Due diligence is the necessary starting point for every relationship an organization embarks upon. Whether it’s vetting a supplier, a new business partner, or an outsourcing provider, performing sound Entity Due Diligence (EDD) establishes a firm foundation for proactive and effective Third-Party Risk Management (TPRM), even as the risk landscape and the nature of individual relationships evolve over time.
Regulators Scrutinize Third-Party Relationships
As firms continue to increase reliance on third-party vendors to deliver business-critical processes and services, there has been increased scrutiny from regulators looking to protect their areas of responsibility. For example, new rules regarding operational resilience in the financial services sector are now in force across the globe, which further underscores the importance of rigorous due diligence. Policymakers in the European Union (EU) are focused on protecting critical and important business functions via the Digital Operational Resilience Act (DORA), which includes rules for shielding firms against information and communication technology (ICT) incidents that can be detrimental to their business. Many other authorities have introduced policies that incorporate resilience outcomes as part of business continuity management. Inevitably, part of ensuring robust operational resilience frameworks includes incorporating the necessary requirements into due diligence processes.
Quality Data is Essential for Good EDD
Organizations can make better, more informed decisions and mitigate risks if their data is transparent, reliable, and always up to date. Curating and utilizing onboarding data is key to developing more holistic risk management strategies and responses to regulatory requirements, many of which require firms to demonstrate resilience through scenario testing. Harnessing institutional learnings and being creative about their use can contribute to individual and collective resilience outcomes.
No enterprise has unlimited resources to spend on the due diligence process, however, and prioritization is therefore essential. Reviews can be as extensive as required by the unique profile of a business, based on:
- The level of risk inherent in the relationship versus its importance.
- The business model.
- The criticality of the service being provided.
- The vulnerability or risk landscape of a specific third party, service, or region.
With the right data, making informed decisions about the importance of relationships illuminates the level of inherent risk and helps identify which third parties require deeper assessments, so that resources are deployed where they are most needed. A low-risk third party or service, even where a substantial contract is involved, can be rapidly processed, freeing up resources for other inquiries.
Of course, maintaining high-quality data is not a “one-and-done” process but an ongoing requirement. Reliable and timely incorporation of changes to data is key when looking at overall risk management and due diligence. Third-party risk profiles can alter over time because of changing personnel, shifts in the supply chain, or external factors linked to economic or geopolitical risks. This makes access to up-to-date data an essential part of the due diligence process, especially when considering the frequency with which assessments should be reviewed.
Creating Efficiencies Through Digitization
Conducting due diligence generates an enormous volume of valuable information. Because more firms are adopting technology to automate the assessment process, there is an opportunity to digitize this information in a structured manner. This information has actionable value that can further improve an organization’s processes and risk management through enhanced transparency and reassurance.
While experts frequently know where the risks lie, data can also illuminate further dependencies behind third-party relationships. Flagging these situations and the points where further investigation may be needed can free up an expert's time and generate better results.
This can be strengthened with predictive analytics that identify possible blind spots and support the right decisions. In addition, a shared assessment approach, facilitated by up-to-date technology and methodologies, can simplify and enhance the due diligence process. It streamlines data gathering, increases efficiencies across the entire ecosystem, and makes better data immediately accessible so it can be used both to understand an enterprise’s risk posture and to ensure the right actions are taken. Active participation by a broader user community, such as that facilitated by S&P Global KY3P, also ensures that data and processes are always in line with best practices. In addition, it removes redundancies and reduces the resource-intensive nature of any due diligence process.
About KY3P® for Third Parties
KY3P helps financial institutions simplify third-party oversight processes. A centralized data hub enables users to collect and maintain up-to-date information on vendors in a single location to assist with implementing best practices and ensuring audit readiness. Standardized questionnaires allow vendor information to be requested and stored once, with updates applied as needed. The platform helps firms collect and maintain risk information, including cybersecurity and financial ratings, sanctions data, news alerts, cyber event data, and questionnaire responses from third parties, which can be used to generate risk scores. The recently released 5.0 assessment methodology enhances firms’ regulatory compliance, optimizes risk management by aligning with industry-standard risk types, increases risk transparency, and improves clarity so that risk can be communicated more effectively to business teams. Additionally, customized workflow capabilities enable users to integrate KY3P into their existing processes seamlessly. Driven by insights from diverse banks, customers, and S&P Global cross-industry experience, the KY3P blended framework consists of control objectives critical to the business.