Jean-Paul Sartre famously said that, “Hell is other people.” For many compliance officers, hell is dealing with other people known as third-parties, and the companies they own.
Third-party management is a perennial headache. Recently at the Compliance Week conference, on-the-ground polling found that third-party management was the greatest challenge facing compliance officers today. Tracking metrics around third-party management is critical to seeing trends in your company, and being able to respond to movements in the business quickly.
In this blog, we’re going to explore metrics relating to third-party management. This is Part 5 of our series. If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen. We’ve already explored metrics that can be used with policies and procedures, which can be found HERE, monitoring and auditing, which can be found HERE, and training, which can be found HERE.
Too Much Information (for a change!)
Perhaps more than any other area of the seven elements of an effective compliance program, third-party metrics are usually the easiest to collect. Most large companies have some sort of online or technology-based system that can gather data. Even small companies managing third-parties on an Excel sheet can sort by column to find out how many third-parties they have in a certain country.
Because of this wealth of data, choosing the right metrics relating to third-parties is critical. Having numbers for numbers’ sake is not useful. You must carefully answer the most fundamental question when choosing third-party-related metrics. That question is: So what?
As with other programmatic areas, each metric needs context, so it tells a story. In addition, each metric needs to be tied to a goal or Key Performance Indicator (KPI), so you can tell if the trend is going in the right direction. Metrics without context are useless. When you choose a metric, make sure you ask, “So what?” If you can’t answer why the metric matters, or what the goal is for that metric, choose something else.
Following you’ll find example metrics for third-party management. Not all the examples will fit your program. Metrics, by their nature, need to be tailored so that they match the maturity of your program, the nature of your business, the size and geographical expanse of your business, etc. For each, a “So What?” answer and example KPI or goal is included.
Spot the Trends
Metrics relating to third-party management tell their story over time. A single snapshot is unlikely to give you large amounts of information, whereas the comparison of metrics month-on-month can tell a much fuller story. For instance, if in month 1 you see that you have 1,000 third-parties, in month 2 you have 1,100, in month 3 you have 1,200, and in month 4 you had 2,000 – you need to investigate why there was such a bump. Did one region hire a slew of resellers? Is there a new business unit that suddenly brought on a bunch of sales agents? If so, is there a good reason for doing that? Does the region or business unit understand the risk in doing so? Effective metrics show you where you need to investigate and communicate.
Good metrics tell the story of your program. They show its evolution and give you confidence in its effectiveness. By tracking the correct metrics, you’ll be able to show the growth in raw data to the C-suite and Board of Directors.
Next time in our series, we’ll be examining metrics relating to governance. In the meantime, have an excellent week!