Organizations across the world depend on suppliers, distributors, contractors, re-sellers, brokers, and other third parties to fulfil critical business requirements. As the complexity of this third-party ecosystem increases, so do the associated risks. If these risks are not identified and mitigated in a timely manner, they can seriously impact an organization’s reputation and revenue. Therefore, effective third-party screening, due diligence, and continuous risk assessments are critical – especially when complying with multiple regulations around third-party governance.
MetricStream Third-Party Management App
The MetricStream Third-Party Management App provides advanced and comprehensive capabilities to manage third-party risks, compliance, and issues across the extended enterprise. Through an integrated approach to third-party management, the app provides real-time visibility into third-party risks, and helps mitigate them before a crisis can erupt.
Users can consolidate and rationalize third-party information, manage onboarding and continuous third-party due diligence, track third-party compliance, verify third-party information based on facts from authoritative sources, and improve risk mitigation and resolution.
The app's “multi-dimensional organization structure” functionality enables organizations to model their third-party management programs based on their organizational hierarchies. Powerful dashboards, workflows, a centralized repository of third-party risk information, and other capabilities help ensure that third-party management processes are efficient and robust. Advanced reporting tools provide real-time insights into third-party risks, enabling stakeholders to identify and respond swiftly to red flags.
The app is certified for conformance with global accessibility standards and best practices as defined by WCAG 2.1 Level AA and Section 508. It can be deployed cost-efficiently, and its robust platform foundation can scale up with the organization over time.
Why MetricStream Third-Party Management App
Simplifies third-party management processes
Offers built-in assessment templates to simplify third-party onboarding, information management, risk assessments, compliance assessments, continuous monitoring, and risk mitigation
Provides an intuitive portal to search for and request third parties and engagements
Enables users to search existing third parties before requesting a new one; allows users to manage multiple third-party related activities from a single page, including due diligence, assessments, artifact uploads, and the addition of products or services
Centralizes third-party information management
Provides a central repository to store and manage information on third parties across departments; delivers a 360-degree view of third-party risks, compliance status, and associated documents through user-friendly metric cards
Delivers comprehensive visibility into third-party risks
Strengthens decision-making through various reports and dashboards that provide real-time visibility into the status of third-party relationships, as well as the associated risks, compliance, and performance metrics
Helps orchestrate the risk mitigation process
Provides capabilities to collaborate with third parties on risk mitigation tasks, and automatically alerts them on pending action items
Improves compliance with regulatory mandates
Enables an efficient and effective approach to third-party management, thereby enhancing compliance with multiple mandates from the Office of the Comptroller of the Currency (OCC) and the Federal Financial Institutions Examination Council (FFIEC), as well as the Foreign Corrupt Practices Act (FCPA), Anti-Money Laundering (AML) laws, and the UK Bribery Act
M7 Platform Highlights
Engaging and personalized user experience
Makes third-party management processes simple, context-sensitive, and personalized to each user; facilitates an intuitive and engaging user experience
Supports app configurations and extensions in an upgrade-safe and scalable manner through the MetricStream AppStudio configuration framework; helps the organization adapt to change quickly
Mobility and layering
Provides a responsive interface that allows third parties to be managed across devices; leverages a REST API integration framework to layer third-party management processes over heterogeneous IT systems and business critical infrastructure
Reporting and analytics
Delivers powerful visualization tools and analytics to manage and monitor third-party trends, data relationships, and actions in real time across the extended enterprise
Lean and robust architecture
Is built on a lean, modern, scalable, and extensible architecture that enables the global digital enterprises of today to seamlessly scale up and support new users, while also adding new apps and solutions to meet changing organizational needs
Create a third-party profile page with comprehensive information on each third party, including their internal and external contacts, relationships with the organization, assessments, bank information, artifacts or documents, risk alerts, and issues. Access third-party details such as their Data Universal Numbering System (DUNS) digits, the business units they are associated with, facilities, products or services provided, contracts, spend, ongoing assessment data, country, issues, certifications, due diligence status, and risk rating. Capture third-party aliases or "also known as" names to facilitate duplicate checks. Enable all stakeholders involved in a third-party relationship to view accurate and up-to-date information on their third parties through the app. Mark strategic third parties as confidential, and limit data access to a specific group of users or roles.
Capture artifacts and contract details including contract value, review schedule, supporting documents, and expiration dates. Correlate these artifacts with each other, e.g. statements of work (SOWs) with master service agreements (MSAs). Automate task assignments based on the review schedule defined. Track upcoming expiration dates and reviews.
Use the third-party profile page to edit information, and initiate various third-party management activities. Offer third parties access to the system to submit and update relevant information, and to upload documentation. Enable these third parties to also initiate profile edits such as name changes. They can even submit re-qualification certifications.
Leverage the app’s intuitive portal to search for, view, and request new third parties, as well as new engagements with existing third parties. Use the access-control feature to ensure that only users with specific access rights can view third parties, their relationships with other business entities, and associated documents. Search for third parties based on multiple criteria, including the product or service provided, country, qualification status, DUNS number, criticality, and tier. Check existing relationships before requesting a new third party or engagement. View third-party information in a comprehensive card format, and initiate and track due diligence activities as well.
Onboarding due diligence
Make an informed selection of third parties through the app. Establish a standard process across the enterprise to assess, rank, segment, and onboard third parties. Define the process of third-party screening and onboarding for each organization, line of business, or engagement based on the company’s business needs. Trigger internal approval workflows to ensure that the right third parties are onboarded. Send out automated notifications to keep the business informed about the progress of third-party onboarding.
Identify and assess potential third-party risks, including inherent risks, bribery risks, business continuity risks, financial health risks, legal liabilities, and IT risks. Leverage the Shared Assessments Standardized Information Gathering (SIG) questionnaires A-Z to enhance risk assessments. Based on the results, qualify and rank third parties, and then define the next course of action to mitigate risks. Enable additional screening and validation of third-party information with the help of alerts from reliable internal or external sources.
Segment third parties based on multiple attributes, including country, annual spend, product or service category, criticality, and revenue. For each attribute, define weighting factors, and aggregate the overall segmentation score. The segmentation scoring rules are based on acceptable limits. Based on the score values, automate the assignment of a rating (e.g. high, medium, low, or risk tier 1, tier 2, tier 3). Define if due diligence assessments are required and at what frequency.
Requests for a New Third Party or Engagement
Request a new engagement before deciding which third party will be involved. Respond to a set of pre-defined questions to help assess the risks involved with the third party’s product or service. Simplify requests for a new third party or engagement through a user-friendly portal. Capture details of the engagement, including the purchasing organization involved, the product or service category, spend, primary and secondary lines of business, primary and secondary departments, legal entities, and internal contacts. Automatically identify the relevant due diligence workflows based on the criticality of the purchasing organization, as well as the category of the product or service offered. Capture additional information on the third-party engagement to assess the inherent risk.
Allow users to conditionally approve new third parties during the due diligence process to support the urgent interim needs of the business. Track this information from the "Conditional Approval Report" which provides details of such third parties. If a third party or engagement is not valid anymore, allow the requester or approver to cancel the request (it can be re-initiated later based on business needs).
Validate third-party information based on feeds from third-party content providers. Integrate content from single or multiple industry providers and global data sources on politically exposed persons (PEPs), sanction lists, special interest persons (SIPs), state owned enterprises, and adverse media listings. Enable users to subscribe to regulatory alerts based on the risk rating or criticality of their third parties. Review the alerts, and accordingly risk-rate the third parties, while also performing risk assessments, and logging issues for remediation.
Periodic Risk and Compliance Due Diligence
Identify the level of risk and compliance associated with a third party or their product or service. Schedule periodic due diligence assessments, or trigger ad-hoc assessments. Automate various assessment workflows based on the type of third party or engagement, the compliance mandates, and risk levels (i.e. reputation risk, information security risk, financial risk, strategic risk, business continuity risk).
Select third parties for compliance or risk assessments based on various parameters such as criticality, rating, and tier last assessed. Leverage pre-defined questionnaires to assess the status of third-party risk in multiple areas, including finance, compliance, legal, IT, anti-bribery, corruption, and business continuity. Trigger assessments at pre-defined intervals, and based on the responses, automate risk rating and scoring. Simplify the process of responding to assessments by pre-populating form fields with earlier responses. Once all the risk assessments are complete for all third parties and engagements, view an overall third-party score and rating.
Capture assessment responses from multiple stakeholders periodically. Enhance efficiency by allowing one or multiple team members to contribute to periodic third-party assessments. Allow internal and third-party users to reassign or collaborate on assessments with other users in their organizations. Enable third-party users to create temporary new contacts and login credentials, and reassign assessments to these new users.
Scheduling Periodic Assessments
When qualifying a third party, leverage their rating scores to define the schedule and frequency of periodic due diligence assessments which will then be triggered automatically. Alternatively, define business specific logic to determine the frequency, as well as the start and end dates of the assessments based on organizational needs. Or, trigger ad hoc assessments whenever required.
If there are any changes to the third party’s ratings, enable schedules to be automatically re-suggested by the app. Or allow users to modify and update the schedules themselves. In addition, allow new assessments to be added to the due diligence workflow in progress.
Assessment Scoring and Response Management
Simplify third-party assessments by automating the risk scoring process, and triggering additional assessments based on the third-party ratings. Apply weighting factors at the question, section, and questionnaire level. Automate the aggregation of third-party risk scores based on the overall questionnaire score as well as the scores at the individual section level and question level. Use a scoring range and/or limits to arrive at a holistic risk rating - high, medium, or low. Allow additional assessments to be triggered based on the responses, and score the value or range.
Issue Tracking and Action Management
Record and resolve issues identified during each stage of third-party management, including onboarding, monitoring, and risk and compliance assessments. Systematically capture issues, and define and manage action plans. Assign specific, time-bound issue management tasks to internal users and third parties. Gain visibility into the completion of each issue management stage, including issue initiation and approval, as well as action plan definition, approval, implementation, and final approval.
In the event of a third-party contract breach or expiration, as well as incidents of non-compliance or dissatisfaction, enable users to off-board the third party by leveraging in-built workflows and checklists. At this point, all open assessments will be revoked, and no further assessments will be assigned to the third party.
Reports and Analysis
Gain powerful reports, analytics, and business intelligence capabilities for a sound understanding of third-party risks, compliance, and performance. Leverage a range of dashboards and charts to slice and dice third-party data based on organization, region, type, and other focus areas. Compare third-party scores based on each product or service type, and track how third parties are improving over time. Allow third parties to monitor their own progress through graphical reports and dashboards. Use the status and summary reports to track the compliance and risk status of third parties. This data can provide insights into business performance.