- In traditional third-party risk management, organisations create extensive questionnaires to be completed manually. How can a smart technology solution relieve this burden?
- Introducing modern technologies and programming into the due diligence process improves efficiency, data quality, and overall understanding of the full picture of risk each vendor and partner presents.
- We look at the benefits to the ethiXbase solution: collaboration, enhanced risk assessment, increased visibility, and improved accuracy.
Eight in 10 organizations still use spreadsheets to record, assess and manage their third party relationships, according to research from Forrester and RSA. In today’s increasingly automated world, this is alarming when you consider the sheer size and complexity of many organisations’ third-party ecosystems.
A 2019 study by analyst firm Gartner found that six in 10 organisations are now working with more than 1,000 third-parties, while seven in 10 expect their third-party network to grow even larger in the next three years. That’s a lot of rows on a spreadsheet!
Yet outdated practices persist in third-party risk management, especially in the due diligence process. Organisations are still creating exhaustive due diligence questionnaires (or DDQs) for third parties to complete manually, which are often returned late or incomplete and which they then spend significant amounts of time reviewing and analyzing.
Fortunately, there is a much smarter way to assess who they are conducting business with. In this article, we will take a look at how technology and automation can transform DDQs from clunky and cumbersome to streamlined and efficient to give organisations greater visibility of their third-party risk.
Anatomy of a DDQ Process
DDQs vary from company to company, and even from one department to the next, depending on the service being outsourced. But the one thing DDQs have in common is that they tend to be thorough – and long (sometimes very long). According to former federal prosecutor Michael Volkov, CEO of Volkov Law Group, they can also be “so wordy or legally crafted that the point of each question is lost in commas, phrases and run-on sentences.”
Common areas covered by DDQs range from ownership, key personnel and financial information to relationships with government organisations or public officials and compliance with applicable laws.
They require short form and more detailed long form responses and all manner of supporting documentation: policies, plans, references, certifications.
Imagine the effort involved both in creating a DDQ of that scale and completing it, especially given that an organisation may have many different types of third-party relationships, each requiring a slightly different DDQ, or one third party might need to complete a number of DDQs at one time.
The Traditional Approach
The information-gathering component of third-party risk management takes up a great deal of time, effort and expertise. This is because historically, and to this day, it has been a predominantly manual process.
The way it works is this: the organisation creates a DDQ which it posts or emails to the relevant third party for completion offline. The completed DDQ is returned along with accompanying documentation and the data is then entered manually into the company’s system, ready to be reviewed.
On the surface it all sounds fairly straightforward, but this is a best-case scenario. In reality, there is often much more to-ing and fro-ing, follow ups to prompt the third party to complete the questionnaire, gaps in the returned DDQs, missing documentation, errors and discrepancies in the information entered into the company system, not to mention sometimes rejected or incomplete DDQs. Some firms eventually give up and accept third parties without a full DDQ, exposing them to potential risk.
A New Automated Approach
A growing number of organisations are turning to technology to digitize the DDQ process, for greater accuracy and efficiency. Earlier this year, over a third (36%) of companies surveyed by Forrester said they plan to implement a third-party risk management technology in the next 12 months.
Some are using solutions to take the pain out of creating and issuing DDQs and monitoring the responses. Popular features include industry standard templates and dashboards to track responses and highlight red flags. There are also solutions that make life easier for third parties by alleviating the burden of filling in lengthy DDQs, such as by providing a central library of approved content for faster form completion and the ability to delegate questions or sections of the DDQ internally.
And the best of both integrate with broader third-party risk management systems for a seamless workflow – no manual data entry required.
The ethiXbase Approach
One of the newest solutions on the market is the ethiXbase Smart DDQ system. It aims to streamline the DDQ process, improving an organisation’s visibility of third-party risk and optimizing the onboarding process for organisations and their third parties alike.
In the past, creating a highly customized, branded DDQ would have taken days, but with Smart DDQ, it’s all done within a matter of hours. And issuing the DDQ couldn’t be easier – the organisation simply emails a secure link to the third party. The third party then logs in to complete the questionnaire, and because of Smart DDQ’s multilingual functionality, it can opt to do so in the language of their choice. This greatly improves the rate of completion – it’s that easy!
Other noteworthy benefits include:
- More collaboration, less chasing
If a third party has not completed the DDQ, Smart DDQ sends them automatic reminders. It also shows where they are in the questionnaire, which helps to identify any blockers or areas where they may need assistance. This helps to remove any barriers standing in the way of DDQ completion, all without lifting a finger!
- Enhanced risk assessment
Smart DDQ integrates seamlessly with the ethiXbase third-party risk management system EB360, enabling organisations to set triggers or actions based on information contained in the DDQ. This automatically highlights third parties requiring further checks or enhanced due diligence, negating the need to pore over and analyze the DDQ data
- Clearer visibility of risk
With the Smart DDQ dashboard, organisations can now view their third-party risk at a glance. The vital intelligence and powerful analytics they need are all in one place, from how many due diligence questionnaires have been issued, and what stage they are at, and most importantly, the level of risk posed by each third party (low, medium or high).
- Improved accuracy
Information provided by third parties via Smart DDQ is automatically available in the organisation’s system, as described above, which avoids the errors that inevitably creep in when the DDQ data has to be entered manually
Interested in streamlining third-party due diligence in your organisation? Look no further than ethiXbase’s SmartDDQ for more efficient, more accurate management of your third-party risks. Contact us today.