Third-Party Risk: How To Assess It And Manage It

The best laid plans of mice and men can go out the window when it’s not your mice and men

Zen masters preach the benefit of letting go. Of the peace that comes with accepting the reality you actually have little control over your life. But while you may catch your CEO indulging in some corner office meditation, or find the CCO skipping lunch for yoga class, when it comes to the processes and practices that keep an enterprise financial firm operating safely, efficiently, and with a healthy profit, western ways will inevitably carry the day. That means control.

Companies naturally want to control as much of their business as they can. To have ultimate say-so over what goes on, top to bottom. But not every organization can completely wall itself off. Many companies rely on third-party vendors to supplement business needs in some form. It could be these vendors do a job some companies can’t afford to do or just don’t want to do. Maybe the vendor provides access to a genuine operational niche, a specialty few operators have the knowledge and expertise to provide.

Whatever the reason, it’s worth thinking about how to handle third-party vendors when it comes to their participation in your enterprise financial firm. The risks associated with using third-party vendors are well known. As such, third-party vetting should be considered a top priority for any compliance department. And though not as straightforward as, say, trade surveillance, there are common irregularities to be on the lookout for when using third-party vendors and proven approaches to effectively managing your relationships with these helper firms.

Eyebrow raisers
Companies can get up to all sorts of things in the course of doing business, activities which can and occasionally should raise eyebrows. These activities can range from the clearly ill-advised—the kind that should make you want to run as quickly as possible in the opposite direction—to benign activities which may simply indicate a poor fit. Here’s a list of items to consider when vetting third-party partners:

  • Leadership: Are the key principals of the third-party vendor involved in any side businesses? Businesses that might distract or conflict with what your firm does or what the third party might be doing for you? Is the third party operating more than one business out of the same location? All of this is more common than you might expect. If anything like this is happening, it might be as innocuous as strategic diversification, or something less desirable.
  • Reputation: How well is the third party regarded in the supply chain? How well is it regarded in its overall sphere of operation? Service complaints, product complaints, lawsuits, and fines in greater numbers than one would expect based on experience could indicate bigger problems: not just that the third party might be difficult to work with as a partner, but that poor financial performance could compel it to operate unethically.
  • Politics: For certain kinds of businesses in certain countries, political connections can be a boon and can be perfectly legal and ethical. But government connections can also indicate the kind of coziness that regulators in home countries and foreign countries frown upon. Third-party connections to government in countries that don’t have the best reputations for transparency should be carefully considered in the third-party vetting process.
  • Vendors’ Vendors: In the same way your firm is considering contracting out for help, so the third party you’re considering using may also have similar needs and relationships in place, with the same third-party risk that goes along with it. You’re getting at levels within levels here, and it may all seem a bit too much to think about and delve into, but the farther you can think and vet your way through the chain of potentially interconnected companies the better.
  • Size And Sophistication: How big is your target third-party vendor? Is it a one-person shop, a small-to-medium sized one, or a big corporation? Too small and the vendor may not be able to stay on top of its own operations (including compliance), let alone yours. Too big and corporate arrogance can set in, with similar results, i.e., important practices and processes falling by the wayside.

Minding someone else’s business
How does one find these kinds of things out? Due diligence. An answer simultaneously easy and difficult. Easy because the idea of vetting a potential vendor completely and thoroughly is obvious. Difficult because it means getting deep into the inner workings of another company. Essentially, you have to conduct audits of your potential third-party partners. This means:

  • Inspecting their books and records and, as best as possible, making sure they’re accurate.
  • Ensuring they have documented and functioning compliance programs and policies in place.
  • Extending background checks and audit functions to subcontractors, i.e., the vendor’s vendors.
  • Implementing formal change-management programs to ensure that irregularities are addressed and necessary improvements are made. 
  • Implementing an audit schedule, to revisit topics critical to both parties on a regular basis.

Is this asking a lot? Yes and no. Yes, in that it’s an intrusive process. Any audit is. No, if the company wants your business. So long as you present your case and handle matters professionally from the start, a company with nothing to hide should have no problem satisfying your very reasonable curiosity. After all, by partnering with you, depending on the precise nature of the relationship, they may be privy to the most sensitive information you handle, including proprietary processes and practices. It’s a reciprocally intrusive arrangement in that sense.

And don’t forget the simple things when vetting a third-party partner. Go out to the company’s website. Read about what it does and who it serves. Find out its approach. See who its clients are. Check out its technical certifications, if that’s a core part of its business. A company that has its act together should want to let prospects and clients know it. Finally, do an internet search. Make sure your target firm hasn’t been in the news for anything objectionable.

Letting go with confidence
After all this, you may come away with the idea that all third-party partners are time-bombs waiting to go off. That would be the wrong conclusion. The vast majority of specialist vendors around the world go about their work every day with honesty and integrity, and are as concerned with compliance as you are. After all, they have to survive regulatory and reputational scrutiny the same as you.

Third-party partners play a critical role in the business world. One could argue global business couldn’t exist without this dynamic, intricate web of partnerships. Not every company can do everything on its own, or wants to. So do your due diligence, find that third-party partner you can trust, and sign up for that yoga class.