Key Trends and Innovations in Third-Party Risk Management

Sep 17, 2024

It’s a fact: the third-party risk management landscape is rapidly evolving due to technological advancements and increasing regulatory pressures.

In response to these major changes, our recent webinar, ‘Trends & Innovations in Third-Party Risk Management,’ featured experts Sylwia Wolos (Chief Strategy Officer at Ground Truth Intelligence), Kimberly Riggins-Brackman (Sr. Compliance Manager at PepsiCo), Andrew McBride (former Chief Risk and Compliance Officer at Albemarle Corp), and Vera Cherepanova (GTI Advisory Council Member), who explored the complexities of managing third-party risks in a turbulent environment.

The experts emphasised a critical shift from traditional, more manual, methods to innovative, data-driven approaches that enhance efficiency and improve compliance.

Staying aware of emerging trends is crucial for companies looking to remain competitive. Let’s dive into the key insights from the webinar and explore the actionable steps shared with our audience.

7 Key Trends and Innovations in Third-Party Risk Management

From Paper-Based to Data-Centric Investigations

The move from paper-based to data-centric investigations has revolutionised due diligence, boosting efficiency and cost-effectiveness. Companies now use extensive data sources and API connections for automated data gathering, simplifying and streamlining risk management and reporting. This evolution improves information integration, speeds up processing, and scales third-party risk programmes.

However, paper-based investigations remain relevant for high-risk entities in sensitive areas.

The Need for Flexibility

Regulatory requirements like the United States’ Uyghur Forced Labor Prevention Act (‘UFLPA’) and the EU Corporate Sustainability Due Diligence Directive are driving companies globally to seek advanced due diligence technologies, particularly for addressing complex risks such as forced labour and environmental impact. Consequently, flexibility in technology is essential, enabling tailored workflows and collaboration among various internal stakeholders.

Streamlining Data Collection by Focusing on Relevant Information

Data collection requires a focused approach, and technology plays a critical role in simplifying this process. For instance, platforms with ‘waterfall logic’ in questionnaires collect only relevant data, making it faster and more efficient for both internal teams and third-party suppliers.

Companies are also encouraged to apply a “So What?” test when requesting information to focus on data that truly impacts risk assessments. Additionally, they should reevaluate compliance questionnaires by comparing them with insights from public sources to enhance the quality and relevance of the data being collected.

“A relentless focus on continuous improvement through innovation and data can simplify processes and enhance effectiveness.” Andrew McBride, former Chief Risk and Compliance Officer Albemarle Corp

Taking a Phased, Risk-Based Approach to Risk Screening

While risk management programmes typically prioritise higher-risk entities, some reviews – such as those related to sanctions – require a wider scope that involves examining all vendor data and selected customer information.

Some companies must screen tens of thousands of entities for sanctions risks, placing significant demands on resources. In addition to sanctions, companies should also consider screening for risks like financial health, PEPs, and adverse media. Each of these adds further complexity and resource implications, particularly when applied to large numbers of third parties.

Given these challenges, a phased, risk-based approach is essential. Tackling all risks at once is impractical, so prioritising based on the risk assessment ensures more efficient management and resource allocation.

AI in Risk Management: Potential and Pitfalls

AI has significant potential to enhance third-party risk management, particularly in screening and conducting due diligence by aggregating data and flagging risks. However, the adoption of AI is still in its early stages; many companies are interested, but few have fully implemented it due to its limitations and challenges.

Regulatory bodies, such as the U.S. Department of Justice (‘DOJ’), emphasise the importance of specific risk assessments for AI tools, prompting companies to carefully evaluate their third-party AI implementations. To effectively manage AI risks, companies must develop robust frameworks that balance benefits with challenges.

Holistic Third-Party Risk Evaluation with Enhanced Due Diligence

Enhanced Due Diligence involves a more in-depth investigation of third-party relationships, drawing on both official sources and unofficial information. In certain cases, especially when dealing with high-risk entities operating in environments where reliable, official data is scarce, that unofficial information may serve as the only indicator of risk.

In addition to examining third-party conduct, companies must also consider broader factors like jurisdictional and sector-specific risks which can influence overall risk exposure. By integrating diverse perspectives into EDD processes that are tailored to each third party’s risk profile, companies can make more informed decisions and effectively mitigate risks.

Streamlined Third-Party Risk Management Requires a Collaborative Approach

Effective third-party risk management relies on collaboration among teams. Integrating due diligence into the procurement and sales processes requires enhanced controls, supported by cooperation between compliance officers and business units. When teams understand the benefits of streamlined procedures and improved risk management, they are more likely to embrace the compliance function’s role and overall value to the business.

Other Expert Insights for Effective Third-Party Risk Management

In addition to the key points above, several other practical aspects of third-party risk management were discussed during the session. Here is a brief overview:

  • Streamlining Data Requests in Complex Supply Chains: As supply chains grow more complex, avoiding duplicative information requests from third parties becomes essential. Coordination among departments, such as sustainability, compliance and legal, helps streamline this process by ensuring that similar data points, like Scope 3 emissions and forced labour metrics, are only requested once.
  • Evaluating and Verifying Due Diligence Providers: Companies must carefully select and verify due diligence providers to ensure the data is relevant and tested before making contractual commitments.
  • Effective Management of Complexity in Data Integration: Vendor relationships, contracts, and engagements add complexity when integrating data from multiple sources. Whether the process is handled in-house or subcontracted, having a consistent methodology is key and requires careful resource management and oversight.
  • Tackling the False Positives Dilemma in Sanctions Screening: A major challenge in sanctions screening is managing false positives, which can overwhelm compliance teams, especially in jurisdictions with less name variation. To ease this burden, many companies outsource the adjudication of screening hits. While this reduces internal workload, it introduces new challenges. Companies must carefully manage these vendor relationships to ensure efficiency and consistency, as outsourcing does not eliminate the need for ongoing oversight.
  • Building Internal Expertise to Ensure Consistent Screening Processes: When developing internal capabilities to ensure consistency in third-party risk assessments, companies must balance resource constraints with the need for accuracy. This balance allows them to allocate resources effectively while still achieving reliable outcomes.
  • Ensuring Effective Blocking of High-Risk Third Parties: Safeguards such as advanced analytics, ongoing monitoring, timely reviews and team collaboration are essential to avoid blocked entities re-entering the system through indirect channels or under different credentials.
  • Overseeing Third Parties Through Comprehensive Compliance Monitoring: Effective oversight includes ongoing reputational screening, transaction testing, and contract compliance monitoring to identify new risks and ensure that third parties meet their obligations.

“With regard to third-party management, always be looking out, checking, testing and monitoring your resources to make sure that you are equipped to do the job that you want.” Kimberly Riggins-Brackman, Sr Compliance Manager PepsiCo

Conclusion

The future of third-party risk management hinges on the harmonious blend of innovation, agility, and collaboration. Companies that embrace data-driven solutions boost efficiency while staying ahead of regulatory demands. Streamlined processes, continuous monitoring, and strong internal frameworks are essential for managing today’s complex third-party risks. While AI offers game-changing potential, its role should be strategic – enhancing decisions rather than making them. By fostering collaboration between compliance and business teams, companies can build a proactive risk culture that ensures third parties meet their obligations while also safeguarding integrity in a quickly evolving landscape.

Keep an eye out for more insights and practical advice in our upcoming articles and webinars.
