Companies can’t manage every risk from every possible third party, panelists said during a session on due diligence at Compliance Week’s virtual Third-Party Risk Management (TPRM) and Oversight Summit.

To begin, businesses must define their vision and strategy, said Samira Duijnmayer, compliance manager and regulatory and financial crimes officer at Booking.com.

“Decide what’s your north star and work toward it,” Duijnmayer said. For example, if you want to mitigate bad financial outcomes, make sure to do what’s needed in the risk process to achieve that goal, she said.

It’s also important to define the scope of your risk management and how far it will go, given the risk profiles of your vendors and the resources of your organization, Duijnmayer said.

“One thing that torpedoes companies is not defining the scope,” agreed session moderator Kristy Grant-Hart, chief executive of consultancy Spark Compliance.

Know how much risk is acceptable and incorporate that into your initial screenings and later due diligence of higher-risk third parties, said Rodney Campbell, head of TPRM at Valley National Bank.

Campbell also recommended knowing who your regulator is and what they expect.

“That tells you absolutely what needs to be done versus not,” he said.

Start screening by determining which vendors are critical for the company to have a relationship with, Duijnmayer said. Think about the risks they present and categorize them into high-, medium-, and low-risk categories.

For example, “Look at where they are located and whether labor laws are poor,” she advised, adding it’s important to apply the same risk assessment to all vendors.

Consider whether the supplier will interface directly with your company and whether its employees will interact with governments on behalf of your company, Campbell said. If so, that represents a higher level of risk, he warned. Also, consider if there are heightened cyber and privacy risks from any of your suppliers.

Campbell reminded practitioners to identify all the subcontractors involved in delivering products and services, including who they are and where they are, and whether their geographical location raises their risk.

“We all have limited resources. Think about how they can be deployed most effectively,” Duijnmayer said. You can use credit ratings, sanctions screenings, and press reports to aid in discovery.

As part of due diligence efforts, design questionnaires for third parties in each risk category and consider breaking them into subcategories by size, Duijnmayer recommended. Your questionnaires should reflect the scope of your risk management, she said.

You don’t want to overload your suppliers unnecessarily with questions about risk and overload your company’s resources, Duijnmayer advised.

“Don’t give a mom-and-pop shop 1,000 questions,” she said.

If vendors argue they don’t need to cooperate with the questionnaire because they are a health or financial institution and heavily regulated, make clear “that isn’t an option,” Campbell said.

“It’s no different whether you are heavily regulated or not. You want to do what’s right … to preserve your reputation,” Duijnmayer said.

If you’re considering skipping your own questionnaire and accepting information a potential vendor provided to its other clients, tread carefully, Campbell warned.

“Get off the email and pick up the phone,” Campbell said. “That’s the way to get the documentation you need.”

When bringing third parties on board, Duijnmayer relies on a contract to make clear with the other party how her business envisions managing risks, including cybersecurity and privacy.

“Be very transparent about what your company needs,” she said. “Then suppliers understand what is expected of them.”

A contract also helps protect your company’s reputation in case of any breaches or ethics scandals on the supplier side, she added.

Ask potential vendors to share their code of conduct as you hand them yours to tell if your two organizations are on the same page, Campbell said.

If the sales team or business owners are initiating new vendor relationships, they ideally are aware of risk management protocol and follow it. However, that’s not always the case, Duijnmayer said. A workaround for this situation is to require suppliers to agree to the company’s supplier code of conduct before proceeding with the relationship.

In the end, Duijnmayer stressed patience. Creating an effective risk management system is a venture that often takes years.

“It’s not a one-and-done process,” Campbell agreed.