
Key Insights in Managing Third-Party Compliance and Ethics Risks (2016 Compliance & Ethics Institute 107)


- Compliance’s current process for managing third-party risk focuses on setting and enforcing standards for third-party behavior, which places a heavy operational burden on the business.
- Best-in-class programs account for the time and cost considerations that drive business stakeholders’ behavior.
- The best companies make third-party compliance costs transparent, reduce the drag associated with due diligence, and harness the self-interest of third parties to their advantage.

Published in: Education


  1. CEB Compliance & Ethics Leadership Council. Third-Party Risk Management: Reducing the Cost of Third-Party Compliance. SCCE Compliance & Ethics Institute, 26 September 2016, Chicago, IL.
  2. © 2016 CEB. All rights reserved. A Framework for Member Conversations: The mission of CEB Inc. and its affiliates is to unlock the potential of organizations and leaders by advancing the science and practice of management. When we bring leaders together, it is crucial that our discussions neither restrict competition nor improperly share inside information. All other conversations are welcomed and encouraged. Confidentiality and Intellectual Property: These materials have been prepared by CEB Inc. for the exclusive and individual use of our member companies. These materials contain valuable confidential and proprietary information belonging to CEB, and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of CEB. CEB retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced. Legal Caveat: CEB Inc. is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, CEB is not engaged in rendering legal, accounting, or any other professional services. CEB specifically disclaims liability for any damages, claims, or losses that may arise from a) any errors or omissions in these materials, whether caused by CEB or its sources, or b) reliance upon any recommendation made by CEB.
  3. HOW WE MANAGE THIRD-PARTY RISK. Third-Party Risk Management Process Map. Lanes: Third Party; Compliance Program; Business Sponsor (Internal Employee). Prerequisite Steps. Steps: 1 Establish Due Diligence Protocols; 2 Understand Business Sponsor Role and Responsibilities; 3 Complete the Business Justification Form; 4 Respond to Due Diligence Questionnaires; 5 Evaluate and Segment Third-Party Risk; 6 Understand Compliance Expectations; 7 Certify to Expectations; 8 Contract with Third Party; 9 Monitor and Audit Risk.
  4. BETWEEN A ROCK AND A HARD PLACE. Compliance Must Maximize to Seemingly Competing Objectives. Compliance: How do I reduce third-party risk to the organization without slowing down the business? Business Needs: ■ Speed to decision ■ Low-cost risk management processes ■ Timely and efficient process support. Regulatory Requirements: ■ Risk assess and vet third parties pre-contract ■ Remediate identified risks ■ Monitor third parties for compliance. Challenges: ■ Size and diversity of third-party network ■ Complexity of internal third-party governance ■ Limited compliance resources to be shared among competing priorities. Source: CEB analysis.
  5. HOW BUSINESS GETS DONE. Vast Third-Party Networks. Median Number of Third Parties per Respondent Company: 5,000. Third-party types shown: Suppliers’ Suppliers; Development Partnerships; Data Vendors; Offshore Service Providers; Suppliers in Emerging Markets; International Joint Ventures; Temporary Employees; Auditors; International Intermediaries; Dealers or Resellers; Domestic Agencies; Foreign Distributors; Subcontractors; Lobbyists; Suppliers; Joint Ventures; Consultants; Distributors; Agents; Vendors; Contractors. Why We Use Third Parties (Select Benefits of Third-Party Use): Cost Savings; Increased Speed to Market; Local Expertise; Market Access. Expected Growth in Third Parties: 92% of companies will either increase their use of third parties or remain steady in the next twelve months. 79% of companies are currently outsourcing core corporate function or plan to do so in future. 5.5% expected growth rate in the business process outsourcing market through 2015. Sources: CEB analysis; CEB 2015 Third-Party Risk Diagnostic.
  6. THIRD PARTIES MAGNIFY COMPLIANCE RISK. Third Parties Drive Compliance Risk Exposure. Percentage of Risk Exposure Compliance Executives Attribute to Third Parties: 42% Third Parties; 58% Other Risk Drivers (n = 47; Source: CEB 2015 Third-Party Risk Diagnostic). Third-Party Factors That Magnify Risk: 1 Control Gaps; 2 Increased Touchpoints; 3 Misaligned Incentives. Select Examples of Third-Party Risk: Bribery and Corruption: 91% of FCPA cases between 2011 and 2014 involved third parties. Reputation Risk: Only 47% of executives feel prepared to manage the reputational risk created by third parties. Data Privacy: ■ 36% of 2014 corporate data breaches involved third parties. ■ Third party involvement increased the average cost per breach by $721,175.
  7. THE PROCESS WE’VE BUILT. Compliance’s Standard Third-Party Risk Management Process. Steps: 1 Review Business Justification Form; 2 Segment and Conduct Due Diligence; 3 Contract, Remediate Risk, and Certify; 4 Monitor and Audit; 5 Recertify or Terminate Relationship. 66% of compliance executives rate their third-party programs as effective at creating standards, requirements, and controls to manage third-party risk. Source: CEB 2015 Third-Party Risk Diagnostic. Note: This is an abridged version of the full process map found in CEB’s Third-Party Resource Center.
  8. THE HOLE IN OUR PROCESS. Business Partner Process Avoidance Undermines Risk Reduction. 43% of compliance executives report that internal partners avoid the compliance review process at least some of the time. Source: CEB 2015 Third-Party Risk Diagnostic. Business sponsors avoid the compliance review process… ...minimizing the ability of existing procedures to reduce risk. Process steps: Review Business Justification Form; Segment and Conduct Due Diligence; Contract, Remediate Risk, and Certify; Monitor and Audit; Recertify or Terminate Relationship.
  9. OPERATIONAL TAXES WEIGH HEAVILY. Business Partner’s Mental Model, Including Estimated Cost of Each Activity, Per Year. Costs: 18,000 Business Days Spent Waiting for Third-Party Approval [a]; $525,000 Annual Due Diligence Spend [b]. Benefits: Limited Perceived Risk Reduction: Only 22% of functional partners agree that Compliance is effective in reducing third-party risk [c]. n = 55–82. Source: CEB 2015 Third-Party Risk Diagnostic. [a] 18,000 = 60-day median cycle time x 300 estimated number of new third parties receiving due diligence in a given year. [b] $525,000 = Basic Due Diligence ($250 estimated charge of basic due diligence per third party x 300 estimated number of third parties that receive due diligence) + Enhanced Due Diligence ($15,000 estimated charge for enhanced due diligence x 30 estimated number of third parties that receive enhanced due diligence). [c] Percentage of Procurement, Internal Audit, and Information Security executives who agree or disagree with the statement, “My organization’s compliance program effectively supports third-party compliance risk management.”
  10. THE HEART OF THE PROBLEM. A Vicious Cycle in the Current Approach to Third-Party Risk Management. Source: CEB analysis. Compliance responds to increases in third-party compliance risk by enhancing risk management processes... …increasing process cost and potential stakeholder avoidance… ...further increasing compliance risk... Cycle labels: Risk; Process.
  11. BREAKING THE CYCLE. Opportunities for Improvement in Compliance’s Third-Party Risk Management Process. Process steps shown: Identify Business Need; Select Third Party; Review Business Justification Form; Segment and Conduct Due Diligence; Contract, Remediate Risk, and Certify; Monitor and Audit; Recertify or Terminate Relationship. Legend: Business-Owned; Compliance-Owned. Opportunity 1: Help the business make risk-informed decisions. Opportunity 2: Rationalize unnecessary process complexity. Opportunity 3: Remove barriers to third-party compliance. Source: CEB analysis.
  12. A BETTER ROLE FOR COMPLIANCE. Key Differences Between the Policy Enforcer and the Business Accelerator Approaches. Working Assumption: Policy Enforcer (Current Approach): Compliance standards influence behavior. Business Accelerator Approach: Time and cost considerations influence behavior. Resulting Strategy: Policy Enforcer (Current Approach): Tell Business Stakeholders What to Do: Establish and enforce compliance standards for third-party behavior. Business Accelerator Approach: Help Business Stakeholders Make Informed Decisions: Partner with business stakeholders (i.e., internal business sponsors, third parties) to improve compliance decisions and streamline processes.
  13. BUSINESS ACCELERATORS ACHIEVE GREATER RISK REDUCTION... Business Accelerators are More Confident in Process Adherence and Compliance Influence. Percentage of Respondents Agreeing or Strongly Agreeing. Series: Best-in-Class Business Accelerators [c]; Best-in-Class Policy Enforcers [d]. Business Process Adherence [a] (n = 53–57): 72% and 33%. Compliance Influence on the Business [b] (n = 55–60): 79% and 58%. Reducing Risk: Business Accelerators improve the internal oversight of third-party behavior. Source: CEB 2015 Third-Party Risk Diagnostic. [a] Index of percent selecting never or almost never when asked “How often do internal partners avoid the compliance review process?” and percent selecting always or almost always when asked, “How often are compliance recommendations followed?” [b] Index of percent agreeing and strongly agreeing with these statements: “Business partners seek guidance from the compliance ethics program about how to best reduce third-party risk to the organization” and “Business partners act on the third-party information provided by the compliance and ethics program.” [c] Top quartile performance against the Business Accelerator Index. [d] Top quartile performance against the Policy Enforcer Index.
  14. ...AT LESS COST. Strong Business Accelerators Spend Less Money… Median Spend on Third Parties, Per 100 Third Parties: $7,067 and $5,608; ∆ = (21%). …and Process Third Parties Faster. Mean Compliance Time Spent Reviewing Third Parties, in Business Days: 82 and 58. Series: Best-in-Class Policy Enforcers (n = 41; n = 48); Best-in-Class Business Accelerators (n = 37; n = 43). Source: CEB 2015 Third-Party Risk Diagnostic.
  15. Opportunities: Help the Business Make Risk-Informed Decisions; Rationalize Unnecessary Process Complexity; Remove Barriers to Third-Party Compliance. Solutions: Strategic Decision Support; Integrated Risk Framework; Partner Compliance Competency; Due Diligence Process Efficiency; Supplier Mentoring Program; Monitoring Efficiency.
  16. SOLUTION 1: INTEGRATED RISK FRAMEWORK. KPN’s Pre-Contracting Requirement Frameworks Creating Inefficiencies in the Contracting Process. Frameworks: Compliance; Information Security; Quality; Client Assurance. Business Sponsor Process Inefficiencies: Overlap: Different internal functions make similar requests of third parties. Low-Impact Requirements: Frameworks include requirements that do not significantly reduce risk. Fatigue or Aversion: Because of process length, business sponsors are more likely to make mistakes—or circumvent requirements altogether. Key Elements of KPN’s Integrated Risk Framework: 1 Focus on Critical Requirements: Streamline requirements from various functional questionnaires to reduce inefficiencies in the contracting process. 2 Use Business Language: Enable business sponsors to easily identify requirements by tying them to identifiable third-party services. 3 Eliminate Unnecessary Burden: Reduce process burden without increasing risk by assigning third parties only the requirements applicable to their expected services. 4 Facilitate Ongoing Collaboration: Create a standard process for periodically updating the framework that maintains cross-functional collaboration. Source: KPN N.V.; CEB analysis.
  17. FOCUSING ONLY ON CRITICAL REQUIREMENTS. Process for Focusing on Critical Requirements (Illustrative). Requirement groups: Requirements Related to Anti-Corruption Risk; Requirements Related to Information Risk. Frameworks: Compliance; Information Security; Quality; Client Assurance. Requirements shown: Encryption; Physical Data Storage; Password Protection; User Consent; Access Logged. Duplicative Requirements: Requirements that exist in more than one function’s framework. Weak Risk Reducers: Requirements that do not reduce a significant amount of risk. Label Requirements Consistently: Because assurance functions refer to similar risks using different terminology, start by standardizing requirement labeling, making it easier to identify duplicates. Source: KPN N.V.; CEB analysis.
  18. USING THE BUSINESS’S LANGUAGE. Translating Requirements into Business Language (Sample Grouping). Assurance Requirements: Multifactor authentication must be required for offsite database use. Traffic data must be deleted when not in use. Sensitive data must be encrypted. Business Question: Does the third party store data? Making it Easy: Each question covers multiple potential requirements, allowing KPN to streamline further from 46 requirements to 16 questions for the business sponsor. Business Sponsor Fluency with Business Services: Business sponsors can easily tell which services they expect a third party to provide. Source: KPN N.V.; CEB analysis.
  19. ELIMINATING UNNECESSARY BURDEN. KPN’s Third-Party Requirements Tool: Populating Only Applicable Requirements. Third-Party Requirements Tool (Excel file), Sheet 1, columns Question | Answer: Will the third party store data? | Yes. Will the third party have interactions with clients? | No. Sheet 2, columns Applicable Requirements | Options for Satisfying Requirement | Internal Stakeholder Responsibilities: Requirement: Sensitive data must be encrypted (Types of Data Considered Sensitive). Option 1: The company has a clear policy and training on encryption. | Business sponsor uploads copy of policy (Third Party Case Management System). Option 2: The company has internal controls that prompt encryption. | ■ Business sponsor uploads controls document. ■ Optional: Info Security assesses controls. Option 3: The company will accept KPN’s encryption policy and standards and undergo training. | ■ Business sponsor sends KPN’s policy to third party. ■ Info Security provides training. Auto-Populate Applicable Requirements: Only requirements that are mapped to “yes” answers appear on Sheet 2. Source: KPN N.V.; CEB analysis.
  20. FACILITATE ONGOING COLLABORATION. Updating the Integrated Framework: Roles and Responsibilities. Flowchart: Did something change? (■ New risk ■ New regulation ■ New enforcement ■ New information). No: No need for change. Yes: Is this risk addressed in the existing framework? Yes: No need for change. No: Update the Framework. Develop proof of requirements. Monitor and inspect compliance. Roles: Integrated Assurance Team (Risk and Compliance, Information Security, Quality, Client Assurance); Risk and Compliance; Information Security; Business Manager. With support from subject matter experts, the business manager reviews external certifications, attestations, policies, and audit findings from the supplier. Source: KPN N.V.; CEB analysis.
  21. SOLUTION 2: DUE DILIGENCE PROCESS EFFICIENCY. TE Connectivity’s Due Diligence Process Completion Time: Average Completion Time Across All New Third Parties. Due Diligence Process Completion Time: Desired Completion Time; Actual Completion Time = Three Times Longer. Employee Pain Points with Due Diligence Process: “I got busy and forgot to complete my task.” “This task is complex and I’m not sure how to complete it.” “It’s not a big deal if I get to my task next week.” Automated Overdue Reminders: Send support-oriented reminders to stakeholders when they do not complete tasks within the desired time period. Cross-Stakeholder Progress Reports: Create visibility in the due diligence process so that stakeholders can see when their counterparts are causing delays. Source: TE Connectivity Ltd.; CEB analysis.
  22. IDENTIFYING SPEED BUMPS IN THE PROCESS. TE Connectivity’s Due Diligence Process Map: Identifying Most Problematic Tasks. Lanes: Business Sponsor (Internal Employee); Business Partner (Third Party); Legal and Compliance; Due Diligence Vendor. Legend: Exceeds Desired Completion Time; Within Desired Completion Time. Tasks: Complete business justification form and send Business Partner Questionnaire (BPQ) invite; Review due diligence and approve/disapprove business partner; Close case and finalize business partner status; Provide due diligence results; Complete and send BPQ; Calculate risk rating automatically; Approve due diligence type based on risk rating; Set up business relationship and contract. Farthest from Benchmark: TE Connectivity measured each task’s average completion rate against the vendor’s best practice completion rates. Source: TE Connectivity Ltd.; CEB analysis.
  23. SUPPORTING THROUGH SPEED BUMPS. Sample Automated Reminder E-Mail: Addressing a Delay in Completing Business Justification Form. Source: TE Connectivity Ltd.; CEB analysis. E-mail: Subject: Reminder: Task Overdue. From: Stephanie Roosevelt <sroosevelt@te.com>. To: John Doe. Dear John, Our records indicate that you have not yet completed the Business Justification Form for a third party with whom you would like to conduct business. This e-mail is meant to provide you with the right support to complete the form properly. For guidance on completing this form, please refer to our Business Partner Management Program SharePoint Site or our presentation on TE Connectivity’s Due Diligence Process. If you should still have questions or concerns, contact me using my information below. Stephanie Roosevelt, Compliance Officer, sroosevelt@te.com, (717) 555-1234. Attached presentation excerpt (page 24; Information is TE Confidential & Proprietary, Do Not Reproduce or Distribute): Partner Questionnaire, step 4: Go to the “Due Diligence” tab in the profile and click on the “Invite” button in the right corner. It will bring up the “Due Diligence Intake Form Invitation”. The information should be pre-populated with the “Main Point of Contact” information from Step #2. • Choose the Language from the drop down box • Click “Current” if the Partner is an existing business partner; OR click “Prospective” if the Partner is a new business partner for TE • Click “Send Invitation”. Resources: • Business Partner Management Program (BPM) SharePoint Site. Links to more information regarding your responsibilities: – Policies & Procedures – Business Partner Management Program – An Accountability Handbook – Training Opportunities and Video Tutorials – FAQs – Contact Details for Questions.
  24. VISIBILITY CREATES ACCOUNTABILITY. Biweekly Progress Reports on Due Diligence Process (Illustrative). Source: TE Connectivity Ltd.; CEB analysis. Report dated 2/2/15: Dear John, Below is your bi-weekly report on the progress of the third parties in which you’re involved as they work through our due diligence process. Please notify the compliance program or any related stakeholders if you have any questions or concerns. Report columns: Company Name | Date Opened | Current Phase | Current Phase Owner | Region | Date of Process Reset | Days Until Process Reset. Row 1: Martin Industrial | 11/13/14 | Complete business justification form | You | NA | 2/13/15 | 11. Row 2: Quaranta Enterprises | 12/20/14 | Complete and send third-party questionnaire | Quaranta Enterprises | EMEA | 3/20/15 | 46. Process Reset: If the overall process takes longer than the predetermined deadline, stakeholders must start the process over from the beginning. Social Pressure: All stakeholders involved in a particular due diligence process—and business unit leadership—can see which stakeholder is causing delays.
  25. A QUICKER DUE DILIGENCE CYCLE. Overall Due Diligence Process Time: Results of Biweekly Progress Reports and Automated Reminders. Source: TE Connectivity Ltd.; CEB analysis. [Chart: scale 1.00x, 0.75x, 0.50x; periods Q2 2014, Q2 2015, Q4 2015; annotations: Automated Reminders, Biweekly Progress Reports.] Additional Benefits of TE Connectivity’s Due Diligence Process Efficiency: ■ More Buy-In for Compliance: Employees appreciate Compliance’s effort in providing support resources during due diligence tasks and building a less burdensome third-party onboarding process. ■ Increased Accountability for Process Completion: As a result of the biweekly progress reports, stakeholders have an incentive to quickly complete their designated due diligence tasks rather than become the stall point in the process.
  26. KEY TAKEAWAYS. 1. Third Parties Magnify Compliance Risk Exposure—As organizations continue to use more third parties, potential control gaps, increased touch points, and misaligned incentives combine to magnify risk exposure across all types of compliance risk. 2. Compliance’s Current Approach Fails—The standard process Compliance uses has three main flaws that undermine the program’s ability to provide assurance: limited involvement in the strategic decisions that create risk, high costs to the business, and a focus on using authority to influence the behavior of third parties. 3. Business Accelerators Increase Risk Reduction and Reduce Costs—By targeting internal decisions about third parties—a major risk driver within Compliance’s sphere of influence—Business Accelerators gain 118% more confidence in process adherence and 36% more confidence in Compliance’s decision impact. They also spend 30% less time reviewing third parties and 21% less budget dollars on third-party risk management. 4. Help the Business Make Risk-Informed Decisions—Move Compliance upstream to target the decisions that create third-party risk. Communicating the cost of third-party oversight will shape the decisions the business makes and help Compliance manage the amount of third-party risk the business accepts. 5. Rationalize Unnecessary Process Complexity—Reduce the cost of compliance to the business by streamlining third-party risk management processes and supporting business partners as they work through these processes. 6. Remove Barriers to Third-Party Compliance—Compliance programs can better reduce third-party risk by creating strong incentives for third parties to meet standards and providing targeted risk management support.
