Third-Party Risk Management: Managing the Information Flow
We are living in rapidly changing times. I know it sounds trite but it is amazing when you witness rapid innovation and change. Even in our narrow corner of life involving ethics and compliance, we can see change occurring right before our eyes.
When you review due diligence and third-party risk management, there have certainly been significant advances in capabilities to identify risks, uncover relevant facts and learn about potential business partners. As more companies enter the due diligence business, the quality and amount of information available for review have increased.
Coupled with access to greater information have been significant advances in information technology and third-party risk management platforms. This dynamic change has resulted in a powerful combination for third-party risk management – the ability to access more information and intelligently review such information in an efficient and cost-effective manner.
In many situations, companies now face a different challenge – compliance officers are receiving too much information, rather than not enough, about a particular third party. What do I mean by this?
Given the pressing demands on compliance officers, time management is always a challenge. When a compliance officer is overwhelmed with third-party information, the compliance officer may become frustrated and unwilling to devote inordinate amounts of time to reviewing such information.
This phenomenon is occurring more frequently as we develop better information sources and new technologies for reviewing such information. This is where artificial intelligence or machine learning capabilities can come in handy.
One perfect example of too much information is notification of changed circumstances relating to a third party. A number of automated third-party platforms tout ongoing monitoring and notification services. These can be very valuable so long as the notifications are tailored to the company’s risk profile – meaning that irrelevant or remotely relevant notices about a changed circumstance can easily overwhelm a compliance officer.
For example, assume that you have retained Company A as a logistics provider in Singapore. You subsequently receive a notice that an employee at Company A’s subsidiary operating in Peru has filed an unfair labor practices case in Peru.
First, the fact of this occurrence is most likely irrelevant to your risk view of the third-party’s operations in Singapore.
Second, assuming that your notice settings permit such a notice to be sent, you should probably review your notice settings to eliminate these notices in the future.
Third, even if you have not changed your notice settings, artificial intelligence and machine learning capabilities should be able to develop rules such that the notice would be weeded out and hopefully not even sent to you.
All of these points underscore the importance of a new priority for compliance officers – managing information flow to maximize the value of your time.
The importance of this issue cuts across all compliance functions, including internal monitoring, proactive auditing and other information collected as part of a compliance program. It is easy for a compliance officer to get overwhelmed, especially in these days of powerful computer data analytics and processing of large amounts of data.
Compliance officers have to develop time management strategies, akin to their own risk allocation processes for assigning assets. Time is a resource and management of time has become a new frontier and challenge for compliance officers.