The value-add of leveraging data analytics to mitigate third-party risk is, at this point, common knowledge. Access to real-time data updates and adverse media alerts as well as a single source of truth up and down the chain of command are just a few advantages. Many technology solutions are now equipped with prebuilt integrations, artificial intelligence, and natural language processing.

Still, a tool is a tool. You must know how to wield it to make good use of it—and avoid injury.

A panel of experts at Compliance Week’s virtual Third-Party Risk Management and Oversight Summit last week offered compliance practitioners a how-to primer on just that.

Tips for beginners

The panel began with a sensible preface: Compliance teams cannot expect modern-day technology to replace old-fashioned due diligence.

An understanding of the company’s third-party risk landscape is a precondition to leveraging data analytics, said Ali Ikram, chief operating officer for the office of ethics and compliance at software company SAP. Otherwise, the technology will not work effectively, “and you’re probably going to fail to some degree,” he warned.

Secondly, manage your expectations. Between customers, suppliers, and business partners, the ocean of data flowing through an organization is bottomless. No technology can tackle everything at once. It is necessary to take a targeted approach: identify the company’s greatest source of third-party risk, set objectives tied to it, and assess solutions against those criteria.

In other words, know what data you want to capture at the outset.

“What are the answers you’re looking for from the tool?” asked NS Rao, integrated risk management principal at software-as-a-service company Workiva.

“Any technical implementation will have any number of features. You can … automate so many manual processes,” he said, “but if the system is not giving you the data you’re looking for in the form of being present on the report, then it is not serving its purpose.”

There is no shame in starting small.

“One of my favorite analogies I like to make with my colleagues is, ‘Let’s not try to build that Lamborghini at the first round.’ Build something more practical and scalable as an onset,” said Ikram.

Beyond defining the end goal, focus on good data management practices and controls before deciding which information to manipulate in a technology solution.

“If it’s garbage in, it’s going to be garbage out,” Ikram said. “There’s going to be a lot of great talent and resources in your own company, whether it’s in the IT organization or some other structure who understands the data and where the reliable information is.”

Know your internal sources of data, like customer relationship management systems or accounts receivable/accounts payable ledgers, to name a few.

“When you get those sources, identify the holes in the data because either you’re going to be pulling data into your analytics tool from those sources or … you’ll be able to get [a solution] that integrates with those core systems [in] real time and can help you analyze data in real time as well,” said Ikram.


Moderator Michael Rickman, retired vice president of compliance and ethics at The Goodyear Tire and Rubber Company, asked panelists what the lessons or “lookouts” were for companies about to engage in data analytics. The anthem of advice was test and retest.

As companies implement continuous monitoring systems, they should not expect data analytics results to be perfect the first time around, said Ikram. Retesting will help users grow comfortable with learning how to set parameters that generate quality results and, likewise, minimize false positives that bog down resources.

Further, while a continuous monitoring system offers real-time risk alerts, “the reality is that it’s at a point in time,” said Ikram. “It’s not going to offer long-term comfort that your third parties are acting in an ethical and compliant manner.”

Initial and recurring due diligence are, therefore, a must.

“It’s extremely important to have the monitoring on a daily basis, if not every hour. Those are the kind of times that we are living in,” added Rao.