Third-party risk is increasingly complex and the process of managing this risk, plus compliance, can be painful, says Neil Isherwood, due diligence subject matter expert at Dun & Bradstreet.
He recommends creating a process: first identify the supplier and its relationships, and verify these against the business using a risk-based approach. Then establish the business’s ultimate beneficial owners and use that information in line with your company’s risk tolerance.
Screen the supplier for sanctions, and reputational or litigation risk, and assess the risk of the entity to confirm the supplier passes your compliance policy.
Next, establish a reporting process to show that you have carried out the policy you set out and are adhering to both the policy and the process.
Lastly, create a process to monitor suppliers for changes, and plan how you will deal with them.
Four key tenets to ensure best practice in third-party risk planning:
1. Set and stick to your policy.
2. Use a risk-based approach and find ways to segment your portfolio accordingly. This makes it easier to onboard suppliers and manage lower-risk customers, leaving time to scrutinise those in higher-risk industries or countries, or those who have shown non-compliance previously.
3. Establish secure identification and verification of businesses and the people connected to them. Verify that the data, including a search for financial risk, provides a holistic picture.
4. Look at automating your third-party data collection, which can shorten onboarding, and establish rigorous monitoring and repeat due diligence processes.