For one of the world’s biggest automotive manufacturers, the year 2016 started off on a less than promising note when the company, which produces millions of cars every year, was forced to halt vehicle production for a week after an explosion at a supplier site resulted in a shortage of components. The incident was a timely reminder of just how much companies have come to rely on their third parties, and how significantly a single supply chain disruption can affect a company’s performance.
As organizations grapple with these and other third-party risks such as data breaches and contract risks, as well as multiple third-party related regulations, a robust third-party management program can make all the difference. With that in mind, here are five best practices to take your third-party management program to the next level:
Effectively Assess and Monitor Third-Party Risks
Third-party risks can have a direct impact on company profits and brand value. It is imperative, therefore, to identify these risks in a timely manner, and implement the appropriate controls and control testing processes. Also, establish contracts and policies that outline the roles and responsibilities of all parties in risk mitigation. If there are any fourth parties involved, make sure that you are informed about them, and include them in the scope of screening and risk management processes. Another best practice is to leverage curated content on third parties from external sources such as Dow Jones and D&B which can be invaluable in flagging high-risk third parties before they cause a failure.
Conduct Third-Party Screening, Onboarding, and Due Diligence
While conducting initial third-party screening, a good approach is to categorize third parties by risk based on various factors (e.g. offered product or service and country of operation), and then define and prioritize screening and due diligence processes accordingly. On-boarding is another critical step in ensuring that you have all the required third-party data to begin the relationship. Many organizations also set up real-time third-party data feeds, and monitor their third parties against global sanctions lists, adverse media reports, and other data to identify areas of concern.
Integrate and Streamline Third-Party Management Processes
Often, each department in a company manages their third parties differently from other departments. This siloed approach can lead to redundancies, and also limits overall visibility into third-party risks and compliance. To avoid these issues, you might want to standardize and streamline your third-party management processes across departments and functions. Also, make third-party information available centrally to facilitate oversight and accountability, and to ensure that nothing falls through the cracks.
Evaluate the Effectiveness of Your Third-Party Management Program
Just as you evaluate your third parties, it is important that you also evaluate your third-party management program regularly to determine if risks are being managed effectively, if compliance requirements are being met, and if issues are being resolved. Make sure that all allocated third-party management resources are available, have their responsibilities defined, and are working as planned. A 360-degree view of the third-party ecosystem is also a must.
A scalable and integrated GRC technology platform can help you manage multiple third parties efficiently, and provide greater visibility into risks and compliance issues. Technology can also streamline and automate third-party management processes, and consolidate and roll up third-party risk intelligence to support decision-making. Some solutions integrate with industry sources to aggregate and validate third-party data. Some also provide survey and assessment capabilities for due-diligence, compliance monitoring, and control evaluations.