Organizations across the world depend on suppliers, distributors, contractors, re-sellers, brokers, and other third parties to fulfil critical business requirements. As the complexity of this third-party ecosystem increases, so do the associated risks. If these risks are not identified and mitigated in a timely manner, they can seriously impact an organization’s reputation and revenue. Therefore, effective third-party screening, due diligence, and continuous risk assessments are critical – especially when complying with multiple regulations around third-party governance.
MetricStream Third-Party Management App
The MetricStream Third-Party Management App provides advanced and comprehensive capabilities to manage third-party risks, compliance, performance, business continuity, audit and issues across the extended enterprise. Through an integrated approach to third-party management, the app provides real-time visibility into third-party risks, and helps mitigate them before a crisis can erupt.
Users can consolidate and rationalize third-party information, standardize the intake process, manage onboarding and continuous third-party due diligence, track third-party performance and compliance, verify third-party information against audits and facts from authoritative sources, and improve risk mitigation and resolution.
The app's “multi-dimensional organization structure” functionality enables organizations to model their third-party management programs based on their organizational hierarchies. Powerful dashboards, workflows, a centralized repository of third-party risk information, and other capabilities help ensure that third-party management processes are efficient and robust. Advanced reporting tools provide real-time insights into third-party risks, enabling stakeholders to identify and respond swiftly to red flags.
The app is certified for conformance with global accessibility standards and best practices as defined by WCAG 2.1 Level AA and Section 508. It can be deployed cost-efficiently, and its robust platform foundation can scale up with the organization over time.
Why MetricStream Third-Party Management App
Simplifies third-party management processes
Offers built-in assessment templates to simplify third-party intake, onboarding, information management, risk assessments, compliance assessments, audit management, continuous monitoring, and risk mitigation
Provides an intuitive portal to search for and request third parties and engagements
Enables users to search existing third parties before requesting a new one; allows users to manage multiple third-party related activities from a single page, including due diligence, assessments, artifact uploads, and the addition of products or services
Centralizes third-party information management
Provides a central repository to store and manage information on third parties across departments; delivers a 360-degree view of third-party risks, compliance status, and associated documents through user-friendly metric cards
Delivers comprehensive visibility into third-party risks
Strengthens decision-making through various reports and dashboards that provide real-time visibility into the status of third-party relationships, as well as the associated risks, compliance, and performance metrics
Helps orchestrate the risk mitigation process
Leverages AI and ML to decode key risk areas, provides capabilities to collaborate with third parties on risk mitigation tasks, and automatically alerts them on pending action items
Improves compliance with regulatory mandates
Enables an efficient and effective approach to third-party management, thereby enhancing compliance with multiple mandates from the Office of the Comptroller of the Currency (OCC) and the Federal Financial Institutions Examination Council (FFIEC), as well as the Foreign Corrupt Practices Act (FCPA), Anti-Money Laundering (AML) laws, and the UK Bribery Act
M7 Platform Highlights
Engaging and personalized user experience
Makes third-party management processes simple, context-sensitive, and personalized to each user; facilitates an intuitive and engaging user experience
Supports app configurations and extensions in an upgrade-safe and scalable manner through the MetricStream AppStudio configuration framework; helps the organization adapt to change quickly
Mobility and layering
Provides a responsive interface that allows third parties to be managed across devices; leverages a REST API integration framework to layer third-party management processes over heterogeneous IT systems and business-critical infrastructure
Reporting and analytics
Delivers powerful visualization tools and analytics to manage and monitor third-party trends, data relationships, and actions in real time across the extended enterprise
Lean and robust architecture
Is built on a lean, modern, scalable, and extensible architecture that enables the global digital enterprises of today to seamlessly scale up and support new users, while also adding new apps and solutions to meet changing organizational needs
Create and manage comprehensive profiles for each third party, including their internal and external contacts, relationships with the organization, assessments, bank information, artifacts or documents, risk alerts, and issues. Access third-party details such as their Data Universal Numbering System (DUNS) number, the business units they are associated with, facilities, country, assets, products or services provided, processes, regulations, contracts, spend, certifications, due diligence status, and risk rating. Capture third-party aliases or "also known as" names to facilitate duplicate checks. Enable all stakeholders involved in a third-party relationship to view accurate and up-to-date information on their third parties. Mark strategic third parties as confidential, and limit data access to a specific group of users or roles.
Capture artifacts and contract details including contract value, review schedule, supporting documents, and expiration dates. Correlate these artifacts with each other, e.g., statements of work (SOWs) with master service agreements (MSAs). Automate task assignments based on the defined review schedule. Track upcoming expiration dates and reviews.
Use the third-party profile page to edit information and initiate various third-party management activities. Offer third parties access to the system to submit and update relevant information.
Business User Portal
Leverage the app’s intuitive page to search for, view, and request new third parties, as well as new engagements with existing third parties. Use the access-control feature to ensure that only users with specific access rights can view third parties, their relationships with other business entities, and associated documents. Search for third parties based on multiple criteria, including the product or service provided, country, qualification status, DUNS number, criticality, and tier. Check existing relationships before requesting a new third party or engagement. View third-party information in a comprehensive card format, and initiate and track due diligence activities as well.
Simplify the task of searching for third-party policies by leveraging Google’s BERT model for natural language processing (NLP). Search for relevant policies from widgets placed in the intranet or any other portal.
Third Party Self-Service Portal
Submit and update relevant information, upload documentation, and respond to assessments, issues, and action requests across any type of interaction. Initiate profile edits such as name changes and submit re-qualification certifications to ensure the authenticity of information. Capture an issue or observation through a conversational chatbot that lets the third-party user provide details. Report observations and issues discreetly and anonymously.
Search for the permissible and relevant policies using NLP-based search.
Onboarding due diligence
Make an informed selection of third parties through the app. Establish a standard process across the enterprise to assess, rate, segment, and onboard third parties. Define the standard process for third-party intake, screening and onboarding at an organization level, as well as for each organization, line of business, or engagement based on the business needs. Trigger internal approval workflows to ensure that the right third parties are onboarded. Send out automated notifications to keep the business informed about the progress of third-party onboarding.
Identify and assess potential third-party risks, including inherent risks, bribery risks, sustainability risks, business continuity risks, financial health risks, legal liabilities, and cyber and IT risks. Leverage the Cloud Security Alliance’s Consensus Assessment Initiative Questionnaire (CAIQ) and the Shared Assessments Standardized Information Gathering (SIG) questionnaires A-Z to enhance risk assessments. Rate and qualify third parties based on the results, and then define the next course of action to mitigate risks. Enable additional screening and validation of third-party information with the help of alerts from reliable internal or external sources.
Segment third parties based on multiple attributes, including country, annual spend, product or service category, criticality, and revenue. For each attribute, define weighting factors, and aggregate the overall segmentation score. The segmentation scoring rules compare the score against acceptable limits. Based on the score values, automate the assignment of a rating (e.g., high, medium, low, or risk tier 1, tier 2, tier 3). Define the level of due diligence assessments required.
Third Party Intake Process
Request a new engagement before deciding which third party will be involved. Respond to a configurable set of pre-defined questions to help assess the risks involved with the specific engagement. Simplify requests for a new third party or engagement through a user-friendly portal. Capture details of the engagement, including the purchasing organization involved, the product or service category, spend, primary and secondary lines of business, primary and secondary departments, legal entities, and internal contacts. Capture additional information on the third-party engagement to assess the inherent risk. Streamline the intake process and automate the review and approval of the request according to criticality and other attributes based on business needs. Identify and trigger relevant due diligence workflows based on multiple factors, including the organization engaging the third party and the category of the product or service offered.
Allow users to conditionally approve new third parties during the due diligence process to support the urgent interim needs of the business. Track this information from the "Conditional Approval Report". If a third party or engagement is not valid anymore, allow the requester or approver to cancel the request.
Qualify and rate third parties based on the results of the due diligence process. Score all assessments with configurable scoring rules that aid the quantitative assessment of risks. Auto-define the next course of action to mitigate risks. Trigger internal approval workflows to ensure that the right third parties are onboarded. Automatically notify key stakeholders on the progress of onboarding third parties.
Validate third-party information based on risk intelligence feeds from third-party content providers. Integrate content from single or multiple industry providers and global data sources on reputation, sustainability, threat intelligence, cybersecurity rating, country corruption index, financial ratings, politically exposed persons (PEPs), sanction lists, special interest persons (SIPs), state-owned enterprises, and adverse media listings. Enable users to subscribe to regulatory alerts based on the risk rating or criticality of their third parties. Automatically create issues when pre-defined thresholds are breached. Quantify third-party risk by integrating with market-standard ratings that improve insight into a third party’s cyber risk posture. Review the alerts and risk-rate the third parties accordingly, while also performing risk assessments and logging issues for remediation.
Leverage insights from leading regulatory content providers to proactively identify regulatory changes and their impact on third-party relationships, current engagements, business processes, policies, assessments, and controls.
Periodic Risk and Compliance Due Diligence
Identify the level of risk and compliance associated with a third party or their product or service. Schedule periodic due diligence assessments, or trigger ad-hoc assessments. Automate various assessment workflows based on the type of third party or engagement, the compliance mandates, and risk levels (i.e. reputation risk, information security risk, financial risk, strategic risk, business continuity risk).
Select third parties for compliance or risk assessments based on various parameters such as criticality, rating, tier, and when they were last assessed. Leverage pre-defined questionnaires to assess the status of third-party risk in multiple areas, including sustainability, finance, compliance, legal, IT, and anti-bribery and corruption, and automate risk rating and scoring. Simplify the process of responding to assessments by pre-populating form fields with earlier responses. View an overall third-party score and rating.
Capture assessment responses from multiple stakeholders periodically. Enhance efficiency by allowing one or multiple team members to contribute to periodic third-party assessments. Allow internal and third-party users to reassign or collaborate on assessments with other users in their organizations. Enable third-party users to create temporary new contacts and reassign assessments to these new users.
Scheduling Periodic Assessments
When qualifying a third party, leverage their rating scores to define the schedule and frequency of periodic due diligence assessments, which will then be triggered automatically. Alternatively, define business-specific logic to determine the frequency, as well as the start and end dates of the assessments, based on organizational needs. Or, trigger ad hoc assessments based on risk intelligence from external sources, incidents, performance failures, or business insights.
If there are any changes to the third party’s ratings, enable schedules to be automatically re-suggested by the app. Or allow users to modify and update the schedules themselves. In addition, allow new assessments to be added to the due diligence workflow in progress.
Create and conduct compliance assessments and surveys based on internal policies, as well as local, regional, and international laws.
Collect certifications and attestations in line with regulatory requirements. Comply with key regulatory requirements, including anti-bribery and anti-corruption (FCPA, UK Bribery Act); information security (PCI DSS, HIPAA, HITECH Act, GLBA); social compliance (UK Modern Slavery Act); and environment, health, and safety (EPA mandates, ISO 14001, OHSAS).
Assessment Scoring and Response Management
Simplify third-party assessments by automating the risk scoring process and triggering additional assessments based on the third-party ratings. Apply weighting factors at the question, section, and questionnaire level. Automate the aggregation of third-party risk scores based on the overall questionnaire score as well as the scores at the individual section level and question level. Use a scoring range and/or limits to arrive at a holistic risk rating (high, medium, or low). Allow additional assessments to be triggered based on the responses, the score value, or the score range.
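As an added illustration (not MetricStream's own code or scoring rules), the following Python sketches the weighted scoring described in this paragraph and in the segmentation paragraph above: question weights roll up into section scores, section weights into a questionnaire score, a threshold band maps the score to a high/medium/low rating and a tier, and the rating selects follow-up assessments. The same weighted aggregation is reused for the attribute-based segmentation score. The weights, thresholds, sample responses, and follow-up policy are all constructed assumptions for the example.

```python
"""Weighted risk scoring with threshold-based ratings (constructed example).

Not MetricStream code: weights, thresholds, and the follow-up policy below
are assumptions chosen to illustrate the technique.
"""

# All scores are normalised to 0.0 (best) .. 1.0 (worst) so that weights at
# the question, section, and attribute level can be combined the same way.

def weighted_average(pairs):
    """Weighted mean of (weight, value) pairs, normalised by the total weight.

    Normalising by the total weight means an unanswered (omitted) question
    does not silently pull the score toward zero.
    """
    total = sum(w for w, _ in pairs)
    if total <= 0:
        raise ValueError("weights must be positive and not all zero")
    return sum(w * v for w, v in pairs) / total


# Rating bands (assumed): the first threshold the score reaches wins.
RATING_BANDS = [(0.7, "high"), (0.4, "medium"), (0.0, "low")]
TIER_BY_RATING = {"high": 1, "medium": 2, "low": 3}
# Assumed policy: which additional assessments each rating triggers.
FOLLOW_UP = {
    "high": ["onsite audit", "financial health review"],
    "medium": ["financial health review"],
    "low": [],
}


def rate(score, bands=RATING_BANDS):
    """Map a 0..1 score to a rating label using the threshold bands."""
    for threshold, label in bands:
        if score >= threshold:
            return label
    return bands[-1][1]


def section_score(section):
    """Aggregate a section's questions: list of (weight, score) pairs."""
    return weighted_average(section["questions"])


def assess_questionnaire(sections):
    """Roll question scores up to sections, then to the questionnaire.

    Returns the overall score, rating, tier, triggered follow-ups, and the
    per-section scores so reviewers can see which area drove the rating.
    """
    per_section = {s["name"]: section_score(s) for s in sections}
    overall = weighted_average([(s["weight"], per_section[s["name"]]) for s in sections])
    rating = rate(overall)
    return {
        "score": overall,
        "rating": rating,
        "tier": TIER_BY_RATING[rating],
        "follow_up": FOLLOW_UP[rating],
        "sections": per_section,
    }


def segment(attributes):
    """Segmentation: attribute -> (weight, normalised risk value)."""
    score = weighted_average(list(attributes.values()))
    rating = rate(score)
    return {"score": score, "rating": rating, "tier": TIER_BY_RATING[rating]}


# Constructed sample questionnaire: three sections, question (weight, score).
SAMPLE_SECTIONS = [
    {"name": "information security", "weight": 0.5,
     "questions": [(2, 0.9), (1, 0.6)]},      # -> 0.8
    {"name": "financial health", "weight": 0.3,
     "questions": [(1, 0.2), (1, 0.4)]},      # -> 0.3
    {"name": "anti-bribery", "weight": 0.2,
     "questions": [(1, 0.5)]},                # -> 0.5
]
# Constructed sample segmentation attributes: attribute -> (weight, value).
SAMPLE_ATTRIBUTES = {
    "country risk": (0.3, 0.8),
    "annual spend": (0.2, 0.5),
    "criticality": (0.5, 0.9),
}

if __name__ == "__main__":
    print(assess_questionnaire(SAMPLE_SECTIONS))  # overall 0.59 -> medium, tier 2
    print(segment(SAMPLE_ATTRIBUTES))             # 0.79 -> high, tier 1
```

Keeping the per-section scores in the result is deliberate: a single holistic rating tells a reviewer that a third party is "medium", but the section breakdown shows that the information security section (0.8) is what would cross into "high" if its weight were raised, which is the kind of detail a due diligence reviewer needs when deciding on follow-up assessments.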
Define third-party performance metrics based on contracts and policies. Assess and track each third party’s key performance indicator (KPI) scores (e.g., cost, delivery, service, quality).
Incorporate performance and risk data from various systems, departments, content providers, and processes like audits, assessments, and inspections. Strengthen business decisions by leveraging scorecards, and comparing scores based on the product or service type offered.
Drive third-party performance improvement with dedicated activities and tasks. Benchmark how third parties improve over time, view trends, and identify preferred third parties. Enable third parties to monitor their own status and performance through specific reports and dashboards.
Establish a business resilience posture for the organization with a structured approach. Capture and track the business impact analysis and business continuity plans of the third parties in conjunction with their internal ones. Source information on potential and actual hazards due to geophysical events through integration with content providers. Determine the potential impacts with early warning alerts on hazards or incidents near third-party data centers, and communicate these to the relevant stakeholders. Trigger business continuity plans based on impacted assets and processes. Respond quickly to emergencies and critical events with notifications and alerts. Communicate promptly using advanced capabilities such as Emergency Mass Notifications and mobile alerts. Implement BCM plans in collaboration with third parties, thereby enhancing crisis response and recovery. Trigger follow-up actions, including automated deep assessment of third parties and third-party termination, with pre-defined assessment lists and approval workflows.
Leverage the MetricStream COVID-19 solution to plan, act, and adapt to ever-widening pandemic repercussions in near real time.
Identify key third parties for auditing based on their risk scores, screening results, and other important parameters such as the criticality of the supplier, product or service provided, and country of operation. Enable various types of audits, including compliance, quality, safety, IT, environmental, social responsibility, and sustainability. Conduct onsite audits or detailed online audit assessments.
Accelerate audit processes, ranging from information gathering, to audit planning and scheduling, field work, reporting, and issue remediation. Design or modify checklists to evaluate third parties based on multiple parameters.
Issue Tracking and Action Management
Record and resolve issues identified during each stage of third-party management, including onboarding, monitoring, and risk, compliance, audit and performance assessments. Systematically capture issues, and define and manage action plans for risk mitigation.
Assign specific, time-bound issue management tasks to internal users and third parties. Gain visibility into the completion of each issue management stage, including issue initiation and approval, as well as action plan definition, approval, implementation, and final approval.
AI Enabled Issue Management
Enable users to flag observations on potential risks, report anomalies, deviations, etc., via chatbots or conversational interfaces, widgets, and browser plugins. Leverage the NLP-based chatbot to view status updates and follow-up actions. Report sensitive issues discreetly and anonymously; personally identifiable information is not recorded.
Leverage AI-powered issue analytics to manage numerous issues, findings and gaps that are similar in nature and automate the creation, management and monitoring of actions for each of these issues and findings.
Improve risk visibility from issues and observations by leveraging MetricStream k-means clustering, a machine learning algorithm that helps decode real inter-relations and classifies issues by cluster. These clusters help identify unknown risks and control effectiveness, and reveal various insights from the issues reported.
Leverage in-built workflows and checklists to offboard the third party in the event of a contract breach or expiration, as well as incidents of non-compliance or dissatisfaction. At this point, all open assessments will be revoked, and no further assessments will be assigned to the third party.
Reports and Analysis
Gain powerful reports, analytics, and business intelligence capabilities for a sound understanding of third-party risks, compliance, and performance. Leverage a range of dashboards and charts to slice and dice third-party data based on organization, region, type, and other focus areas. Compare third-party scores based on each product or service type and track how third parties are improving over time. Allow third parties to monitor their own progress through graphical reports and dashboards. Use the status and summary reports to track the compliance and risk status of third parties. This data can provide insights into business performance.
Gain better simulation and analysis capabilities for predicting third-party related risks with advanced analytics through integration with Tableau and R analytics. Enhance visibility by correlating third parties with assets and security ratings for better analysis.
MetricStream partners with multiple third-party OEMs and leading content providers to help organizations improve their third-party risk management around: Data Security, Cybersecurity, IT, Financial, Sustainability, Regulatory Intelligence, Disaster and Hazard Intelligence, Country Corruption, Commercial and Reputational, and Analytics.