Risk profiling third parties is now a critical stage of any due diligence process. As businesses continue to expand and grow, more and more factors must be considered when assessing the risk level of a given third party — whether a vendor, customer, or agent.
If you’re new to developing internal due diligence procedures and risk profiles, here are some recommendations on how to get started.
- Understand your third-party landscape — complete a risk assessment and know your biggest risk factors — even at a high level (including credible risk sources and references such as the CPI)
- Divide your third parties into risk categories using the top 3-5 risks you identified from the risk assessment
- Start with the highest risk third parties and make sure there are no immediate issues
- Lay out your due diligence program and build a future process that considers no more than five factors when evaluating where a third party gets categorized (e.g. location, type of service, contract value, government involvement, prior history)
- Name or assign a specific metric to the categories you create for each third-party type — these will be your third-party “risk profiles”
- Detail due diligence procedures that are appropriate for each risk profile
In my next post I’ll discuss what specific factors should be taken into account when creating a risk profile, and the complexities of automating the process.
Lindsay Columbo, Esq. is a founder of eSpear LLC, a developer of due diligence and screening solutions, where she serves as the Global VP of Compliance & Support Services. She previously served as Associate Corporate Counsel, Global Ethics & Compliance for Brightstar Corp., a SoftBank company headquartered in Miami, Florida. She can be contacted here.