Seven Steps for an Effective Risk Management System
by Dan Townsend
Director of Sales | North America
Third-Party Risk Management can mean many things to different organizations. To Symfact it is the process of evaluating new business partners and monitoring existing partners to ascertain what level of risk they may bring to a business relationship. An effective and efficient onboarding process for new partners and constant monitoring of current partners are critical elements in managing your key vendors, customers, and other business relationships.
The onboarding process for new third parties will require gathering information from a variety of sources. The level of data required will depend on the size and type of the proposed relationship: the higher the risk of the relationship, the higher the level of due diligence. This data gathering may come from initial interviews with the third party, cursory financial reviews, and data supplied through more structured questionnaires. Understanding what the third-party organization can provide, where it operates, its financial health, its key business owners and management, and its past performance and reputation will help frame an overall risk profile.
An effective Third-Party Risk solution is one that is designed to help Compliance, Sales, and/or Procurement Teams identify and assess the risks their business partners may expose them to and to determine what level of risk is acceptable. For the more strategic third parties, it may be necessary to further interrogate the third party’s operations, its ownership, and its management by running this data through an external database (one that is constantly updated by hundreds of business analysts around the world). This casts the widest net possible, so that you understand who you are dealing with and can properly vet the results through the necessary levels.
The solution must offer a user-friendly platform that incorporates all aspects of identification, evaluation, and management review of the business partners your organization deals with, and that provides the audit trail to substantiate your efforts.
The following are some of the key aspects of the system:
- Single Platform: A web-based platform that efficiently controls and manages third-party data load, pre-analysis, and assignment of risk levels for the onboarding of third and fourth parties.
- Flexible Data Collection Toolsets: A simple-to-operate tool that your Compliance staff can use to collect and store data about pending and ongoing relationships to determine the potential risk level. This risk level is based on the products, ownership, countries of operation, monetary value of the relationship, and other industry-specific details. The risk score determined from this information can dictate the need for further due diligence.
- Screening Data: Third-Party Risk Management systems such as Symfact’s can support the delivery of risk intelligence and financial databases via Symfact’s established APIs with highly reputable and global sources of data such as Thomson Reuters, Dow Jones, D&B, LexisNexis, and various specialized sources. Results can consist of detailed profiles of the key individuals, entities, Ultimate Business Owners, Politically Exposed People, and at-risk countries, as well as issues of bribery and corruption.
- Risk Cross Checking: In addition to the evaluation of named individuals and companies, an effective tool must undertake risk checks to analyse and cross-validate the answers collected through the internal and external questionnaires. These risk checks should be based on configurable business rules for your industry, country, or compliance policies.
- Continuous Monitoring: The ability to flag specific high-risk individuals or organizations that need to be monitored on an ongoing basis is a critical step in the management of existing relationships. Linkages to external databases and registers ensure automated checks are initiated and notifications are generated when notable items are identified.
- Enhanced Due Diligence (EDD): Detailed background reports on organizationally significant third parties can assist in protecting against regulatory and reputational damage. Having the ability to instantly order an EDD report as part of the evaluation process brings significant efficiencies to the process and ensures the data is automatically archived on the third-party evaluation record.
- Integration: Ability to integrate with your ERP and other internal systems to ensure effective dissemination of the relevant data. Additionally, the ability to use the third-party evaluation as a precursor to the development of the contract is a highly effective control mechanism and can directly feed into Contract Lifecycle Management and/or Legal Entity Management systems. This linkage eliminates the need to re-enter data in the CLM system and streamlines the overall process of onboarding a customer, vendor, or business partner.
The following graphic depicts the standard functional steps in the analytical review process to evaluate and onboard your business partners, their subsidiaries and partner organizations, and the key individuals with their organization(s).