
How to Implement a Third Party Risk Rating Program

By GAN Integrity

Which third parties pose the largest risk to your organization?

If you don’t know the answer to this question, there is likely room for you to optimize your current due diligence process. As a compliance officer, knowing your highest risk third parties provides great insight into your organization, will impact your risk management strategy, and will help you optimize your compliance program.

On the other hand, knowing which third parties are low-risk can be just as valuable. The vast majority of third parties probably don't pose a significant risk, but the secret to successfully managing them lies in identifying the level of risk each third party presents. The best way to identify how much risk third parties pose (and then apply the right amount of due diligence) is by establishing a risk-based methodology that you can trust.

While risk rating your third parties is immensely valuable, it can also be a large undertaking for most compliance teams. Deciding how to rank third parties, what the levels of risk are, and how much due diligence falls under each of those levels can be a tedious task (and one you will want to tailor to the unique characteristics of your organization).

What is Third Party Risk Rating?

Let's back up for a second and review the fundamentals. A risk-based approach to third party due diligence allows compliance officers to better understand their third parties and determine how much due diligence should be applied based upon the level of risk they present. This creates an efficient and cost-effective solution that allows organizations to best deploy limited resources with maximum impact.

Given the sheer number and variety of third parties most organizations work with, taking every precaution for every third party can be nearly impossible or at best, an uphill battle. Not only will taking a risk-based approach better allocate your team’s time and resources but it will also help determine what measures are suitable for each third party. Taking a risk-based approach to third party due diligence is a vital component of any effective compliance program.

Organizational Risks From Third Parties

Third parties present tangible risks to organizations. All along the value creation chain, third parties put organizations at risk and can even threaten your company's reputation. Once you’ve decided to take a risk-based approach to third party due diligence, the next question becomes: how do I efficiently categorize my third parties to understand which ones are low-risk and which ones are high-risk?

In order to best protect your organization, these are the three overarching questions you should be answering about your third parties:

  1. Am I allowed to do business with that third party? Are they on a sanctions list that would prohibit us from doing business together?
  2. Am I confident that this third party is in good standing and will not create a legal or reputational liability? What would it mean to our organization if this third party was found engaging in unethical or illegal conduct? Could their conduct pose a legal liability? (Also known as “The Front Page Newspaper Test”)
  3. Can I explain and document my decisions if something goes wrong? This is all about taking reasonable and appropriate measures to successfully defend the organization to regulators in the face of any alleged breach.

These questions will help to divide your third party population into high-risk, medium-risk, and low-risk cohorts so that you may perform the appropriate amount of due diligence. For most organizations (not all, but most), risk rating will categorize the majority of your third parties as low-risk. For these third parties, you might perform initial screening, and if there is no match, your work is done. For the medium-risk third parties, you might decide enhanced due diligence is needed, human-led red flag research should be conducted, and that an external questionnaire will be required. Then there are your highest risk third parties that will receive the most due diligence, budget, and attention. The Chief Compliance Officer should be involved in recommending mitigations and a boots-on-the-ground investigation might make sense. There are countless ways to customize this process to your organization, but this should give you a good outline of how the risk rating process works.

Your Third Party Risk Rating Methodology

To continue learning about how to risk rate your third parties, we highly suggest reading A Compliance Officer’s Guide to Third Party Risk Rating. This eBook serves as a robust guide to understanding the risks your third parties present, creating a systematic and scalable approach to properly managing third parties, and discovering the valuable role automation plays in the process. Get your copy now to transform the way you mitigate organizational risks in a streamlined manner that distributes valuable resources to the highest risks.
