A new survey of legal and compliance leaders has found that 83% of organizations discover risks with third-party vendors only after the due diligence period, highlighting the danger of solely relying on a point-in-time approach to risk management.
According to Gartner’s 2019 Third-Party Risk Management Survey, even “exhaustive upfront due diligence” demonstrated an inability to identify certain critical risks presented by third-party vendors. The report further notes that the problem isn’t necessarily in the initial due diligence conducted. Rather, issues emerged only after the onboarding process was completed, reinforcing a growing belief that a legacy approach to third-party risk management is no longer adequate to mitigate risk.
Instead, the report advocates for an iterative approach to third-party risk management that continues to monitor third-party developments in near real time. This allows businesses to identify risk faster and engage remediation processes more quickly to minimize a firm’s exposure to any legal or reputational risk.
The Modern Challenges of Third-Party Risk Management
One area of risk stems from the ways in which organizations now collaborate with third parties. Third-party relationships are increasingly dynamic, evolving along with organizations’ needs and introducing new variables (i.e., new risks) that weren’t present during onboarding. Additionally, today’s data-driven approach to business operations results in third-party vendors gaining greater access to organizational data, creating a vulnerability where risk can manifest.
The business models and internal operations of third-party vendors can also create their own inherent risks. A growing number of third parties now include startups and business model innovators that conduct operations differently than traditional incumbent service providers, presenting previously unknown areas of risk.
Third parties are also increasingly utilizing their own third parties to outsource business services. As a result, a single organization may be enlisting vendor services that are built on an ever-changing mix of fourth or fifth parties, inhibiting oversight and limiting the value of scheduled due diligence.
Furthermore, the nature of vendors can change over the course of a business relationship. A third party can be bought or sold at any time, ultimately resulting in new beneficial ownership. Directors and senior leadership of a third party can also change over time.
Because of these issues, third-party risk may often materialize only after the initial due diligence process is completed and a relationship is established. This is where a due diligence policy of solely conducting point-in-time screening begins to fall apart. Any risk-relevant development that occurs after the initial screening would likely catch a firm by surprise and limit its ability to remediate before suffering a substantive impact.
What This Means for Your Due Diligence Model
Gartner’s survey is just the latest evidence that solely relying on a point-in-time due diligence process is insufficient to meet modern business challenges. Instead, your third-party risk management strategy should embrace a continual approach to due diligence that features ongoing monitoring, as well as agile remediation strategies to quickly address new risk factors as they’re identified.
To implement this iterative approach, a process-oriented strategy is needed to build a framework for continued oversight and, when necessary, intervention. The use of an iterative compliance platform can help organize these tasks and maintain consistent monitoring of your third parties throughout the business relationship.
First-line screening still has its place in a successful due diligence program, but given the complexity of today’s third-party vendor relationships, initial screening alone is no longer enough to minimize your organization’s exposure to risk. Only with an iterative third-party due diligence program that constantly monitors your existing third-party relationships can you truly position your organization to act quickly when a problem arises. Implementing an effective continuous third-party due diligence program now will save your organization costly damages later from any corrupt or illegal third-party behavior.