Choosing the Right Vendor Risk Management Software Solution
Traditionally, performing third party due diligence has been primarily a data gathering activity. Now, with access to abundant information sources, the activity—and the challenges—have evolved. How do you manage and efficiently analyze relevant information related to third party vendors? This will require a paradigm shift in how compliance professionals approach due diligence.
Fortunately, technology is stepping in to help. Third party due diligence compliance solution providers are developing systems that integrate data, apply sophisticated risk-ranking formulas and preserve accurate records of due diligence analyses. These systems support a company’s entire operation for conducting due diligence of third parties, vendors, suppliers and customers, and can manage tremendous volumes of information.
So how do you choose the right third party due diligence system for your company? That is a tough question. One thing is for sure—not all systems are the same. (I recently published a whitepaper that delves in detail into the key questions organizations should ask when they’re looking to choose a software system. You can download it here.)
Below are the key areas compliance professionals need to focus on when making a third party risk management solution selection:
1. Your Organization’s Unique Needs
The evaluation of due diligence system options requires a careful assessment of both your company’s needs and the system’s capabilities. What resources do you have internally to implement and manage a system? Who will need to access the information coming out of the system? What processes are in place to turn information into action? A capable provider will be able to tailor their system to meet your unique needs.
2. Risk Analysis and Efficient Use of Resources
A compliance professional needs to make sure that a potential due diligence software and services provider is focused on ways their technology can improve their clients’ efficiency. Effective due diligence is not always about the most in-depth analysis possible: technology is about doing things more efficiently and in a more targeted manner—not just doing more.
For example, a potential provider that brags about how comprehensive their due diligence is doesn’t “get it”—it’s also about ranking risks and targeting resources where they are needed.
In addition, not all “red flags” are created equal. Only a few kinds of red flags indicate the need for expensive analyst-led due diligence. An integrated due diligence system must be able to distinguish between red flags and the level of risk each presents. Many can be analyzed and resolved without expensive and time-consuming analyst-led due diligence reports. A capable provider will be able to explain how its risk analysis process works and the underlying methodology it uses. Make sure to have this conversation before you select a provider.
3. Ongoing Due Diligence
A third party due diligence provider that wants to give you a report and then call it quits also doesn’t “get it.”
Your business relationship with a third party is just the beginning—your due diligence process should be too. Ongoing monitoring must be automated so that you will be alerted to any new negative information. When combined with a risk analysis function (to weed out “false positives”), you can rest easy that your system will alert you to any relevant changes—and only relevant changes—in the status of your third party.
Making a Smart Decision
When deciding among third party risk management solution providers, it is important to focus on real product differences. Salespeople may ignore or downplay issues that may be significant.
As third party due diligence systems continue to evolve, it is important to monitor the market for new capabilities and offerings. Overall, the industry has responded to significant demand with innovative solutions.
Full disclosure: while I am affiliated with NAVEX Global, I truly believe that its platform is one of the most sophisticated I’ve seen, and is worth a close look for any organization in the market for a third party risk management solution. The platform’s risk-ranking formula is designed to help customers minimize the total cost of ownership—and helps ensure that users don’t have to spend their resources on unnecessary due diligence deep dives. NAVEX Global’s emphasis on the total cost of its platform indicates to me that they “get it.”
For example, NAVEX Global has provided a list of different third party due diligence report levels it offers (found here)—including recommendations when a particular level of report is needed or is not needed. Instead of encouraging clients to always select the most in-depth (and costly) report, they encourage clients to only select the level appropriate to meet their needs in any particular situation.
Overall, I welcome the new technology solutions to third party risk management challenges, and look forward to watching future developments further enhance the tools available to compliance professionals.