A recent Thomson Reuters survey report entitled “Third Party Risk: Exposing the Gaps” indicates that 62 percent of survey participants perform initial third party due diligence (usually only for defined higher risk tier parties), but only 36 percent are monitoring for changes to the risk profile once third parties are put in place.

When asked what prevents them from taking steps to detect ongoing risks, participants define several key challenges, with the most significant being lack of data and resource constraints. So, many choose to put controls in place and only update the risk assessment annually by using one external source of information, such as a database that tracks sanctions and watch lists. Others simply rely on annual self-certification renewals or audits for higher-risk parties.

But there isn’t such a clear end point for due diligence when we are talking about vetting third parties who will continue to present risks even after they are brought on board. A limited annual review is not sufficient to satisfy today’s best practices and may lead to liability when risks aren’t timely identified and managed. Changes in data, technology and automation have turned third party risk management on its head. Emerging threats such as cyber security, geopolitical challenges, and ever more opaque webs of related entities make the need for a holistic risk profile greater than ever before.

OCEG and Thomson Reuters have developed a new installment in OCEG's GRC Illustrated Series to outline the best practices your organization should have in place to ensure ongoing, integrated due diligence of your third party risks.