Using Technology in Third-Party Risk Management

Learn how changing technologies can support your third-party risk management program.

Using Technology in Third-Party Risk Management - Transcript

Elliot Berman: Chris, welcome to the program today. I know we'd like to talk about using technology in third party risk management. I think first I'll introduce myself to the audience. I'm Elliot Berman, I'm the Marketing Thought Leadership Specialist at AML RightSource. And Chris, why don't you introduce yourself to our audience as well?

Chris Sindik: Yeah, thanks, Elliot, and glad to be here today, certainly. My name is Chris Sindik, I'm the Director of Third Party Risk and Due Diligence at Blue Umbrella. That means a lot of different things, and it means I have a good insight sometimes into what our clients are thinking and maybe what the marketplace is hopeful for.

Elliot Berman: And that'll be very helpful for this conversation. There are several technology driven providers offering third party risk management services. What drives the client choices in the marketplace?

Chris Sindik: It's a good place to start. A lot of times when I'm talking to companies, it's existing clients, but also prospective clients as well. And, we try and win them all, but you can't win them all. We learn from those and hear about why we were chosen or maybe why it was a different provider. When it comes down to what's driving someone to pick one solution over another I think it's important to take a step back sometimes and realize how far technology has come in the third party risk management space.

A lot of times companies were using Excel documents and maybe putting Word documents in a shared drive or, some other systems that have been around for a very long time. But in today's day and age, there's really a lot of choices out there for customized software that really fits the unique needs of clients.

So with that being said, what causes a company to pick one over the other, I think one is just the modern features of the software. It sounds, a bit silly to say, but if there aren't certain basic user interface and quality of life things, if you have to click 25 buttons to get somewhere that should really take you two or three, that's something that the clients are going to notice along the way. So it's ease of use. I think that's definitely something that everyone wants to think about because it's not just compliance people using the software these days, but, people in the sales function and procurement, new joiners when they come into the company, they need to be able to pick it up and run with it right away. So I think ease of use is a big one.

And then two, with just a variety of shapes and sizes and needs and maturity of a third party risk management program is just the customization. Is it a product that can be very robust and have a lot of different features and hold 250,000 third parties? Can you customize the workflow, the questionnaires, the approval processes, the escalations, the hits, the list goes on and on. So really being able to pick a solution that is fit for purpose and one that you can tweak as your program changes. It might be simple now, but it's something you really have to think about in the future. What's the program going to look like when the company doubles in size in five or ten years?

And then another one, just with today's day and age, is cost. Everyone's being asked to do more with less. And technology can help to fill the void of headcount. So making sure that you're getting a good ROI and making sure the costs are in line with the need that you have and what's out there in the marketplace.

Finally, I think one that really is the human side of it, which is the support that you get along the way. No one wants software that was thrown over the fence and, figure it out yourself. So having a good ramp up period, people are trained on it, they understand it, again, that customization through the beginning part of the process up until a solution is chosen being able to get quick support, training, documentation, et cetera. I think those are the things that people are starting to ask about in addition to just those, table stakes of functionality and screenings and automations and things of that nature.

Elliot Berman: You talked a little bit about the whole issue of features. What are the features that really make a successful deployment in this space?

Chris Sindik: Really getting down to the nitty gritty of it is important. And can it do this? Can I somehow link up my training to third parties with the software, so I can track that. Are you able to bring in screening hits, watch list hits, in addition to third party questionnaires and have those match up along with due diligence.

I think a big part of it is making sure that all those different points of risk identification, analysis, and ultimately mitigation if they all talk to each other. I think that's definitely a big feature. You can't just have software that does one of those things these days. It really has to do more than just one part well.

It's something where expectations have grown over time. So you have to make sure that there's that more holistic view considered with the programming and the features that are there. Additionally, I think one of the biggest pieces is automation. The evolution that I've seen over my career, and I've been doing this for about 15 years is, maybe companies would be understanding where it's a manual process where they have to move some things through 10 years ago. But in today's day and age with, the AI boom and a lot more things coming online specifically when it comes to compliance programs is, say we have a point of information and a third party is identified at low risk, having that move through the system with the least human interaction as possible and having that be automated with, guardrails and safety rails around it as appropriate.

But, if you're screening and looking at a thousand parties in a week and there's just one or two people in the program, you have to make sure that the touch that is being given is a risk based approach. So having that automation whenever possible can really just make the software provide a better ROI and again, fill in some of that headcount space.

Another big one that we're hearing about from clients and potential clients when they're picking a solution and when they're getting it up and running is API connections. The least amount of systems that a company can use is probably the right number. They don't want to have one here and one there and one that does this and one that does that.

And before you know it, people have 35, or more different logins and platforms that they have to connect to. So while they're certainly going to have the core tool that anyone can log into, or the right people can log into and, take a deep dive into spaces what you might just want is an API connection that, is it approved, is it in progress, or is it denied?

That's really where the rubber meets the road and the big question that needs to be answered by the business. So anything to just have that technology seamlessly flow from one to the other and identifying that early and making sure that those API connections are open, I think that's really a way to get that tool embedded into the program and really embed it into people's daily lives so that they can, start to see the value in that. You don't just want a tool that's there that can house these things, but a tool that's going to make people's lives easier and the program more robust.

Elliot Berman: So if I'm a member of a group that's evaluating various solutions beyond features, which you just talked about in detail, and some of the other things, what are a couple of the key elements that I should really be thinking about in evaluating the various systems I'm looking at?

Chris Sindik: You can have that evaluation matrix, does it check the box with this? And then can it do that? Yes, no. And you have a stack ranking of, what the software at its core can and can't do. But I think outside of just that, what is the product in and of itself? Ask other questions about, how often does the product go through significant updates? What have the updates been in the past year or two? What's being changed and actually look at that. So if the company says, we're releasing new features every month or releasing new features every quarter, whatever it might be you'll look at those.

Maybe one of the features that they have thought to add might be things like suddenly they can have hyperlinks in text. That might not be, the most robust feature and it might actually cause you to question, why didn't they have that before? So look at the updates, look at how often they're being made and look how significant they are. If it's things that, maybe should have been there years before that can be, maybe a sign of where the software is in reality. Maybe it looks great, but the engine behind it is in need of a tune up, let's say.

Also where's the product going? What's the roadmap? Are there going to be integrations with other tools? Can it do new and exciting things? Can it connect to new systems? Are there, new modules being added? Whatever it might be. Look at how it's going to change over time, because again the product it needs to match the compliance program as it goes.

And then other certain things, obviously security of the software is paramount. There's a lot of proprietary data that's going into these tools that's very confidential. So security is a key concern and a failure there can certainly derail the program for a while and cause a lot of headaches.

And I think other things, like just single sign on, making sure that's available. And also, considering the needs of the business there can be times when you want to segment the data, where maybe this business unit has visibility into their third parties, but not the larger programs.

Or, product line A can't see what's happening in product line B for whatever reason. So it's those nuanced items to the software that can really be make or break. The devil's in the details with some of these things. Depending on the program, making sure that they can meet those specific needs.

Elliot Berman: Working with that group, and I've done both the feature, checkbox list, yes, no, I've looked at some of the things you just talked about. There any other things that before I would make a decision or my group would make a decision I should absolutely be thinking about?

Chris Sindik: I think it's also important at times when it's a big shift. Maybe you've been with one provider for 10 years and that's the way it's always been done. And there's some consternation about, switching providers, maybe it's a pilot program that you can consider, to have a workflow set up that mimics the one that would be used in a larger program and run some parties through that and see if it works and see if you like the notifications and if it works for people. And also showing some of the efficiencies gained along the way, before it used to take 25 clicks to get it from A to B we've gotten that down to five.

I think that's something that can really help to sell a potential new tool. Whether it's, for the first time someone coming in and using technology to help manage their third party risks or switching providers, whatever it might be. I think that's, a possibility that companies can consider. I think, too, when you go into that process or when you're, seeing a demo, think about if there are any workarounds. It's something that's to be avoided when you can't get things done the normal way and you have to do things with extra clicks or import it here and export it there, or we'll click this button, but don't move it through yet because then you got to go back. Those things become pretty big annoyances when you're doing them a thousand times in a month or 10,000 times in a year, whatever it might be, but really look to see, how truly automated it is, hands off.

If you took a step back, how well could that third party move from, beginning to end and where would the human interaction points be. Consider the volume of the third parties that would go into the tool and really be a realistic about what the team can do with the results.

You may need to make significant changes to a risk modeling, perhaps, if you find that there just aren't enough people to review the high risk entities. Obviously there's a lot that goes into that statement but, you can't expect to be entirely hands off or maybe to have very senior people look at third parties when they won't have time in their day to do that.

So having something built into the system, into the tool, that matches the resources available, is a really nice thing. is another real consideration that companies need to think about. Everyone has a great idea for how it can look and how it can work. And, our workflows look great in Visio or Excel, risk modeling looks great, and then you load it into the system, but it turns out that, the people that you thought had time for this actually don't. That can be a real sort of undoing of the positive sides of using technology as well. I think making sure that what's designed matches the resources and the risk tolerance of the company as well.

Elliot Berman: Chris you've given our listeners a lot to think about. If I can pick out a couple of key things that I've learned, it's consistency of the automation, flexibility, scalability, which with any kind of risk management program is something that's really critical because no matter what you start off with when you first launch a program it's going to change and it's going to grow. Once you realize, oh, we can look at this, you could look at that. And and having a system that's flexible is really important. So I want to thank you. I'll give you a chance for one closing insight that you can share with the audience.

And thank you again for doing this today.

Chris Sindik: I'd say one final consideration is, talk to your vendor, or your potential vendor too, about what you want. It's amazing how many times it can be that the software can do things that you didn't even know about. And it's there for the taking, but oops, no one just thought to use the tool in this way. Again, it's really amazing how providers in this space, and in Blue Umbrella specifically can do more. Bringing in those other points of data, training, et cetera, can really be the focal point for a lot of the third party risk management at a company.

And a good way to formalize it, make it auditable, consistent in the future, and it can really help to bridge that gap with headcount, doing more with less. It's been said countless times and it's a real way to see that happen in reality too.

Elliot Berman: Thanks, Chris. And I know we have some other episodes planned for the future. So you and I will be chatting about other aspects of third party risk management which is clearly something that companies are more and more aware of and more and more focused on.