Best practice approaches to risk and performance scoring and automated workflow
As businesses have evolved and matured, so too has their approach to third parties. In the past, companies focused more on transactional ‘supplier’ relationships, typically for raw materials or ‘parts’. However, today third party relationships form a much deeper and far-reaching part of the strategic and operational ecosystem of any Global 2000 organization.
Now third parties are intrinsically linked to the success and the reputation of the business – and can include not only traditional suppliers, but also vendors, distributors, resellers, agents, partners, affiliates, contractors, managed service providers, brokers and even intra-company groups.
Third parties have become part of the fabric of customer engagement, IT, and sourcing strategy as they bring new capabilities, opportunity and scale to the enterprise. On the flip side, they also bring substantial strategic, operational, financial, compliance and reputational risks. Depending on the relationship, third parties may have access to your network, to your customers’ or employees’ personally identifiable information (PII), or may represent your business and deal with foreign government officials on your behalf. Risk is rife.
This means that risk and compliance teams cannot focus only on what must be done internally to protect a company and its customers; they must also ensure that the same checks and balances are in place for third parties.
This can be a daunting undertaking. The number of third parties and suppliers that Global 2000 organizations can work with can extend into the tens of thousands or even many hundreds of thousands, and involve a web of complex relationships.
Due to this scale and complexity, as more third parties are on-boarded, they are often not managed to the level of risk that they represent. In fact, a recent survey by Thomson Reuters found that global companies are only conducting due diligence on 62% of their suppliers, distributors and third party relationships, with only 36% fully monitoring the ongoing risks and 61% not even knowing the extent to which third parties are in turn outsourcing their work. Companies may be vetting critical suppliers, often the most visible by spend or service, but they are ignoring the long tail – which is where hidden risk lurks.
This is why having an automated process of assessing vendors is important. It means that you can manage volume and scale, and at the same time help eliminate the blind-spots that exist in the long tail.
Risk scoring is an essential element of this process. By applying risk scoring, third parties can be tiered according to the inherent risk within a given relationship. This provides organizations with the intelligence to scope due diligence in a risk-relevant way, with the capability to encompass the entire long tail of their third party universe. It also means there’s auditability and defensibility behind the decision making process, one that tracks to the risk appetite of the organization.
But, in managing your third parties, it’s not just about risk, it’s also about performance. How much value are your third parties bringing to your organization and can it be measured and maximized? Poor performance of third party relationships is a risk unto itself – why not have a means of measuring and monitoring performance, just as you would risk?
Generally, the aim of risk scoring is to be able to provide an automated assessment of the level of risk a third party presents based on a number of data-points. This in turn will provide the next step in the process of risk mitigation – such as triggering the scope of due diligence, automatically initiating a corrective action notification to the relevant stakeholders, and/or triggering an appropriate remediation plan.
Part of the objective should also be to ensure that the risk scoring process is:
- Customizable enough to align to your organization’s risk appetite;
- Consistently applied, with similarly situated third parties being assessed and analyzed in a comparable manner;
- Reportable, for individual third-parties and also in aggregate for transparent decision making and good governance;
- Trackable and auditable, so that you can demonstrate to the business, auditors and the regulators, the process behind decision making.
Aravo’s latest technical paper provides insight into how effective scoring methodologies connected to automated workflows can help companies better manage third party risk, performance and compliance at scale. It draws from Aravo’s experience of working with organizations that have the most complex third party networks in the world, and describes the best-in-class approaches companies are now taking. It also provides a deep dive into the Aravo Evaluate Engine – a unique and configurable scoring engine – and demonstrates how it provides a solution that companies with mature third party risk management programs are benefiting from.