
Third party risk assessment: 5 best practices for ABAC compliance

Third-party risk assessment protects companies from the risks tied to external partners such as suppliers, distributors, or agents. While a business can control its own actions, it can’t control what others do. The problem is, consumers don’t make that distinction. They hold companies accountable for the behaviour of those they work with. Third-party risk assessments prevent companies from getting involved in such situations.
These assessments require compliance teams to scrutinise third parties and uncover financial, operational, and reputational red flags before bringing them into the company’s ecosystem. While blocking a risky third-party relationship from moving forward can prevent future damage, it can also cause internal friction, especially when other teams have already invested time, resources, and trust into building that partnership.
That’s why third-party risk assessments should happen before the business commits time to nurturing a third-party relationship. The challenge is that organisations are already asking compliance teams to take on more responsibility than ever. Budgets and resources aren’t growing in tandem with the complexity of their workload. Meanwhile, regulatory demands are growing more complex. The good news is that new technology is becoming more accessible and cost-effective, offering compliance teams a way to scale their efforts.
In this article, we explore five best practices for conducting third-party risk assessments effectively and efficiently.
Best practices for third-party risk assessments
1. Draw information from unstructured data
Corporate compliance teams that don’t use unstructured, real-time data from the internet as part of third-party due diligence miss valuable insights. This kind of data can reveal potential risks that traditional screening tools can’t parse through and digest.
Due diligence processes tend to rely on procured adverse media databases, which provide a richer view of third parties beyond AML screening. But the limitation lies in their curated nature, meaning they may not encompass everything available in the public domain, and updates lag behind. New risk information might take days or even weeks to surface.
Using a dynamic due diligence platform like Xapien solves this problem by scanning the entire indexed internet in real-time, including local news sources and obscure blog articles, and transforming the findings into clear, actionable insights.
2. Apply a proportionate risk-based approach
Another issue with traditional screening tools is that they don’t provide a complete picture of risk. How can compliance teams take a risk-based approach if they don’t fully understand a third party’s risk level from the start?
Teams need a triage process, where they assess third parties early on to determine which ones warrant deeper investigation. But that’s time-consuming and manual work. Most compliance teams don’t have the resources to investigate every third party in depth, so they pre-screen third parties. While it’s a manageable process, it’s not a scalable one.
Sophisticated AI technology completes in minutes the depth of due diligence that once took days. This allows compliance teams to identify risks early on and allocate their time more strategically. For instance, they can advise procurement teams to avoid moving forward with a high-risk vendor before the business relationship begins.
3. Lower the barrier for enhanced due diligence
Global supply chains are more complex than ever, often spanning multiple countries and involving countless entities. It’s no longer enough to simply know your tier 1 suppliers. New ESG regulations are coming into sharper focus, stipulating that compliance teams go deeper into their supply chains. This puts pressure on already-stretched resources.
Advanced AI technology like Xapien automates deep research, which lowers the barrier for enhanced due diligence across a company’s third-party ecosystem. This enables compliance leaders to allocate resources more intelligently and maintain comprehensive coverage across their entire third-party portfolio.
4. Integrate ESG risk considerations
Supply chains aren’t just at risk of bribery and corruption. Now, consumers are increasingly raising concerns about environmental issues, labour practices, human rights, and corporate governance. For many compliance teams, the challenge is figuring out how to integrate these ESG risks into their existing ABAC programmes.
Mapping the interplay between ABAC and ESG risks helps make a clear case for their connection. If your ABC framework already includes Ultimate Beneficial Ownership (UBO) checks, it can also help identify entities with poor labour practices or those operating in high-risk labour environments. This is just one example of how integrating ABAC and ESG risk frameworks can create a stronger, more effective approach to compliance.
5. Continuously monitor third parties
Third-party due diligence is often treated as a one-off activity. But this exposes companies to unquantifiable risks. A low-risk third party today could quickly become a reputational liability tomorrow if new information comes to light or a firm’s risk tolerance changes. For example, a change in ownership, the exposure of a bribery scandal, or a corruption exposé could all significantly impact a third party’s ABAC risk score.
Dynamic due diligence enables two capabilities: interrogating existing data on third parties in real time when new risks emerge, and re-running due diligence checks easily and frequently. Xapien does both. It searches, analyses, and summarises real-time internet data that’s relevant when you run a report. And our “Ask your own question” feature means you can return to your original due diligence report and explore the data again. This lets you check for any new risks that may have come up since the initial check.
Final thoughts
ABAC risks today aren’t the same as they were yesterday, and they won’t be the same tomorrow. What was considered an ‘adequate’ compliance system ten years ago wouldn’t meet today’s regulatory standards. To stay effective, you need the ability to quickly analyse large volumes of unstructured data, and that means using AI. As both technology and regulatory expectations advance, third-party due diligence must keep pace. With powerful AI tools now widely available, choosing not to use them could soon be seen as negligence. Third-party actions today can become tomorrow’s risks. Stay ahead, don’t wait to catch up.
