Increasing automation and standardization for an enterprise view of risks associated with vendor and third parties

Increasing automation and standardization for an enterprise view of risks associated with vendor and third parties

By Anders Rodenberg, Director of Sales and Bill Hauserman, Senior Director, Compliance Solutions, Bureau van Dijk.

About Anders

Anders A. L. Rodenberg, M.Sc. is the Head of Financial Institutions and Advisory in the Americas for Bureau van Dijk. Originally from Scandinavia, Anders previously served as Head of Compliance for the Nordic European Region at Bureau van Dijk before transferring to the U.S., which gave him key compliance insight and experience on both sides of the Atlantic.
Anders has been involved in multiple projects in areas ranging from Credit risk of clients and suppliers, Tax risk, Sanctions Risk, Money Laundering risk to FATCA and FCPA, helping to improve the overall risk management at various financial institutions, insurance companies and traditional corporates. Much of his work has been focused on creating operational efficiencies and reducing financial and regulatory risk through global standardization as well as introducing global ownership structures into risk models and procedures.
Anders has met with regulatory authorities and industry leaders in numerous countries, giving him key industry knowledge with a special focus on trends and developments. He also often speaks at conferences. Anders graduated from Aarhus University in Denmark and studied at London School of Economics and Copenhagen Business School.”

About Bill

Bill has spent the last 12+ years bringing the promise of automation to previously analyst-driven due diligence tasks. The goal is to focus the all-important risk analyst time on important decision-making vs. tedious data discovery tasks. By marrying the best in structured private company data with existing or new enterprise due diligence tools, a paradigm shift in typical third-party due diligence is now available.
As Director of Compliance Solutions, Americas and leader of the Compliance Global Practices Group at Bureau van Dijk, Bill has insight on best practices for performing due diligence with a global focus. Bill has seen firsthand the wasted time and effort of trained risk analysts because both the internal and external data sources are deficient. These deficiencies create unknown risk and elevate the cost of due diligence. But worse, can create a false sense of security among banking and corporate Compliance staffs.

How can companies ensure they are optimizing processes to adapt to modern vendor risk landscape?

Ironically, the answer is probably to work with more vendors as it becomes harder to maintain an updated and optimized process in the ever-evolving vendor risk landscape. I use the word “Ironical” as many of the vendors that create risks are also the same vendors that have the solution to managing this risk.

At the Vendor and Third Party Risk conference, you spoke on your insights regarding ‘Increasing automation and standardization for an enterprise view of risks associated with vendor and third parties’. Why is this a key concern right now? And what are the essential things to remember?

More types of risks are being introduced to Third Party Risk Management programs and hence automation and standardization is needed to:

1) Ensure the core third party data is valid and automatically maintained when changes occur. Both factors critical to understand the risk associated to the third party initially, and as it changes over time. Asking for information manually will either not give an objective answer or prevent data changes to be detected.

2) Ensure the data is comparable across borders as the world gets more global and with it the potential risks. A siloed approach could prevent a true understanding of a Third Party’s risk exposure.

Why is it important to analyze specific risks of each vendor early in the process?

All institutions are under a pressure of using the limited resources most effectively. Analyzing and hence identifying critical risks early in the process will avoid resources waisted on contract negotiations, record management, time spent with vendors, etc. in cases where the risks might a full stop sign.

Any due diligence process should have a primary goal of stopping the effort as soon as a significant policy exception is highlighted. For instance, why send a questionnaire to a third-party, perform a financial assessment and have a risk analyst create a due diligence plan when the third-party is owned by a sanctioned individual? That scenario happens far too often today because the information is not available either during on-boarding or very early in the engagement with a third-party.

The goal for every due diligence risk analyst should be to “fail fast”. Find the obvious problem so you don’t spent time on wasted effort. One size does not fit all when it comes to due diligence. Policy and data analysis guide the effort.

How do you see the risk landscape evolving over the next 6-12 months?

Cyber risk and Data security risk will of course steal most of the attention in the coming months, however as more types of risk are being included into the Third Party Risk Management programs the need for having correct and updated core third party data correct becomes critical. If an institution gets the legal entity name wrong most of the down stream risk processes will fail – for example sanctions or adverse media screening doesn’t detect any risk if it is a wrong name that is being screened in the first place.

Currently, most risk assessments, both automated and via risk analysts are performed using self-reported or structured data sources. But the volume of useful unstructured data is increasing well beyond the capacity for most systems or people to absorb and analyze it. This unstructured data, once it can be analyzed, will be providing much of the information to inform due diligence processes. What we see is that the structured data, such as Orbis, will be used to “train” new risk tools to make use of vast quantities of unstructured data. The impact will materially change the way due diligence is performed and the cost of that due diligence

You may also be interested in…