Third Party Risk Monitoring

Is Your Third Party Onboarding Due Diligence Comprehensive Enough?

Written by Patrick Gleeson, Ph.D.

Why Supplier Onboarding Demands Risk Assessment
Contemporary corporations are expansive by nature. Often, continued success or even survival requires rapidly opening new markets, dramatically increasing production capacity and/or incorporating specialized expertise and capabilities. In many cases, the most time-efficient and cost-effective way to achieve these goals is through entering into relationships with third parties. Third parties can enable great results, but not without the possibility of significant risk exposure for your organization. As a result, third-party onboarding procedures become critical to your overall TPRM process to ensure risks to your organization are fully visible and acceptable. Unfortunately, the breadth and depth of risk assessment required to safely onboard third parties is not always fully understood by the organization.

Leading Practice for Comprehensive Third-party Onboarding

The first step in your onboarding process needs to be an assessment of the overall potential risk each new third party poses to your organization. The appropriate amount of due diligence should be guided by the risk level assigned to each third party from low to medium to high to critical. The higher the level of risk exposure, the more extensive the due diligence required. The key elements of third-party due diligence are data collection, validation, and evaluation of results, including the identification and investigation of any red flags. Data collection should include a health check of the third party as gleaned from independent market data, an internal questionnaire completed by the sourcing organization, as well as an external questionnaire to be completed by the third party being onboarded. Depending on the criticality of the third party to the organization, onsite visits may be required to fully understand the third-party’s operations.

While many organizations collect data on the potential third party as part of their onboarding process, where they may fall short is the risk framework that is used to evaluate the overall health and risk exposure of the third party. The risk framework used needs to include a comprehensive set of third-party risks beyond financial and cyber risks. Additionally, risks associated with the location from which the services are to be provided need to be included in the comprehensive risk framework. An organization’s risk exposure can be considerably higher if the third party operates from a higher-risk global location such as Mexico or Brazil, where a number of location-risk factors can be in play, including political instability, crime, corruption, civil unrest, high taxes and language issues. After any red flags have been investigated and acceptable risk levels established, the final step in onboarding should be the approval process. But there’s one more thing to consider. Risks don’t end when the third party is successfully onboarded. Post-approval risk mitigation is a continuing process, and a post-approval risk mitigation plan should be part of all third-party onboarding.

For organizations experiencing rapid growth in the number and criticality of their third-party relationships, it may not be the most efficient and cost-effective answer to handle all onboarding and due diligence functions in-house. For example, for their most critical third parties, organizations may elect to hire an assessment provider to do more intrusive internal due diligence. Additionally, many organizations also subscribe to data services to get the risk intelligence they need for their due diligence process. But all data services are not the same. Organizations should be aware that the depth and breadth of the risk intelligence provided varies widely and may not be comprehensive enough to fully mitigate onboarding risks.

What Is the Solution?

A perfect risk solution is one that has comprehensive, real-time and continuous risk data, alerts, monitoring and intelligence. For each third party, the solution should continuously monitor market data for risk events. These verified and curated risk alerts should automatically update risk scores in each of the monitored risk categories in real time. At any point in time, one should be able to generate an up-to-date third-party risk report that shows current risk scores and how those risk scores have changed in recent quarters.

This unique solution is Supply Wisdom. Supply Wisdom’s comprehensive risk framework, unmatched in the market, includes risk parameters in six categories for third parties and eight categories for locations. The more than 175 third-party risk parameters go beyond Financial and Cybersecurity to include Governance, Regulatory & Compliance, People, Solutions Maturity and Client Risk. As the location in which the third party operates is critical to assessing the risk of third-party relationships, Supply Wisdom includes more than 150 location specific risk parameters including Geo-Political, Legal, Financial, Business, Macro-Economic, Infrastructure, Scalability and Quality of Life risks.

As a recent example of the value of Supply Wisdom’s location monitoring, take the Coronavirus epidemic that began in early January 2020 in Wuhan, an important Chinese industrial city. Supply Wisdom immediately began notifying subscribers of the health risk associated with this location. In fact, risk alerts related to this outbreak were sent to subscribers nearly a month before the virus was first reported in The New York Times, giving the early warning necessary for their subscribers to take proactive mitigation steps and minimize or even avoid costly service disruptions.

But there’s more Supply Wisdom can do: remember the importance of including post-approval risk mitigation planning as part of your third-party onboarding? Supply Wisdom’s real-time risk monitoring can be used to continuously monitor your onboarded third parties and the locations in which they operate for ongoing risk mitigation. Supply Wisdom’s risk alerts are curated for relevancy and accuracy so your team can concentrate their efforts on effective risk mitigation. Additionally, because all risk scores are updated in real time, at any moment you can generate a health scorecard for your third party, thus streamlining and simplifying future risk assessments.

Supply Wisdom can even be used before the onboarding process to screen all third parties considered for the RFP. Because you can take a quick snapshot of the current risk profile of all third parties under consideration, you can compare their risk profiles side by side and reject any with unacceptable risk levels. For the third party ultimately selected for onboarding, their risk profile can easily be updated for onboarding due diligence. Because Supply Wisdom’s risk intelligence and risk scores are real-time and continuous, Supply Wisdom can be used to understand the risk profile of your third parties at any point in time.

Want to learn more about how Supply Wisdom can elevate your third-party onboarding and due diligence? Request a demo today.

About the Author

Patrick Gleeson holds a doctorate in 18th-century English literature, has more than 15 years of investment-management experience, and is a FINRA registered investment advisor. He has contributed hundreds of financial articles to U.S. print and online publications. In his spare time he performs his own compositions at electronic music festivals, most recently Moogfest.