It’s virtually impossible to do business in today’s world without the involvement of third parties. Suppliers, vendors, resellers, agents, shipping services and a slew of other third parties participate and contribute to your business. By definition, third parties are outside of your direct control – and therefore introduce additional risk.
Not all Third Party Risks are obvious
The risk that third parties introduce is sometimes obvious. If you rely on a shipping service to deliver your goods to customers, you know that your sales will be impacted if the shipper doesn’t properly process your shipments. That’s why you carefully select the service you’ll use to ensure that they are reputable and reliable.
Some risks aren’t so obvious. If you rely on a supplier in China to produce a specific widget for your end product, of course you will ensure that the quality of the product meets your standards. You’ll probably even confirm that the supplier is financially solid to ensure that they will be in business next week. However, do you know what natural disasters might be possible in their geographic region? Do you know how quickly they can recover if there is a flood? If this is your only supplier of that widget, those are very real risks to the production of your product.
Appropriate and Effective Due Diligence
The key is to perform appropriate and effective Third Party Due Diligence. What counts as appropriate and effective was a major subject of conversation at the Compliance Week Conference in May. The challenge for many organizations is that they can’t afford to spend a lot of time on third party due diligence. And yet they can’t afford not to.
There were a few key points made during the discussions at Compliance Week that provide some great guidance:
- Develop a program that makes sense for the level of risk
An organization like Apple, whose brand alone adds value to a product, is going to need to be far more concerned about things like reputation risk than a virtually unknown online seller of goods, where the value they bring is low cost. Similarly, the risk surrounding a supplier of office supplies like pens and paperclips is much lower than that of a supplier of a critical component of one of your end products. In both cases, the level of due diligence will be very different based on the level of risk.
- Push the process down to the “owners” of the partnerships
Compliance teams are overtaxed in most organizations. While the compliance team should certainly create the due diligence program and have an advisory role, the work of connecting with third parties and gathering data does not need to sit with the compliance team. Push the information gathering down to the individuals who own the partnerships (procurement, sales, etc.) and use your compliance expertise to look for red flags in the responses.
- Use technology to streamline and standardize
The use of technology to issue due diligence data requests, gather information, and analyze the responses will greatly improve the efficiency of the program. Of course, this is where the policyIQ application can help.
policyIQ for Third Party Due Diligence
Clients are already using policyIQ to track third party due diligence. Issuing questionnaires to third parties or to internal stakeholders, analyzing the responses, setting up reminders for annual re-evaluations, capturing the results of periodic audits or simply keeping track of which contracts have specific risk mitigation language – these are all ways that policyIQ can help you stay on top of your third party due diligence activities. If you are already using policyIQ, it is easy to get set up to start gathering your third party risk and due diligence information.
If you aren’t sure where to start – or aren’t sure if your third party risk management approach is sufficient – our RGP consultants can help by evaluating your program and making recommendations.
Contact us today to find out how we can help!