What role does technology play in third-party risk management?

13/3/2024

It is important to keep in mind ISO 37.301, the latest ISO to be approved, which indicates that in case of use of third-party processes or outsourcing of activities, the company should carry out effective due diligence to ensure standards and commitments. Now, what methodology is recommended to be implemented internally for this third-party risk management? In other words, what role does technology play in these processes? Because although many departments have incorporated technology and that is not yet in dispute, third-party management is still carried out in a very manual way, even through Excel spreadsheets. And taking into account the volume, the risk involved and, even more, taking into account, in some organizations, the importance of the value chain, the supply chain, the distribution chain, how important is it to incorporate technology in these processes?

Technology today is an ally that is not something nice to have; it is something essential. However, technology without methodology generates a technological problem, because we put our chaos in a technological tool. What is recommended, first of all, is to understand very well and make a very conscious mapping of which are those third parties that expose us to specific risks, in this case, for example, corruption. So, I can have thousands of suppliers, but the ones that can generate a corruption issue may end up being a couple of hundred, or a hundred, or fifty. It depends on where you are operating, it depends on what kind of business you have, and that has to be worked very conscientiously, without any kind of bias. And that has to be done by qualified people, people who know how to do it, people who understand what they are looking for, and not simply mapping third parties because they have to do it or because they are required to do it by a regulation or an ISO.

Once we have identified those third parties, we have to make a very thorough check of the third party's real way of operating. The best way, in the very high-risk ones, is to sit down with that third party, have a very frank and open discussion and have them explain to us how they work. Obviously, we cannot apply this scheme to a thousand suppliers, but we can go to that handful of very high-risk suppliers, where we need to understand very well how they operate, how they are documented and all that, precisely, document it, make a box true, understand what are the critical points, to understand if it has a contract or not, to benchmark and audit as well, to see if what it is charging me is in accordance with the contracts, if there are expenses outside, if we are working, for example, with something that is sometimes common, which is to ask for additional funds for emergencies that are never rendered.

Understand that, for example, if I work with a critical supplier on corruption issues, I must pay attention to all the alerts, because I am working in a very high-risk scheme. I may have to discontinue, or have a fixed rate or a pre-agreed rate. There are different issues in which we have to have this very clearly mapped, understanding very well where we want to go and with a tool that helps us to identify them every time I am going to pay them, that I am paying a high-risk supplier. It is essential to have mapped that this supplier has already been trained, to have it identified in the tool that this supplier, for example, has been deregistered, has been blocked, and that no one can reinstate it unless the Compliance team is involved in the registration.

There are different tools and different mechanisms that we have to take into account. It is not just a simple Google search; there is a whole methodology behind it and a lot of work behind it. I think that, of the Compliance programs, it is one of the biggest jobs to be done, and one of the ones that requires the most patience. Because again, you have to infect the inertia and you have to infect those third parties, so that they keep up with the company's rhythm.

In recent years, technology applied to processes in a lot of areas, i.e., from ethical channels, from monitoring or supervision, from risk management, from training and awareness, has shown enormous importance. In a world where half of the planet is working telematically, and where the modality continues, it is extremely important to implement this risk management, because reality has shown us that we live in such changing environments that our risk map can no longer be updated after one or two years, as was the case before.

With my team we always talk about a live animal, also because of the type of business we are in. To do an annual mapping is to make history; we are not on time. And you have to have mechanisms agile enough to be able to respond to the business in a timely manner. So, you have to make a survey and select those critical processes where it is not possible to fall asleep. And maybe there are processes that you can plan for the long term and other suppliers that you have to constantly survey.