Third Party Risk – Are you doing your due diligence?

It’s virtually impossible to do business in today’s world without the involvement of third parties.  Suppliers, vendors, resellers, agents, shipping services and a slew of other third parties participate in and contribute to your business.  By definition, third parties are outside of your direct control – and therefore introduce additional risk.

Not all Third Party Risks are obvious

The risk that third parties introduce is sometimes obvious.  If you rely on a shipping service to deliver your goods to customers, you know that your sales will be impacted if the shipper doesn’t properly process your shipments.  That’s why you carefully select the service you’ll use to ensure that they are reputable and reliable.

Some risks aren’t so obvious.  If you rely on a supplier in China to produce a specific widget for your end product, of course you will ensure that the quality of the product meets your standards.  You’ll probably even confirm that the supplier is financially solid to ensure that they will be in business next week.  However, do you know what natural disasters might be possible in their geographic region?  Do you know how quickly they can recover if there is a flood?  If this is your only supplier of that widget, those are very real risks to the production of your product.

Appropriate and Effective Due Diligence

The key is to perform appropriate and effective Third Party Due Diligence.  What counts as appropriate and effective was a big topic of conversation at the Compliance Week Conference in May.  The challenge for many organizations is that they can’t afford to spend a lot of time on third party due diligence.  And yet they can’t afford not to.

There were a few key points made during the discussions at Compliance Week that provide some great guidance:

  1. Develop a program that makes sense for the level of risk
    An organization like Apple whose brand alone adds value to a product is going to need to be far more concerned about things like reputation risk than a virtually unknown online seller of goods, where the value they bring is low cost.  Similarly, the risk surrounding a supplier of office supplies like pens and paperclips is much lower than a supplier of a critical component of one of your end products.  In both cases, the level of due diligence will be very different based on the level of risk.
  2. Push the process down to the “owners” of the partnerships

    Compliance teams are overtaxed in most organizations.  While the compliance team should certainly create the due diligence program and have some advisory role, the work of connecting with third parties and gathering data does not need to sit with the compliance team.  Push the information gathering down to the individuals who own the partnerships (procurement, sales, etc) and use your compliance expertise to look for red flags in the responses.
  3. Use technology to streamline and standardize

    The use of technology to issue due diligence data requests, gather information, and analyze the responses will greatly improve the efficiency of the program.  Of course, this is where the policyIQ application can help.

policyIQ for Third Party Due Diligence

Clients are already using policyIQ to track third party due diligence.  Issuing questionnaires to third parties or to internal stakeholders, analyzing the responses, setting up reminders for annual re-evaluations, capturing the results of periodic audits or simply keeping track of which contracts have specific risk mitigation language – these are all ways that policyIQ can help you stay on top of your third party due diligence activities.  If you are already using policyIQ, it is easy to get set up to start gathering your third party risk and due diligence information.

If you aren’t sure where to start – or aren’t sure if your third party risk management approach is sufficient – our RGP consultants can help by evaluating your program and making recommendations.

Contact us today to find out how we can help!

This entry was posted in Industry News, Solutions by Chris Burd.

About Chris Burd

Chris is the Managing Director of the policyIQ group at RGP. She gets geeky about compliance and technology, and gets to spend every day working at the crossroads of the two. With policyIQ since 2005, Chris has worked with hundreds of policyIQ clients to implement technology and enhance their internal compliance environment. In the past few years, she's focused on enhancing policyIQ's offering as a Conflict Minerals and Anti-Corruption tool. In past lives, Chris worked as a system implementation consultant, an e-commerce specialist, a customer service call center manager, and - for one short but memorable summer during high school - a machine operator on midnight shift in a plastics factory. In her free time, she spoils her nieces, volunteers at her local food bank, and spends more time than she should taking photos of her cats. She would like to be a rock star when she grows up.
