The challenge of managing third party relationships has expanded within the banking industry. In guidance issued last year by the Office of the Comptroller of the Currency (OCC), the scope of such relationships has grown to include third parties beyond suppliers and vendors – such as JV partners, channel arrangements, debt buyers, correspondent banking relationships and more.
Perhaps the biggest challenge to the scope expansion is one shared by every industry – should all third parties be included in a risk management solution or just those that pose the highest risk? And, if it is a subset, can you and should you identify the most risky relationships?
First, as a practical matter, it is a waste of time and resources to apply full third party risk management to relationships that do not appear on an organization’s top risk list, such as the landscaping contractor for a local facility. While there could be a local conflict of interest or inappropriate gifts or entertainment involved in securing the contract, such misconduct – or a sudden failure of the vendor to deliver – will not cause major damage to the reputation or the financial or operational viability of the engaging entity. Therefore, triaging third parties by risk level is the better approach overall, and an emerging trend.
So how can you identify the riskiest third parties? The process starts outside the third party world with identifying your organizational risks and sorting them into low, medium and high risk buckets. Next decide how many buckets you will consider for full due diligence and monitoring of third parties who potentially expose your organization to those risks.
The mistake we see many companies make is using only one criterion to evaluate third party risk, and often one that is not tied to the organization’s risk profile, for example contract size. Using dollars as the single filter means you potentially waste resources screening some of the largest companies, which likely have strong compliance programs in place (e.g. IBM, GE, Microsoft), and ignore smaller business partners that could present significant risk, especially in your company’s high risk areas (e.g. a small consulting firm helping with business development in the Middle East).
Best practice is to use multiple criteria that are more likely to point out potential risk, including:
The type of product or service provided (critical system software development vs. lawn care)
Geography (Yemen vs. Canada)
Length of relationship (new vs. 20 years old)
Age of company (new vs. 20 years old)
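The triage described above, scoring each third party on the four criteria listed and mapping the total into low, medium and high buckets, is shown as an added Python example below. This is illustrative code written for this page, not a tool from the OCC guidance or any vendor; the per-criterion weights, the country and service lists, the tier thresholds and the three sample third parties are all constructed assumptions. It also includes the contract-size-only filter from the previous paragraph so the two approaches can be compared on the same register.

```python
"""Multi-criteria triage of third parties into risk tiers.

Added illustration; the scoring weights, country lists, tier cut-offs
and sample third parties are constructed for this example, not taken
from OCC guidance or any real vendor register.
"""
from dataclasses import dataclass

# Constructed per-criterion scores (0 = negligible, 3 = high).
SERVICE_RISK = {
    "critical system software": 3,
    "business development consulting": 2,
    "lawn care": 0,
}
# Constructed geography scores; a real program would map every country
# it operates in from its own organizational risk assessment.
GEOGRAPHY_RISK = {"Yemen": 3, "Saudi Arabia": 2, "Canada": 0, "United States": 0}


@dataclass
class ThirdParty:
    name: str
    service: str
    country: str
    relationship_years: int
    company_age_years: int
    contract_usd: int


def relationship_score(years: int) -> int:
    """New relationships carry the least track record with us."""
    if years < 1:
        return 2
    if years < 5:
        return 1
    return 0


def company_age_score(years: int) -> int:
    """Young companies have less operating history to assess."""
    if years < 2:
        return 2
    if years < 10:
        return 1
    return 0


def risk_score(tp: ThirdParty) -> int:
    """Sum the four criteria; an unknown service or country defaults to high (3)."""
    return (
        SERVICE_RISK.get(tp.service, 3)
        + GEOGRAPHY_RISK.get(tp.country, 3)
        + relationship_score(tp.relationship_years)
        + company_age_score(tp.company_age_years)
    )


def tier(score: int) -> str:
    """Map a score (0-10) into the low/medium/high buckets (constructed cut-offs)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage(parties, diligence_tiers=("high", "medium")):
    """Return the names of third parties selected for full due diligence."""
    return [p.name for p in parties if tier(risk_score(p)) in diligence_tiers]


def triage_by_contract_size(parties, threshold_usd: int):
    """The single-criterion filter the text warns against, kept for comparison."""
    return [p.name for p in parties if p.contract_usd >= threshold_usd]


# Constructed sample register: a large established software vendor, a brand-new
# consultancy in a high-risk geography, and a long-standing landscaping contractor.
SAMPLE = [
    ThirdParty("Global Software Corp", "critical system software", "United States", 12, 40, 5_000_000),
    ThirdParty("Desert Gate Advisors", "business development consulting", "Yemen", 0, 1, 60_000),
    ThirdParty("Greenlawn Services", "lawn care", "Canada", 8, 15, 20_000),
]

if __name__ == "__main__":
    for p in SAMPLE:
        s = risk_score(p)
        print(f"{p.name:22} score={s:2} tier={tier(s)}")
    print("multi-criteria selection:", triage(SAMPLE))
    print("contract size only (>= $1M):", triage_by_contract_size(SAMPLE, 1_000_000))
```

Run as a script, the multi-criteria triage selects both the software vendor (medium, because it builds critical systems) and the small consultancy (high, on geography, newness and age), while the dollar-only filter selects the software vendor alone and never sees the consultancy. The landscaping contractor scores zero under both and stays out of full due diligence, which is the triage outcome the text argues for.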
Automated third party risk management systems can help with this task by utilizing client databases in combination with the external data screening sources such systems already use. This area continues to evolve, but the process must start with a good organizational risk assessment and a solid understanding of the tools available to help identify and thoroughly screen your riskiest partners.