Managing Third-Party Risk

How do you best use your resources to efficiently and effectively quantify that risk across a large number of partners?

June 4, 2014
Andrew Henderson
Red Flag Group

The necessity to use partners to distribute and supply when conducting business globally is a reality for most companies today; however, the introduction of any third party into your business creates risk. So, given that the available resources to manage risk are always constrained, how do you best utilize the resources you do have to efficiently and effectively quantify that risk across a large number of partners? One solution is to build and implement a scoring methodology to allow you to control the way that decisions are made.

As there is only a finite amount that you can find out about your partners, there is an obvious desire to make the best use of that information. There also needs to be a balance between spreading the decision-making across a large number of people whilst ensuring that the decisions that are made are consistent. Here are things to think about when building a risk-scoring methodology to help you focus your controls and resources most efficiently.

1. What Is the Aim?

The first step in any risk-scoring exercise is to clearly define what you are trying to achieve. Generally a scoring process can be used to:

  • Provide an automatic determination of the level of risk of a third party.
  • Help decide what the next step is within a process (for example, a recommended level of due diligence).
  • Help determine what to do next (for example, to determine whether the process remains with a business-level decision-maker, or is escalated to the compliance or legal review team).
  • Provide broadly consistent results, which represent a reliable best guess, and can therefore be challenged or changed by an appropriately trained member of your team.
  • Gather information on your partners, which may also be valuable to other parts of the business, and can help justify the decision of whether or not to bring on a third party.

Considering the purpose of the scoring has an impact later on in the process when deciding the types of questions to ask.

The second part of clarifying the aim is to build an expectation and means of measurement for what you think the outcome of the scoring program would be. This allows you to assess the validity of the program during its working life and at later review stages. It is generally not recommended to try to fully automate the process until the scoring is run and validated with a sufficient volume of partners.

2. Which Information Is Relevant?

It is important to ascertain early on which information you can use to determine the overall score. Generally for third-party corruption risk the main criteria are the location of the partner or where they are providing their product or service, the type of service or product that partner is providing, and the value of that service.

Building a simple view of the world into high, medium and low risk helps to quickly determine a preliminary level of corruption risk based on a company’s location, although how you build on that view can be more difficult. Using openly available lists can be a good start, but it is generally preferable to make your own list based on your knowledge of your own business. Think about where your company has had past or ongoing compliance issues, and where you have a strong presence to monitor third parties.

Establishing exactly which type of service a third party is providing is critical. The key to making this factor useful is to think about the risks you want to mitigate and consider what services may impact those risks.

Different compliance risks are likely to have different factors that require attention. There are also a number of other criteria that are sometimes included in a scoring scheme, such as sanctions and political exposure, or previous compliance issues. Whilst there is some benefit in considering these factors, they are rarely uncovered through the questionnaire process, so are best used as red flags rather than as determinative elements.

3. Where Can I Find the Information?

The information that you can use to determine a perception of risk for a third party can be found from three main sources: what you know yourself about the third party, what the third party knows about itself and what the world knows about the third party.

Throughout your organization, there is a vast amount of information about your third parties. Much of this information can be found in your enterprise resource planning (ERP)-type systems, but there is also plenty to be found from the institutional knowledge of your staff. Regardless of which source you use, you must firstly determine where the data is (i.e. which system or person holds the information) before deciding on how to go about accessing the information and which form you can gather it in. Internal information is generally the cheapest to gather, but may not provide all the data you need.

Often you can gain information about a third party’s internal structure and ownership, culture, or past issues by asking that third party in a questionnaire or interview. Asking a partner for data is not generally expensive, although the time to manage the process needs to be considered. Whilst this can be a cost-effective means of gathering information, there may be questions about the veracity of what is provided where the third party doesn’t understand what you are asking, whether you have asked the wrong person within the third party or whether it is not in the best interest of the other party to tell you.

Information gathered internally and from the third party should be verified at some point. External information may be able to help you do this, particularly if you have incomplete information. Certain factors, such as geographical risk and the value of the deal, could mean that external verification is needed to support the business decision to enter into the transaction. It may involve cross-checking the information you already have (i.e. from internally or from the partner) with a trusted source (like a corporate registry), or finding new information (such as the partner’s reputation).

4. Consider the Questions

Based on the analysis of the criteria required and the possible sources to gain the information to support the criteria, there are further decisions to make:

  • Which is the most cost-effective source for the information?
  • What is the most accurate way of obtaining information?
  • How should the questions be worded to ensure the greatest efficiency in getting to the required answer?
  • How do you write the questions to ensure the scores are usable?
  • Which questions and responses should be scored?

Once the questions are decided, other factors to consider are:

  • Who within that source knows the answers?
  • Does the person who knows the answers have the skills needed to respond accurately?
  • Does he or she know how to assess the reputation of a media source?
  • Can he or she assess the impact of a potential match on a sanctions list?
  • Does he or she understand the analysis and research needed to assess a possible false-positive match?
  • If he or she doesn’t have the skills, what training does he or she need to be able to respond accurately?

5. Are the Responses Accurate?

Once you have the answers, you must ensure that they are accurate. This may involve:

  • Sanity checks to ensure that the answers respond to the question and that the responder seems to have understood the question—this is especially useful when the questions have been translated into other languages.
  • Cross-checking against other information known about the partner.
  • Reviews by multiple people.
  • Audits and spot-checks to assess the accuracy and consistency of approvals.

Providing an accurate set of results from the process is important not only for your own use, but also because of the data protection and privacy obligations that you have to those who gave you the information.

6. What Does It All Mean?

Once all the base information is collected and sufficiently reviewed, you need to use it to make an intelligent decision. There are a number of methods that could be used to build the individual responses into a single, final score. These include averages or additions—which are generally a safer form of analysis, but only when they are used with a small number of key criteria as they also have the tendency to be inaccurate when too many criteria have scores attached to them.

As it is not always possible (or likely) that you get the scheme correct the first time, it is important to design the overall process to allow changes to be made in the future as you learn more about the results.

7. What Happens Next?

Once the process is run and a score is generated for a particular partner, a number of questions arise. As the score is generally used to make decisions about the next steps, it is important to decide:

  • Who should make decisions (this may be a single person, or a group acting together or in sequence).
  • Which decisions fall outside of the normal process and need to be escalated.

Secondly, how does the scoring and decision-making get documented? In many cases, recording the fact that a decision is made and the reasons behind that decision can be just as important as the accuracy of the decision itself. When planning the documentation, you should consider where it can be stored (whether it is in a database or in hardcopy format, and if it is in hardcopy, its physical location) by deciding who may need to access the information. Access is generally required by your internal compliance and legal teams, but your business teams may also utilise the information to establish partners’ capabilities, and internal auditors and investigators may need the information if an issue is discovered.

8. What Happens When Circumstances Change?

In the real world, the factors that make up your view of risk are constantly changing, so it is necessary to put in place processes to stay up to date with the changes.  Examples of these changes may be:

  • New sanctions against countries or companies.
  • Changes of ownership.
  • Announcements by enforcement agencies of new actions and settlements.

The question of how often to review the information, however, again comes down to the risks posed. For a partner deemed to be high risk, it may be reasonable to have a service that checks the media daily for adverse reports and ownership changes annually. For a lower risk partner, it may be sufficient to review the media monthly.

Whatever method and frequency is used, it is important that the changes and decisions based on them are properly documented in the same manner as the original review.

9. Is the Process Working?

At an appropriate interval, it is important to stand back from the process and consider whether it has met the aims set out in step one. Whether this is after a certain time period or after a particular number of partners is dependent on the volume that you are expecting through the process. It is also advisable to have the review carried out by a team that is independent of the process, whether internal or external.

When reviewing the scoring methodology, it is important to ask:

  • Did it accurately reflect the risk that you understood the partners posed?
  • Did it agree with what you would have decided yourself given the same information?
  • Were decisions made by the right people?
  • Were issues escalated to the right people?
  • Have the risks changed?
  • Can the process be changed, or has it been built into an inflexible technology or workflow?

Once the review is complete, any necessary changes should be communicated to the staff involved in the process to ensure they know how their role is impacted.

Building a scoring model is a useful process and can be crucial to making the most out of the limited resources you have. It is important to remember:

  • Don’t expect to use scoring to fully automate a process—the information available is generally not complete enough to provide an accurate model, so scoring is far better when used as a guide.
  • Don’t assume that you get it right first (or second) time—it is important to have a clear understanding of what you are aiming at and to build a regular review into the program to recalibrate the scoring.
  • Keep the process and scoring as simple as possible—most of the relevant risk-related information can be found in a few key criteria.
  • Your perception of risk changes when new information emerges, so remember to document the decision-making process so that you can justify the final risk outcome and ensure the process has the flexibility to accommodate new information as it come to light.
Recommended
Women In Supply Chain Vertical Color
Nominations Close June 7 for 2024 Women in Supply Chain Award
This award recognizes female supply chain leaders and executives whose accomplishments set a foundation for women in all levels of a company’s supply chain network. Submissions close June 7!
April 1, 2024
Adobe Stock 323829328
Alexis Asks: The Surge of E-Commerce Shipping
Managing editor Alexis Mizell-Pleasant asks industry experts about various topics developing in the supply chain field. Strategies that implement efficiency enhancing tools will be the ones to keep up in the coming years.
April 12, 2024
Flash is your go-to partner for service supply chain solutions
Sponsored
Flash is your go-to partner for service supply chain solutions
Flash specializes in helping OEMs meet customer SLAs. Whatever the scenario, Flash is prepared and equipped to successfully deliver your spare parts.
April 1, 2024
Latest
Adobe Stock 277780456
Alexis Asks: Redefining the Carbon Footprint
Managing editor Alexis Mizell-Pleasant asks industry experts about various topics developing in the supply chain field. Earth Day is around the corner and acts as a catalyst for change, teeing up sustainability for the coming year.
April 19, 2024
Women In Supply Chain Vertical Color
Nominations Close June 7 for 2024 Women in Supply Chain Award
This award recognizes female supply chain leaders and executives whose accomplishments set a foundation for women in all levels of a company’s supply chain network. Submissions close June 7!
April 1, 2024
Anya Skomorokhova
Pros to Know: PorterLogic's Anya Skomorokhova Talks Go-to-Market Strategy
Anya Skomorokhova , co-founder and COO of PorterLogic, was named one of our Rising Stars award winners from this year’s Pros to Know award.
April 18, 2024
Stock Supply Chain Photo
Global Trade Activity Indicates Rebound in Demand for Manufactured Goods
New data from Tradeshift's Q1 Index of Global Trade Health paints an encouraging picture for global trade, with robust growth observed in China and the United States, alongside indications of a rebound in global demand for manufactured goods.
April 17, 2024
Adobe Stock 485622467
Why All Modules Are Not Created Equal
IoT modules are a critical part of the overall connectivity ecosystem. It’s therefore essential to select a credible provider that prioritizes rigorous testing to identify vulnerabilities and practices the highest level of security and transparency.
April 17, 2024
Flash is your go-to partner for service supply chain solutions
Sponsored
Flash is your go-to partner for service supply chain solutions
Flash specializes in helping OEMs meet customer SLAs. Whatever the scenario, Flash is prepared and equipped to successfully deliver your spare parts.
April 1, 2024
Adobe Stock 573355948
Top 5 Tips for Businesses to Meet Sales Tax Obligations More Efficiently
Automated sales and use tax solutions can ensure precision, while also streamlining reporting capabilities and reducing audit risk.
April 13, 2024
Leestat Adobe Stock 503946321
Global Manufacturers Using Inventory Surpluses; Item Shortages Remain Lowest in 4 Years
Underlying data shows global manufacturers are using up inventory surpluses, some of which were accumulated because of Red Sea and Panama Canal disruptions, and cutting back on stockpiling activity.
April 12, 2024
K Ps Photography Adobe Stock 338059393
Greenscreens Ignite to Transform Pricing Analysis, Strategy Implementation
Greenscreens.ai launched Greenscreens Ignite, designed to transform pricing analysis and strategy implementation by enabling brokerages to craft optimized strategies.
April 12, 2024
Adobe Stock 357875609
Economy Overtakes Supply Chain Challenges as Innovation Roadblocks
Report finds respondents expect to slowly close the door on pandemic-related product development challenges, namely material shortages and supply chain disruption.
April 10, 2024
Adobe Stock 202513980
Panasonic Connect Highlights New Automated Manufacturing Solution
Panasonic Connect North America introduces new NPM-GH Pick-and-Place machine. The robotic surface-mount technology is the latest addition to Panasonic Connect’s autonomous factory lineup.
April 9, 2024
Bill Mrzlak Headshot
Pros to Know: ChainSequence's Bill Mrzlak Talks Uniting Sound Supply Chain Practices
Bill Mrzlak, president, ChainSequence, Inc., was named one of our Lifetime Achievement award winners from this year’s Pros to Know award.
April 9, 2024
Adobe Stock 498287166
Implementing PLI Proves Vital in Sustainable Product Design
A Makersite study reveals over half of organizations’ sustainability efforts are driven by regulations despite the benefits from adopting more sustainable product lifecycle intelligence (PLI).
April 8, 2024
Adobe Stock 220174007
Leveraging Recommerce to Strategically Sell Excess Goods
A reverse logistics partner can help an organization make real-time, data-backed decisions on lotting strategies, generate buyer demand and ensure excess and returned inventory is moving in and out of warehouses.
April 5, 2024
Adobe Stock 716542218 (1)
The Next AI Revolution: Helping Businesses Manage Excess Stock
AI-powered functionalities can operate both proactively—ensuring excess stock doesn’t recur—and reactively—helping teams redistribute excess stock moving forward.
April 5, 2024
Adobe Stock 231617101
While 68% of Consumers Lack Loyalty to Fintech Brands, Rewards Can Help
Tillo releases its "Bridging the Loyalty Gap: Consumer Insights for Fintech Engagement and Growth" study, unveiling that 68% of consumers feel no loyalty to fintech companies at this time.
April 3, 2024
Annika Adobe Stock 589591429
Global Business Optimism Continues to Climb, Indicating Sustained Confidence
The latest quarterly report from Dun & Bradstreet highlights a sustained positive trend in the global business outlook, with the Global Business Optimism Index rising 5.4% quarter over quarter.
April 3, 2024
Wisc Forum Logo Resized For Enl
Shattering Glass Ceilings at This Year’s Women in Supply Chain Forum
Registration is open for this year's Women in Supply Chain Forum, scheduled for Nov. 12-13 in Atlanta.
April 1, 2024
Jasont 1
Pros to Know: Nulogy's Jason Tham Talks Supply Chain Unity
Jason Tham, co-founder and CEO of Nulogy, was named one of our Lifetime Achievement award winners from this year’s Pros to Know award,
April 2, 2024
Adobe Stock 90106798
Supply Chain Lessons from the Boeing 737 Inspection Crisis
By adopting the right technology, manufacturers can mitigate the risk of defects and close gaps while not raising costs in this highly turbulent period in supply chains.
March 28, 2024
360mod
380 Modular Vision Tunnel Expands the Capabilities of Logistics Operations
Cognex Corporation introduces the 380 Modular Vision Tunnel, a new addition to the Modular Vision Tunnel portfolio.
March 27, 2024
Adobe Stock 527756780
Why Manufacturers’ Warehouses Must Prioritize Visibility
Adopting and leveraging technology solutions that drive supply chain visibility offers manufacturers a way to steer through turbulent times and succeed in the months and years ahead.
March 27, 2024
Top Supply Chain Projects
Nominations Open for 2024 Top Supply Chain Projects Award
This award profiles innovative case study-type projects designed to automate, optimize, streamline and improve the supply chain. Submissions close March 29.
February 19, 2024
Flash is your go-to partner for service supply chain solutions
Sponsored
Flash is your go-to partner for service supply chain solutions
Flash specializes in helping OEMs meet customer SLAs. Whatever the scenario, Flash is prepared and equipped to successfully deliver your spare parts.
April 1, 2024