents' TPRM programs were rated either mature (41 percent) or advanced (17 percent). Another 17 percent were rated as basic, and 11 percent were categorized as reactive.
Using these four buckets as a baseline, the report provides a clear picture of what distinguishes mature and advanced TPRM programs from those that are basic or reactive, which are discussed in greater detail below.
Due diligence practices. Companies with advanced TPRM programs are far more likely than companies with less mature programs to apply a risk-based approach to third-party due diligence, scaling the review to the nature and level of risk each third party presents. Specifically, 69 percent of advanced programs apply a risk-based approach to third-party due diligence, while maturing programs use either a risk-based approach (45 percent) or apply the same procedure to all third parties regardless of risk level (31 percent).
Many ethics and compliance officers might think their organizations take a risk-based approach, “but when they describe the program, it’s often not a risk-based approach,” Stephen Gooding, director of product specialists at NAVEX Global, said during a recent webinar discussing the findings. “It’s a one-size-fits-all model. It’s a screening tool.” It may be that not all companies properly understand what it means to take a risk-based approach, he said.
Essentially, making risk-based decisions ensures that the ethics and compliance function is allocating its resources wisely and effectively when assessing, prioritizing, and mitigating third-party risk, rather than attempting to boil the ocean. The risk profile of a third party will depend on several factors, many of which the NAVEX Global report covers, including:
The geographical region of the third party;
The nature and extent of that third party’s interaction with foreign government officials, including its interactions with a state-owned enterprise or government agency;
The nature of the third party’s operations (e.g., commercial agents, distributors, and resellers tend to represent higher risk than consultants and contractors);
The extent to which the third party generates revenue and engages in large contracts for the company; and
The past performance of that third party, where a historical relationship between the company and that third party exists.
In some cases, companies may find that they have no choice but to engage with a high-risk third party, whereas for other companies it’s a risk they choose to take on. “Retaining a high-risk third party can be justified, provided that the organization applies a robust due-diligence review based on an accurate risk-ranking, monitors the third party’s conduct and reputation, and audits the third party,” NAVEX said in its report.
If the company identifies any red flags during the due-diligence process—whether during the initial business justification, preliminary risk assessment, or during screening or monitoring—it should “review its risk policies, procure additional relevant information, and decide whether the red flag is a deal killer or not,” NAVEX Global said.
TPRM program challenges. Taking a risk-based approach to third-party risk management is particularly important when you consider what compliance and risk professionals cite as the top challenges to managing third-party risks: “consistently monitoring third parties” and “lack of internal resources” (both people and budget).
Sidebar, excerpted from the NAVEX Global report:
Findings: More than half of responding organizations (58%) have a Mature (41%) or Advanced (17%) third-party risk management program. Almost a third (31%) have programs that are Basic and 11 percent categorized their program as Reactive.
Analysis: This year’s survey is the third year in which we asked respondents to self-assess the maturity of their third-party risk management program. In our prior reports, we noted that respondents’ self-assessments did not align with actual program design and performance. To avoid this gap, we included individual questions and responses to accurately reflect program elements and overall maturity.
A key finding is that mature, well-run third-party risk management programs outperform less mature programs and those still developing their programs. A mature program is based on the organization’s approach to third parties, current third-party risk management practices, technologies used to manage third-party risk and methodology to assess the third-party risk management program’s effectiveness.
Chart: Maturity Level for Third-Party Risk
Those with reactive or basic TPRM programs were significantly more likely to cite “lack of resources” as a top challenge, compared to those with maturing and advanced programs. Those with advanced programs, in comparison, listed their top three challenges as “consistently monitoring third parties,” “training our third parties and getting attestation on our policies,” and “the number of third parties we manage.”
Third parties by the numbers. “When implementing a robust third-party risk management program, most organizations underestimate the number of third parties they engage, especially when they consider agents, resellers, and contractors, and the level of risk each of these types of third parties create,” the NAVEX report states. This matters because the number of third-party relationships a company manages is itself an important risk factor.
Overall, 58 percent of all respondents said their companies engage more than 100 third parties, and 29 percent engage more than 1,000 third parties. Not surprisingly, the larger the company, the more third parties it manages: 45 percent of large companies engage more than 5,000 third parties, compared to only nine percent of mid-sized entities and two percent of small entities.
TPRM program effectiveness. According to the NAVEX Global report, the most common measures for managing third-party risk across all levels of program maturity are screening (70 percent) and monitoring (61 percent). Advanced programs, however, tend to employ a wider variety of approaches to third-party risk management, including:
Performing enhanced due diligence on third parties (85 percent);
Sending questionnaires and putting documents and other information from third parties in a centralized location (80 percent);
Automating enhanced due diligence based on the organization’s definitions of high, medium, and low risk (71 percent); and
Advising the organization on the company’s third-party due diligence program structure and effectiveness (70 percent).
The most common approaches used to assess the effectiveness of third-party due diligence programs are periodic risk assessments (46 percent) and program audits or legal reviews (30 percent). Proactive identification and mitigation of third-party risks (27 percent) and onboarding and screening efficiencies (25 percent) are other ways that companies assess the effectiveness of their third-party due diligence programs.
TPRM through automation. According to the report, technology adoption varies markedly by TPRM program maturity. Specifically, 49 percent of advanced organizations said they use a purpose-built third-party solution, while those with less mature programs rely on solutions not designed specifically to manage third-party risks.
Among companies that use an automated third-party risk management solution, 75 percent said they monitor program effectiveness. The four most common assessment methodologies used by TPRM programs employing software solutions are periodic risk assessment (46 percent); program audits or legal review (30 percent); proactive identification and mitigation of third-party risks (27 percent); and onboarding and screening efficiencies (25 percent).
“One of my biggest arguments to everybody is we’ve got to be automated,” Michael Volkov, a former federal prosecutor and a white-collar defense attorney with the Volkov Law Group, said on the webinar. “That’s where compliance is going.”
When getting buy-in to invest in a TPRM solution, don’t focus on how such a solution can help the company avoid an enforcement action, Volkov said. Instead, focus on how a third-party software solution can protect the company from reputational harm and promote a culture of integrity and trust. “We’re trying to protect culture by managing risk,” he said. “To the extent you manage your third parties and reduce your risk, you’re promoting and protecting your culture.”