ELM Solutions
Reducing the Risk in Third-Party Relationships: A Practical Guide for Compliance Professionals
Intermediary
Contractor
Service provider
Outsourcer
Distributor
Dealer
Subcontractor
Franchisee
Vendor
Agent
Business Partner
Representative
Supplier
Client
This eBook will provide you with three key takeaways:
1. Third-party relationships mean both great benefits and great risks
2. Management programs based in best practices mitigate third-party risk
3. Effective technology is a crucial component
15-minute read
Table of Contents
Introduction
Chapter 1: Zeroing in on Third-Party Risk
Chapter 2: Approaches to Third-Party Risk Management
Chapter 3: Technology – A Requirement for Sustainable Programs
Chapter 4: Key Considerations for a Technology Solution
Conclusion
Introduction
What company does not rely on business relationships with third parties in some way? The services of third parties are a necessity for most organizations in order to operate successfully in today’s global economy.
Third-party business relationships can deliver great benefits, but they also introduce a multitude of risks. Every week the business news calls attention to enforcement actions for corporate regulatory violations, which often involve third parties. In fact, it has been widely reported that the majority (as high as 90% in a recent year) of enforcement actions under the Foreign Corrupt Practices Act (FCPA) involve third parties.
Third-party relationships also introduce risks in the areas of security, privacy, reputation, finances, insolvency, business continuity, and geopolitics. Research shows that many organizations struggle with the challenge of managing these risks, especially as the number of relationships grows. The good news is that resources, such as best practice recommendations, are available to guide organizations in establishing third-party management programs to fit their specific circumstances. And technology can help to ensure that these programs are truly effective, efficient, and sustainable.
Corporate exposure to third-party risk is wide-ranging
62% of organizations have a business model that relies heavily on vendors (survey of 249 compliance & ethics professionals responsible for day-to-day operation of C&E programs).
Society of Corporate Compliance and Ethics and NYSE Governance Services. 2014 Compliance and Ethics Program Environment Report.
3,868: average number of third parties per company (survey of 187 senior executives in ethics/compliance/anti-corruption worldwide).
Kroll and Compliance Week. Anti-Bribery and Corruption Benchmarking Report. 2014.
“At the nation’s biggest banks and credit card companies, the list of third parties typically runs to more than 20,000 names; some firms might have 50,000 suppliers.” – McKinsey & Company
Krivin, Dmitry, et al. “Managing third-party risk in a changing regulatory environment.” McKinsey Working Papers on Risk, Number 46. McKinsey & Company, May 2013.
Chapter 1
Zeroing in on Third-Party Risk
In an Industry Week article on third-party risk, Crowe Horwath risk consultants Patrick Warren and Michael Varney present a categorization of third-party threats that manufacturers and other companies may face:
• Regulatory and legal violations
• Breaches of systems and data
• Reputation damage
• Financial dependence (e.g., based on reliance on a single supplier of a key item)
• Systemic events
• Geopolitical events
Warren, Patrick and Michael Varney. “Third-Party Risk and What to Do About It.” IndustryWeek, 23 May 2014.
“We are seeing third-party vendors as a very significant source of cyber risk. You could have a moat around a heavily fortified castle but if the bridge is down to your vendors, then your fortifications become worthless.” – Lisa J. Sotto, partner and head of Global Privacy and Cybersecurity, Hunton & Williams
Perlroth, Nicole. “Heat System Called Door to Target for Hackers.” The New York Times, 5 Feb. 2014.
“…The reality [is] that a large company is actually a sprawling network of interconnected vendors, and that weak security at any one vendor can lead to a breach that costs hundreds of millions of dollars.” – The New York Times
PwC. “Managing cyber risks in an interconnected world – Key findings from the Global State of Information Security® Survey 2015.” 30 Sep. 2014.
Risk categories for financial institutions apply broadly
The US Federal Deposit Insurance Corporation (FDIC) devotes an entire chapter in its Compliance Examination Manual for bank examiners to a discussion of third-party risk. While the focus is on financial institutions, the FDIC summary provides a useful categorization for organizations in other industries as well. In addition to reputation risk, credit risk (similar to financial dependence), and country risk (including geopolitical events), the FDIC includes:
• Compliance risk — Beyond potential violations of laws and regulations, practices or products of a third party may breach an organization’s internal policies and standards
• Strategic risk — A third party may make “adverse business decisions” or execute business decisions in ways that are at odds with an organization’s strategic goals
• Operational risk — Losses may occur as a result of “inadequate or failed internal processes, people, and systems, or from external events” associated with a third party
• Transaction risk — For any number of reasons, including poor planning/preparation, systems failure, mistakes, or fraud, a third party may fail to deliver products or services as expected
Federal Deposit Insurance Corporation. “Third Party Risk.” Compliance Examination Manual VII-4, Jan. 2014.
One of the most prevalent third-party risks: the threat of regulatory non-compliance
A third-party representative’s conduct in violation of a law/regulation can generate costs to the organization beyond any direct fines and penalties levied by a government enforcer — for example, the costs of investigations, disruption of operations, etc. Such conduct may also lead to damage to the organization’s reputation and other equally serious consequences.
Often third parties are engaged to assist a company in moving into new geographic regions and/or markets. It is imperative to determine both the full scope of the laws of the company’s home country, as well as any locale- and/or market-specific rules that are in play. Regulatory intelligence is clearly a critical component of any third-party risk management program.
– Michael Rasmussen of GRC 20/20
These survey results underscore companies’ concern with the regulatory risk associated with third parties. There appears to be heightened concern with third-party risk related to stringent anti-corruption laws and regulations, as evidenced by the focus on this in the guidance and research highlighted in the next chapter.
How much is the changing regulatory landscape driving companies to reassess their third-party relationships? (Survey of 209 senior compliance, audit, risk, and ethics officers worldwide)
[Chart: 85% reassessing. Response options shown: increasing ongoing oversight (i.e., auditing, monitoring) on a prospective basis; reassessing some or all of their existing business partners; bringing many of their business activities under more direct control and oversight; not at all. Other values shown: 15%, 49%, 31%, 5%.]
Deloitte and Compliance Week. “Compliance Trends Survey 2014.” May 2014.
Chapter 2
Approaches to Third-Party Risk Management
A wealth of resources are available to help companies structure a third-party risk management program based in best practices. In addition to guidance issued by various regulatory bodies, corporate compliance and risk management experts write regularly on the topic of third-party risk.
A few of these experts’ recommendations are highlighted here, along with a brief look at what companies are doing with regard to third-party risk management. A more in-depth discussion of third-party risk management best practices is covered in the ELM Solutions white paper, “Getting Your Arms Around Third-Party Relationships.”
Tom Fox, independent consultant and author on FCPA compliance, describes five steps of the “Life Cycle of Third Party Management” in his FCPA Compliance and Ethics Blog. These steps provide a convenient way to organize this discussion of best practices and current programs:
1. Business Justification
2. Questionnaire
3. Due Diligence
4. Contract
5. Relationship Management
1. Business Justification
Tom Fox suggests that the business justification should be prepared by the “business sponsor” of the third party and serve the needs of both the business unit and the compliance practitioner. It becomes part of the third party’s “compliance review file.”
Questions that the business justification should answer:
• Who? What? Where? When? etc. on the third party organization
• How was the third party identified?
• What is the planned engagement?
• Why has this entity been selected for this engagement?
Fox, Thomas R. “Life Cycle of Third Party Management – Step 1 Business Justification.” FCPA Compliance and Ethics Blog, 31 March 2014.
2. Questionnaire
For Fox, a third-party questionnaire is a “mandatory step.” The third party’s response provides valuable data to inform the plan for due diligence.
Key questionnaire topics:
• Ownership structure
• Financial qualifications
• Personnel
• Physical facilities
• References
• Politically exposed persons (PEPs)
• The ultimate beneficial owner(s) (UBOs)
• The compliance regime
• Appropriate compliance training and awareness
Fox. “Life Cycle of Third Party Management – Step 2 Questionnaire.” 1 April 2014.
3. Due Diligence
Regulatory authorities and compliance and risk experts alike recommend that third parties be categorized by the degree of risk posed. Due diligence is then driven by risk category: the most intense scrutiny is focused on the relatively small number of third parties that represent the greatest risk. Tasks at each level might include:
(Risk categories shown: Low, Medium, High)
• Internal review of available documentation and news on the third-party company, its owners, its financial health
• Checks against watch lists and other trusted sources for potential red flags
  – Corruption, sanctions, other criminal activity
  – Politically-exposed persons (PEPs)
  – Conflicts of interest
• More in-depth internet searches and review of international media
• More detailed background on directors and shareholders
• Screening and searches of in-country and sector-specific information sources
• In-person interviews with third-party owners/managers that will be responsible for the relationship
• Interviews of references and business and/or political associates
• Audit/review of the third party’s policies, controls, audit reports, and financial records
• Independent in-country investigation of the third party’s compliance with relevant laws, regulations, and licensing requirements
• In-house legal review of documentation collected
How are companies handling due diligence today?
97% of companies report conducting due diligence on third parties (survey of 187 senior executives in ethics/compliance/anti-corruption worldwide).
Most frequently noted components of due diligence:
• 69% Reference checks
• 64% Information collected by the business unit
• 56% Public databases (English only)
• 51% Adverse media searches (local language)
• 51% Corporate legal department review
• 50% Public database (local language)
• 50% Local jurisdiction corporate registry sources
Kroll and Compliance Week. Anti-Bribery and Corruption Benchmarking Report. 2014.
How are companies handling due diligence today?
Time and cost are the most important factors limiting anti-corruption due diligence.
Factors that influence a decision not to work with a particular third party:
• 77% Allegations/rumors of paying bribes in the third party’s background, but no proof
• 64% A history of litigation
• 60% The third party is a politically exposed person
• 55% While the third party is well-known in the region, it is not known to perform the work it would be doing for us
Survey respondents: 187 senior executives in ethics/compliance/anti-corruption worldwide; 383 compliance professionals in companies with anti-corruption programs worldwide.
Kroll and Compliance Week. Anti-Bribery and Corruption Benchmarking Report. 2014.
Dow Jones Risk & Compliance. “The Dow Jones State of Anti-Corruption Survey 2014.” Dow Jones Risk & Compliance, 22 April 2014.
4. Contract
The contract with each third party should contain adequate protections to mitigate the risks that have been identified in the previous steps. Templates can provide a good starting point and ensure that all pertinent items are taken into account. Points to consider include:
• Commercial terms, viewed through a compliance lens: Fox recommends review of the commercial terms from a compliance perspective. For example, compare the planned compensation of the third party — whether in the form of commission, a discount rate, or other remuneration — to the norm for the industry, geography, etc. Rates that are higher than normal could signal potential corruption.
• Compliance terms and conditions: The experts agree that third-party contracts must include specific compliance terms and conditions, such as: anti-corruption affirmations, breach notice provisions, subcontractor approvals, audit rights, ongoing training requirements, annual certifications, re-qualification terms, etc.
• Termination provisions: Finally, it’s important to lay out the conditions that will permit the organization to terminate the contract and the associated steps to be taken.
Fox. “Life Cycle of Third Party Management – Step 4 – The Contract.” 3 April 2014.
“… Contract termination is an inevitable phase in the third party relationship lifecycle. As many risks as there are in the active phase of a third party relationship, there are some that remain and also new ones that arise when the relationship is ending.” – Carole Switzer, OCEG
Switzer, Carole. “Breaking Up Is Hard To Do – Avoiding Pain by Planning for the End of a Third Party Relationship.” oceg.org Blog, 19 July 2014.
Are third parties required to sign an agreement agreeing to adhere to compliance standards? (Survey of 249 compliance & ethics professionals responsible for day-to-day operation of C&E programs)
• 44% Yes: require third parties to sign an agreement to adhere to the company’s integrity standards
• 23% Yes: require third parties to sign an agreement to abide by a third-party or supplier code of conduct
• 33% No
Society of Corporate Compliance and Ethics and NYSE Governance Services. 2014 Compliance and Ethics Program Environment Report.
“… Companies have begun creating ‘Supplier Codes of Conduct’ that lay out their expectations for suppliers to operate in a responsible and ethical manner … The multinationals then reference those codes of conduct and require that the supplier/partner comply with them.” – Baker & McKenzie
Baker & McKenzie. “The Companies You Keep – Global Supply Chain Management: Five Steps to Managing Third-Party Risk.” Baker & McKenzie, 2013.
5. Relationship Management
Management of third-party relationships involves a host of ongoing tasks, including: monitoring, training, responding to queries, handling issues, investigations of suspected violations, tracking and analyzing metrics, and auditing. Fox notes that multiple roles in an organization play an important part in the management of every third-party relationship:
• The relationship manager: Most likely the business sponsor, acts as the liaison between the company and the third party, and is responsible for “monitoring, maintaining and continuously evaluating the relationship”
• A compliance professional: Acts as a resource and works with the relationship manager to answer compliance questions and “provide advice, training and communications” to the third party
• An oversight committee: Made up of senior management, reviews each third-party relationship at least annually and has approval authority over third-party requests for payments or non-monetary compensation
• Audit: Regularly executes “a systematic, independent and documented process” to establish “the extent to which your compliance terms and conditions are followed” by the third party
Fox. “Life Cycle of Third Party Management – Step 5 – Management of the Relationship.” 4 April 2014.
“You not only have a legal obligation to monitor the actions of your suppliers/partners, but to respond appropriately to any issues that arise, and most importantly, remedy the problems.” – Baker & McKenzie
Are companies auditing third-party compliance? How frequently do companies monitor their business partners?
[Charts: response labels shown are “sometimes” audit, “always” do, “never”, annually, and at least quarterly; values shown are 43%, 16%, 16%, 42%, and 19%.]
Survey respondents: 383 compliance professionals in companies with anti-corruption programs worldwide; 209 senior compliance, audit, risk, and ethics officers worldwide.
Dow Jones Risk & Compliance. “The Dow Jones State of Anti-Corruption Survey 2014.” Dow Jones Risk & Compliance, 22 April 2014.
Deloitte and Compliance Week. “Compliance Trends Survey 2014.” May 2014.
“Regulators expect companies to do a lot more regarding their vendors and other third parties. It’s not just about giving out their code of conduct; it’s about rigorous due diligence, training, oversight, and performing periodic compliance reviews.” – Thomas Rollauer, Executive Director, Center for Regulatory Strategies, Deloitte & Touche LLP
Training of third parties on anti-corruption efforts (survey of 187 senior executives in ethics/compliance/anti-corruption worldwide)
58% say they never train third parties on anti-corruption efforts.
42% do train third parties:
• 19.8% train annually
• 14.4% every 2 years
• 7.5% every 3-5 years
Of those who do train:
• 52.6% Provide on-line or web-based training
• 4.9% Distribute or post printed materials for review
• 42.3% Conduct in-person on-site training
Kroll and Compliance Week. Anti-Bribery and Corruption Benchmarking Report. 2014.
“Everybody has some form of anti-bribery policy in place. What they’re not doing is educating their third parties, which is where most of the risk is.” – Melvin Glapion, Managing Director, Kroll
Program Review
An important additional step is the periodic evaluation of the health of the third-party management program overall.
How effective do you believe your company’s protocols and procedures are? (Survey of 187 senior executives in ethics/compliance/anti-corruption worldwide)
• Vetting third parties before a business relationship?
• Monitoring compliance after a relationship begins?
• Auditing anti-bribery and corruption program compliance among third parties?
• Training of third parties on anti-bribery policies and procedures?
[Chart: effective vs. ineffective ratings for each area; values shown are 57%, 43%, 33%, 33%, 30%, 29%, 7%, and 17%.]
Kroll and Compliance Week. Anti-Bribery and Corruption Benchmarking Report. 2014.
Chapter 3
Technology – A Requirement for Sustainable Programs
“In a complex business environment, technology is essential for successful 3rd party management.” – OCEG
OCEG. “Integrated Third Party Management.” GRC Illustrated, 2014.
Given the numbers and variety of third-party relationships in which most companies engage, the implementation of a third-party management program can be a daunting challenge. A risk-based approach to due diligence and monitoring, the collaborative participation of multiple functions in the organization, and an effective technology solution are all critical for a sustainable program. The right technology solution offers benefits throughout the third-party management life cycle:
• Streamline development and ensure the consistency of the business justification
• Simplify both the creation of the third-party questionnaire and its collection
• Efficiently manage risk assessment and due diligence and ensure their defensibility
• Provide a reliable framework for the third-party contract
• Facilitate ongoing training, management, and oversight of third parties
• Support information-sharing and collaboration between functions involved in third-party management (e.g., compliance and legal)
Essential tools
• Templates, checklists, and document assembly capabilities: Serve to standardize the various documents required and streamline their preparation, including business justifications, questionnaires, and even contracts
• Rules and workflow engines: Automate and bring consistency and efficiency to necessary processes, ensure that the right people are involved, and enforce follow-up requirements and deadlines. Can help effectively structure preparation and review/signoff processes for the business justification, risk assessment, due diligence, and contracts, as well as the collection of questionnaires and the ongoing monitoring and renewal processes
• Central database and document management system: Provides a single location to store and access all pertinent information and documentation on each third party, including the business justification, questionnaire response, risk ratings, due diligence results, contract, attestations, etc. Centralization simplifies information sharing among all of the individuals involved in third-party management
• Calendaring and task management features: Enable tracking of important milestones and scheduling of review intervals (e.g., due diligence) appropriate to each third party
• Audit and logging capabilities: Capture key documents, decisions, actions, events, etc. and ensure the maintenance of adequate audit history for each third party
• Robust reporting facilities: Ensure that those responsible for making decisions about third-party relationships have the information needed to guide those decisions
Proactive management of third parties exercises every aspect of GRC
Virtually every function associated with governance, risk, and compliance (GRC) comes into play in the ongoing management, oversight, and training of third parties. Technology can provide an enduring foundation for effective communication and collaboration among the various players and ensure their ability to fulfill their respective responsibilities. To do this successfully, a technology solution must address:
• Compliance management: To enable continuous tracking and alerting of changes in regulatory and other compliance obligations; simplify procurement of legal opinions on the relevance and implications of these changes to third-party risk; and support appropriate response to changes in compliance obligations as they relate to third parties
• Ongoing risk management: To support continued monitoring of risk indicators; simplify scheduling of periodic due diligence reviews; enable recalculation of risk levels and generation of new due diligence tasks in response to changes
• Policy management: To enable regular policy communications with third parties; provide access to the company’s code of conduct and applicable policies; manage attestations required from third parties (e.g., that they have read and agree to applicable policies, have completed related training, etc.); and maintain records of these activities
• Management of internal controls and audit: To streamline scheduling and planning for audits of third-party activities; provide visibility to enable identification of compliance gaps; and maintain an ongoing audit history
• Incident and issue management: To support intake, triage, and investigation of third-party related inquiries and allegations from a variety of internal and external sources; streamline identification, assignment, and tracking of any needed corrective actions (e.g., contract term revisions, additional payment controls, more frequent monitoring); provide early notification to legal staff and expedite engagement of legal resources to assist in resolution
Chapter 4
Key Considerations for a Technology Solution
The right technology solution can enable organizations to implement best practices and effectively manage the risk associated with third-party relationships across the business. Important factors to consider when evaluating a technology solution for third-party risk management include:
• Does it support a risk-based approach?
• Does the solution provide global visibility to third-party risk across the organization?
• Does it offer an easy to use, secure portal for communicating with third parties?
A brief discussion of each of these factors follows.
Support for a risk-based approach
A risk-based approach enables prioritization, so that the most rigorous third-party due diligence and management efforts are focused on the highest risk relationships. This allows more efficient use of available resources and provides greater assurance that needed protections will be implemented where the risk is highest. The technology solution must support valid, accountable, and consistent risk management and due diligence processes – and do so on a continuing basis as changes occur. An effective solution is characterized by:
• A customizable risk model that employs weighted risk factors, both pre-defined industry standard and company-specific
• Integrated monitoring of internal and external data sources (e.g., for watch lists, PEPs info, negative news, etc.) for detection of risk factors
• Automated calculation — and recalculation as changes occur — of risk scores and recommended due diligence levels
• Auto-generation of due diligence tasks by risk level
• Alignment with industry standards (e.g., ISO 31000, OCEG) for risk management and due diligence
• Customizable templates for key third-party management documents
• A single system to identify, analyze, evaluate, mitigate, and monitor third-party risk
• An historical view of changing third-party risk levels over time
An effective third-party risk management solution must support a risk-based approach to enable prioritization of due diligence and management efforts to the highest risk relationships.
[Figure: process flow. 1000s of third parties; What are the risk factors/indicators?; Gather information/data; Run Risk Model (use risk factors to calculate risk score that determines the risk level of each third party); Risk Scoring (Low / Med / High); Risk Assessment; Customized due diligence plan.]
Global visibility to third-party risk across the organization
A global view of third-party risk, and the associated management efforts, enables the regular collaboration that is crucial to effective management. The solution must support all of the functions involved in managing third parties — business, compliance, risk, legal, audit, policy, etc. — and the employment of attendant services (e.g., outside counsel). The only truly viable way to provide such enablement and support is through a platform-based solution. A technology platform should provide the capabilities described earlier, across organizational boundaries, including:
• A central database and document management system for storage of all pertinent third-party information
• Shared rules engine, workflow engine, and audit and logging
• Robust, comprehensive reporting and analytics capabilities
The platform should enable the seamless integration of third-party risk management with broader risk management and other legal and GRC management systems. It should also provide the ability to integrate with enterprise systems — such as transaction monitoring systems, and internal and external services — such as hotlines and regulatory and risk content providers.
A platform-based technology solution should provide robust reporting and analytics
Spread of annual $ spend with third parties:
• Less than $15,000: 30%
• Between $15,001 - $75,000: 25%
• Between $75,001 - $200,000: 35%
• Greater than $200,001: 10%
Distribution of third parties by category type:
• Joint Venture Partner: 3%
• Consultant: 7%
• Distributor: 10%
• Agent: 20%
• Supplier: 60%
Distribution of third parties by sector:
• Banking & Finance: 25%
• Light Manufacturing: 20%
• Pharmaceutical & Healthcare: 20%
• Consumer Services: 10%
• Transportation & Storage: 8%
• Heavy Manufacturing: 7%
• Utilities: 6%
• Other: 4%
An easy-to-use, secure portal
Regular, effective communication with third parties is facilitated through an easy-to-use and secure portal that enables third parties to both submit and receive information. The portal should give third parties ready access to policy and other compliance-related training and information that apply to them. It should provide straightforward mechanisms to respond to questionnaires and submit attestations and certifications, as well as to ask compliance-related questions and raise issues.
Access + Respond + Submit + Learn + Certify + Inquire + Report
Conclusion
Every third-party relationship introduces some level of risk. In order to maximize the value and minimize the risk of these relationships, organizations must put processes in place to assess the types and degree of risk and implement appropriate measures to mitigate that risk. Risk and compliance experts have offered models to assist companies in developing third-party management programs based in best practices. Even with such best practices-based processes in place, the magnitude of the effort can easily overwhelm available resources. The right technology solution can effectively support these processes and ensure a third-party risk management program that is efficient, defensible, and sustainable for the long term.
© 2015 Wolters Kluwer ELM Solutions, Inc. and its affiliates and/or licensors. All rights reserved.