
Third-Party Due Diligence: 5 Steps to Reduce Risk



Modern supply chains are extremely complex, making it even more important that you are on top of your third-party due diligence.

According to the 2017 GEODIS Supply Chain Worldwide Survey, only six per cent of organizations have full visibility into their supply chains past the first level. The vast majority of companies have no oversight of their suppliers’ suppliers or customers’ customers.

This limited visibility is problematic because conducting business with non-compliant, high-risk third parties can lead to penalties, fines and recalls, and can destroy a company's reputation.

Most companies must outsource at least some aspects of their business, so it's important to actively manage risks by following a thorough plan for third-party due diligence. Follow these five steps to manage your third-party risk and keep your organization out of trouble.


Know and Understand Your Risks

The global nature of business means that organizations commonly conduct business across countries and continents. So, to reduce risk, you need a strong understanding of the risks and regulations to ensure the companies in your supply chain are ethical, safe and compliant.

Common third-party risks include: 

  • Corruption
  • Money-laundering
  • Trade sanctions
  • Antitrust
  • Cybersecurity

Some risks are unique to the third party’s region or industry. Checking the corruption risk of your supplier's country is a good first step. For countries ranked high, it’s safe to assume that suppliers in that country can also be considered high risk.

Centralize Your Information

It’s easier to identify and monitor risks when all of your third-party information is stored in one centralized database. Large, multinational corporations can have hundreds or even thousands of companies in their supply chain. Without a centralized database, key information can get lost or fall through the cracks.

Reach out to business operations team leaders to add in all of the third-party relationships they manage, including resellers and partners. Consolidating your third-party information into a single system means you’ll be able to see everything at a glance.

Conduct a Risk Assessment

For every third party in your supply chain, the best way to reduce risk is to conduct a thorough screening and risk assessment. Prospective third parties, whether individuals or companies, should be subjected to a detailed screening process.

Assess the third party’s country of origin, specific industry and internal factors. Get answers to common questions such as:

  • Do they document their processes thoroughly?
  • What is their employee training like?
  • How well do they know applicable regulations and laws?
  • Does their culture encourage excessive risk-taking?
  • How do they secure confidential data?

Then, validate the answers they’ve given you. Use credit checks, search for news about them, and check public records and sanction lists to verify the truth of their answers.

Define an Ongoing Monitoring Process

Your due diligence doesn’t end once you’ve vetted and on-boarded a third party. To reduce risk further, it’s important that you develop and commit to an ongoing monitoring process.

MetricStream recommends defining “specific rules or criteria to reduce the burden of due diligence and ensure that third parties are tracked better”. Keep an eye on risks as they emerge, so you can report, investigate and mitigate them before they turn into a major problem.

Evaluate and Improve Regularly

The fifth and final step is to routinely audit your processes. Ideally, you will have maintained a thorough record of documents and assessments so you can go back at year’s end and identify areas for improvement.

With a complete, clear understanding of your process and how tasks are carried out, you can use this information to improve, automate or even skip unnecessary steps. With new risks and regulations popping up every day, you can alter your processes to avoid these risks and comply with these laws.