The subject of third party risk and compliance continues to be a hot topic for our clients and for companies around the world. This past spring, third party risk was one of the key topics at the 2014 Compliance Week conference, and continues to be top of mind. One way that our clients have been using policyIQ to help mitigate third party risk is by utilizing policyIQ forms for the screening of new potential partners, vendors, suppliers and other third parties.
Almost every organization requires these third parties to go through some level of screening process before beginning a business relationship. Sometimes this process is decentralized and informal, leading to poor decisions or poorly documented decisions that cannot stand up to an audit review. Other times the process is highly bureaucratic and complex, which slows down the ability for the business to move forward with important partnerships.
policyIQ can help you to create a process for screening third parties that is consistent, sustainable, and takes a risk-based approach.
Typically we have seen this process administered by a compliance or legal team; however, each organization can choose how much of the footwork is pushed down to the business owner of the proposed relationship. If your compliance “team” consists of just one or two individuals, the compliance role will be to review the information gathered and the decisions made by your business owners.
Use policyIQ Forms to quickly issue questionnaires to:
- Third party contact person.
- Internal relationship owners.
The third party questionnaire might ask for company details, as well as request documentation, such as:
- W-9 or other formal supplier profile;
- policy documents related to key issues such as information security/privacy, supply chain compliance, or anti-corruption;
- references for other customers with similar relationships; and
- financial reports.
The internal questionnaire should capture information such as:
- the purpose of the relationship,
- the benefit to be derived,
- the options (or lack of options) for other third parties to fill the same need, and
- due diligence documentation, such as
  - background check,
  - credit check, or
  - financial reports.
These questionnaires may be submitted to your compliance team, often along with an initial assessment by the relationship owner of any potential risks. For specific types of partnerships – or those that are expected to involve more than a defined threshold of transactions – additional detail may be required. After a thorough review, compliance can confirm the viability of the relationship. To finalize the process, a final attestation may be sent out to the newly approved third party to let them know of their approval – and to require their formal sign-off on a statement of compliance. (This may include signing off on key policies or agreeing to standard terms.)
Let us help you to build a process that works for you!
The process outlined above is just one example of how you can use policyIQ for third party screening. We can help you to build your process, or to define a more efficient process. If you need a little help confirming that your third party screening process is truly managing your risks and will hold up to regulatory audits, our RGP consultants can help you to review and refine that process, as well. Contact us today and let’s get started!