Managing Third-Party Risk

How do you best use your resources to efficiently and effectively quantify that risk across a large number of partners?

The necessity to use partners to distribute and supply when conducting business globally is a reality for most companies today; however, the introduction of any third party into your business creates risk. So, given that the available resources to manage risk are always constrained, how do you best utilize the resources you do have to efficiently and effectively quantify that risk across a large number of partners? One solution is to build and implement a scoring methodology to allow you to control the way that decisions are made.

As there is only a finite amount that you can find out about your partners, there is an obvious desire to make the best use of that information. There also needs to be a balance between spreading the decision-making across a large number of people whilst ensuring that the decisions that are made are consistent. Here are things to think about when building a risk-scoring methodology to help you focus your controls and resources most efficiently.

1. What Is the Aim?

The first step in any risk-scoring exercise is to clearly define what you are trying to achieve. Generally a scoring process can be used to:

  • Provide an automatic determination of the level of risk of a third party.
  • Help decide what the next step is within a process (for example, a recommended level of due diligence).
  • Help determine what to do next (for example, to determine whether the process remains with a business-level decision-maker, or is escalated to the compliance or legal review team).
  • Provide broadly consistent results, which represent a reliable best guess, and can therefore be challenged or changed by an appropriately trained member of your team.
  • Gather information on your partners, which may also be valuable to other parts of the business, and can help justify the decision of whether or not to bring on a third party.

Considering the purpose of the scoring has an impact later on in the process when deciding the types of questions to ask.

The second part of clarifying the aim is to build an expectation and means of measurement for what you think the outcome of the scoring program would be. This allows you to assess the validity of the program during its working life and at later review stages. It is generally not recommended to try to fully automate the process until the scoring is run and validated with a sufficient volume of partners.

2. Which Information Is Relevant?

It is important to ascertain early on which information you can use to determine the overall score. Generally, for third-party corruption risk, the main criteria are the location of the partner or where they are providing their product or service, the type of service or product that partner is providing, and the value of that service.

Building a simple view of the world into high, medium and low risk helps to quickly determine a preliminary level of corruption risk based on a company’s location, although how you build on that view can be more difficult. Using openly available lists can be a good start, but it is generally preferable to make your own list based on your knowledge of your own business. Think about where your company has had past or ongoing compliance issues, and where you have a strong presence to monitor third parties.

Establishing exactly which type of service a third party is providing is critical. The key to making this factor useful is to think about the risks you want to mitigate and consider what services may impact those risks.

Different compliance risks are likely to have different factors that require attention. There are also a number of other criteria that are sometimes included in a scoring scheme, such as sanctions and political exposure, or previous compliance issues. Whilst there is some benefit in considering these factors, they are rarely uncovered through the questionnaire process, so are best used as red flags rather than as determinative elements.

3. Where Can I Find the Information?

The information that you can use to determine a perception of risk for a third party can be found from three main sources: what you know yourself about the third party, what the third party knows about itself and what the world knows about the third party.

Throughout your organization, there is a vast amount of information about your third parties. Much of this information can be found in your enterprise resource planning (ERP)-type systems, but there is also plenty to be found from the institutional knowledge of your staff. Regardless of which source you use, you must firstly determine where the data is (i.e. which system or person holds the information) before deciding on how to go about accessing the information and which form you can gather it in. Internal information is generally the cheapest to gather, but may not provide all the data you need.

Often you can gain information about a third party’s internal structure and ownership, culture, or past issues by asking that third party in a questionnaire or interview. Asking a partner for data is not generally expensive, although the time to manage the process needs to be considered. Whilst this can be a cost-effective means of gathering information, there may be questions about the veracity of what is provided: the third party may not understand what you are asking, you may have asked the wrong person within the third party, or it may not be in the other party’s best interest to tell you.

Information gathered internally and from the third party should be verified at some point. External information may be able to help you do this, particularly if you have incomplete information. Certain factors, such as geographical risk and the value of the deal, could mean that external verification is needed to support the business decision to enter into the transaction. It may involve cross-checking the information you already have (i.e. from internal sources or from the partner) with a trusted source (like a corporate registry), or finding new information (such as the partner’s reputation).

4. Consider the Questions

Based on the analysis of the criteria required and the possible sources to gain the information to support the criteria, there are further decisions to make:

  • Which is the most cost-effective source for the information?
  • What is the most accurate way of obtaining information?
  • How should the questions be worded to ensure the greatest efficiency in getting to the required answer?
  • How do you write the questions to ensure the scores are usable?
  • Which questions and responses should be scored?

Once the questions are decided, other factors to consider are:

  • Who within that source knows the answers?
  • Does the person who knows the answers have the skills needed to respond accurately?
  • Does he or she know how to assess the reputation of a media source?
  • Can he or she assess the impact of a potential match on a sanctions list?
  • Does he or she understand the analysis and research needed to assess a possible false-positive match?
  • If he or she doesn’t have the skills, what training does he or she need to be able to respond accurately?

5. Are the Responses Accurate?

Once you have the answers, you must ensure that they are accurate. This may involve:

  • Sanity checks to ensure that the answers respond to the question and that the responder seems to have understood the question—this is especially useful when the questions have been translated into other languages.
  • Cross-checking against other information known about the partner.
  • Reviews by multiple people.
  • Audits and spot-checks to assess the accuracy and consistency of approvals.

Providing an accurate set of results from the process is important not only for your own use, but also because of the data protection and privacy obligations that you have to those who gave you the information.

6. What Does It All Mean?

Once all the base information is collected and sufficiently reviewed, you need to use it to make an intelligent decision. There are a number of methods that could be used to build the individual responses into a single, final score. These include averages or additions, which are generally a safer form of analysis, but only when they are used with a small number of key criteria; they tend to become inaccurate when too many criteria have scores attached to them.

As it is not always possible (or likely) that you get the scheme correct the first time, it is important to design the overall process to allow changes to be made in the future as you learn more about the results.

7. What Happens Next?

Once the process is run and a score is generated for a particular partner, a number of questions arise. As the score is generally used to make decisions about the next steps, it is important to decide:

  • Who should make decisions (this may be a single person, or a group acting together or in sequence).
  • Which decisions fall outside of the normal process and need to be escalated.

Secondly, how are the scoring and decision-making documented? In many cases, recording the fact that a decision is made and the reasons behind that decision can be just as important as the accuracy of the decision itself. When planning the documentation, you should consider where it can be stored (whether it is in a database or in hardcopy format, and if it is in hardcopy, its physical location) by deciding who may need to access the information. Access is generally required by your internal compliance and legal teams, but your business teams may also utilise the information to establish partners’ capabilities, and internal auditors and investigators may need the information if an issue is discovered.

8. What Happens When Circumstances Change?

In the real world, the factors that make up your view of risk are constantly changing, so it is necessary to put in place processes to stay up to date with the changes. Examples of these changes may be:

  • New sanctions against countries or companies.
  • Changes of ownership.
  • Announcements by enforcement agencies of new actions and settlements.

The question of how often to review the information, however, again comes down to the risks posed. For a partner deemed to be high risk, it may be reasonable to have a service that checks the media daily for adverse reports and checks for ownership changes annually. For a lower risk partner, it may be sufficient to review the media monthly.

Whatever method and frequency are used, it is important that the changes and decisions based on them are properly documented in the same manner as the original review.

9. Is the Process Working?

At an appropriate interval, it is important to stand back from the process and consider whether it has met the aims set out in step one. Whether this is after a certain time period or after a particular number of partners is dependent on the volume that you are expecting through the process. It is also advisable to have the review carried out by a team that is independent of the process, whether internal or external.

When reviewing the scoring methodology, it is important to ask:

  • Did it accurately reflect the risk that you understood the partners posed?
  • Did it agree with what you would have decided yourself given the same information?
  • Were decisions made by the right people?
  • Were issues escalated to the right people?
  • Have the risks changed?
  • Can the process be changed, or has it been built into an inflexible technology or workflow?

Once the review is complete, any necessary changes should be communicated to the staff involved in the process to ensure they know how their role is impacted.

Building a scoring model is a useful process and can be crucial to making the most out of the limited resources you have. It is important to remember:

  • Don’t expect to use scoring to fully automate a process—the information available is generally not complete enough to provide an accurate model, so scoring is far better when used as a guide.
  • Don’t assume that you get it right first (or second) time—it is important to have a clear understanding of what you are aiming at and to build a regular review into the program to recalibrate the scoring.
  • Keep the process and scoring as simple as possible—most of the relevant risk-related information can be found in a few key criteria.
  • Your perception of risk changes when new information emerges, so remember to document the decision-making process so that you can justify the final risk outcome and ensure the process has the flexibility to accommodate new information as it comes to light.