Rebalancing Risk Management with a Third-Party Compliance Policy

How can compliance set the right precedents and processes for managing third-party risk?

Whether you’re a financial institution, a CPG company, or a nonprofit, working with third parties such as vendors and suppliers is essential to meet strategic objectives. That said, doing business with third parties carries inherent risks that continue to intensify in the current business climate of increasing complexity, regulatory expansion, and cyber and fraud threats. 

To guard against these risks, mature organizations use a compliance policy for third parties. This policy provides standardized guidance for evaluating risk factors and determining whether the third party is an acceptable partner — one that will contribute to the business’s growth and operational efficiency without damaging its reputation or profitability.

Reshaping Your Lines of Defense Model

A third-party risk policy isn’t something that exists just for the benefit of the compliance team. Third-party risk is a larger business risk that spans all teams that work with external companies and individuals. But where compliance is specifically concerned, the third-party risk policy can help address a common structural problem with a business’s “lines of defense” (LOD) — the people or teams that work with external parties and (should) play a primary role in risk assessments.

In a business that’s operating without a formal policy, the first LOD — the functions closest to the third parties — is not equipped with the knowledge, guidance, or often the technology solutions to perform risk assessment or mitigation processes. So, for lack of a better alternative, this responsibility ends up being passed to the second LOD and spread across different second-line functions, each focused on its own silo of responsibility. This happens each and every time, for potentially hundreds or even thousands of third-party engagements.

Creating and operationalizing a third-party risk policy can reduce that bulge at the second level and redistribute responsibility so that the second LOD can focus on the cases where its specialized expertise has the most value — the gray areas or edge cases that can’t be easily adjudicated within the parameters of the policy. Meanwhile, the first LOD gains clarity around the business’s risk appetite with a set of guidelines and procedures that enable those teams to make sound decisions about relationships and interactions with external parties.

Establishing a Consistent Risk Management Approach

Rebalancing risk management also depends on the effort to standardize third-party risk assessments across the business. A formal compliance policy for third parties establishes a consistent set of procedures, assessment criteria, and risk evaluation methodologies. This helps to prevent an ad hoc approach for each vendor or partner, as well as silos, duplication, and inconsistencies across functions.

Disparities in risk evaluation, where different stakeholders apply different levels of scrutiny to different third parties, may result in errors and missed opportunities that ultimately harm the business. The awareness that this could happen, or is actively happening, often contributes to the bulge mentioned earlier at the second LOD, where every aspect of third-party assessment comes to compliance and its close associates.

Ultimately, a robust compliance policy for third parties can gain the compliance team recognition for achievements that are both tangible and intangible:

  • The company forms relationships only with reliable, trustworthy partners, which elevates the trust the company itself receives from customers and external stakeholders. 

  • Adverse legal and financial impacts resulting from undetected third-party risks are minimized — thus, fewer lawsuits, regulatory penalties, and unexpected expenses.

  • The process of screening, onboarding, and monitoring third parties — particularly when a compliance automation solution is utilized — becomes more streamlined and efficient, reducing administrative overhead and freeing up resources for more strategic activities.

Our eBook — How to Create an Effective Third-Party Risk Management Policy — can help answer the most pressing questions about compliance policies for third parties, such as:

  • What are the risks of not having a third-party risk policy?
  • How do I start the process of creating a policy?
  • Once I have a policy in hand, what happens next — how do I operationalize and maintain it?

The information provided in articles consists of suggestions only and is based on best practices. Dun & Bradstreet is not liable for the outcome or results of specific programs or tactics. Please contact an attorney or financial/tax professional if you are in need of legal or financial/tax advice.