Given that third-party vendors and affiliations have become an integral part of day-to-day operations, have you considered the risks to company performance if a robust third-party management program is not in place? In this blog post our partner, MetricStream, recommends strengthening your third-party management program by making a thorough assessment of risks, then leveraging and integrating technology to mitigate those risks and enforce compliance across all departments of your company. This post originally appeared on the MetricStream blog and is published here with permission.
For one of the world’s biggest automotive manufacturers, the year 2016 started off on a less than promising note when the company, which produces millions of cars every year, was forced to halt vehicle production for a week after an explosion at a supplier site resulted in a shortage of components. The incident was a timely reminder of just how much companies have come to rely on their third parties, and how significantly a single supply chain disruption can affect a company’s performance.
As organisations grapple with these and other third-party risks such as data breaches and contract risks, as well as multiple third-party related regulations, a robust third-party management program can make all the difference. With that in mind, here are five best practices to take your third-party management program to the next level:
Effectively Assess and Monitor Third-Party Risks
Third-party risks can have a direct impact on company profits and brand value. It is imperative, therefore, to identify these risks in a timely manner, and to implement the appropriate controls and control-testing processes. Also, establish contracts and policies that outline the roles and responsibilities of all parties in risk mitigation. If any fourth parties are involved, make sure that you are informed about them, and include them in the scope of your screening and risk management processes. Another best practice is to leverage curated content on third parties from external sources such as Dow Jones and D&B, which can be invaluable in flagging high-risk third parties before they cause a failure.
Conduct Third-Party Screening, Onboarding, and Due Diligence
While conducting initial third-party screening, a good approach is to categorise third parties by risk based on various factors (e.g. the product or service offered and the country of operation), and then define and prioritise screening and due diligence processes accordingly. Onboarding is another critical step in ensuring that you have all the required third-party data before beginning the relationship. Many organisations also set up real-time third-party data feeds, and monitor their third parties against global sanctions lists, adverse media reports, and other data to identify areas of concern.
Integrate and Streamline Third-Party Management Processes
Often, each department in a company manages its third parties differently from other departments. This siloed approach can lead to redundancies, and also limits overall visibility into third-party risks and compliance. To avoid these issues, standardise and streamline your third-party management processes across departments and functions. Also, make third-party information available centrally to facilitate oversight and accountability, and to ensure that nothing falls through the cracks.
Evaluate the Effectiveness of Your Third-Party Management Program
Just as you evaluate your third parties, it is important that you also evaluate your third-party management program regularly to determine if risks are being managed effectively, if compliance requirements are being met, and if issues are being resolved. Make sure that all allocated third-party management resources are available, have their responsibilities defined, and are working as planned. A 360-degree view of the third-party ecosystem is also a must.
A scalable and integrated GRC technology platform can help you manage multiple third parties efficiently, and provide greater visibility into risks and compliance issues. Technology can also streamline and automate third-party management processes, and consolidate and roll up third-party risk intelligence to support decision-making. Some solutions integrate with industry data sources to aggregate and validate third-party data. Some also provide survey and assessment capabilities for due diligence, compliance monitoring, and control evaluations.