How to Manage and Measure Third-Party Risk

Identifying and reducing risks relating to the use of third parties

With so much data available, deciding which third-party risk metrics to measure and report on can feel like an endless task. How do you satisfy regulators without spending every waking moment assembling reports? Thankfully, the DOJ has made clear that the final step in the third-party relationship lifecycle is a key metric in how third-party oversight is evaluated. If you think boilerplate contract language will be sufficient, think again. The name of the game is focused, precise action, including terminating a business relationship once a partner has shown disregard for laws and policies. Wherever that partner is located, your grasp on its compliance must remain steadfast. You must manage, measure, and report on your third-party risk, ensuring both your compliance and theirs at the same time. Unsure of where to start and what to measure? Read on for expert advice on measuring and managing the risk exposure that comes with third-party relationships.

Third-Party Relationship Management

Every third party your organization does business with should be assigned a Relationship Manager. Identify an employee who is responsible and knowledgeable enough to manage, maintain, evaluate, and report on the relationship between your company and the third party. As Relationship Manager, this individual is accountable for the following:

  • Serving as the point of contact with the third party for all related compliance issues
  • Maintaining regular contact with the third party
  • Holding annual meetings with the third party to review its compliance obligations
  • Submitting annual reports to the company’s Compliance Oversight Committee (COC) summarizing the services provided by the third party
  • Assisting the COC with any related third-party issues

Compliance Oversight Committee Must-Haves

A Compliance Oversight Committee (COC) reviews all reports covering the full scope of a third party’s relationship with the company. Once the commercial relationship starts, the COC should review the relationship at least annually. That annual review needs to report on and evaluate any new or supplemental risk uncovered by a review of financial audit reports on the third party, and it must also cover any remedial due diligence investigations and the risk those investigations surface.

Ongoing Third-Party Risk Reporting

Remember those old infomercials with the tagline “Set it and forget it”? Third-party risk reporting does not work that way: it requires constant monitoring to be accurate and reliable. Far from being useless busywork, the ongoing reporting process will become the sharpest tool at your disposal. Your ongoing monitoring needs to be systematic, independent, and easily documented, so that you can objectively determine how well your compliance terms and conditions are being followed. Keep constant tabs on your third-party risk, and capturing, analyzing, and reporting on that data will become second nature. Your minimum baseline third-party monitoring should include the following metrics:

  • Existing compliance programs and code of conduct effectiveness
  • The origin and legitimacy of any funds paid
  • All disbursements made for or on behalf of the company
  • All funds received in connection to work performed and services/equipment provided

A more comprehensive evaluation should also include:

  • Due diligence determination, certifying that due diligence was taken by the third party
  • Compliance training program review, both program content and attendance records, to determine program effectiveness
  • Third-party hotline report review
  • Third-party employee discipline for related infractions
  • Employee expense report review for employees in high-risk positions or high-risk countries
  • Gift, travel, and entertainment (GT&E) spending limits for anything given to or accepted from foreign government officials, and whether there were any related overages

What Does Comprehensive Risk Reporting Look Like?

Once you’ve started oversight and monitoring of your third parties, the work isn’t done: you should also regularly review the health of your third-party management program itself. A strong, dependable program will stop compliance issues in their tracks, well before they become full-blown FCPA violations. Stay consistent and fully document the steps you’ve taken so that any regulator can test your reports. These meticulous metrics will also help with self-assessments down the road, whenever you audit the health of your compliance program.

Want to see what a comprehensive third-party risk management tool looks like in action? The Convercent team is ready to walk you through an in-depth demo of our Third-Party Risk Management and Due Diligence for Ethics and Compliance solution.
