Most organizations engage with hundreds, if not often thousands, of third party vendors, suppliers, agents and business partners, creating a daunting and ever-expanding scope of risk. This risk arises from:

  1. the difficulty in efficiently and effectively vetting and managing these third parties; and,

  2. liability created by the actions or compliance failures of these third parties when acting on behalf of the party who engaged them.

This is especially true in the anti-bribery and corruption area where third parties may expose the contracting party to Foreign Corrupt Practices Act (FCPA) or UK Bribery Act liability if they provide bribes to government officials or other companies to obtain or retain business on behalf of the contracting company. Even with increasing awareness and high profile prosecutions of companies due to the unlawful conduct of third parties, many organizations are still not being proactive enough in taking actions to insulate themselves from third party compliance failures and the resulting damaging enforcement actions.

NAVEX Global recently conducted a survey of 300+ business professionals actively working in the ethics and compliance arena (nearly a third self-identified as either chief compliance officers or chief risk officers) to quantify awareness of third party risks and identify the drivers behind them. The survey also addressed current best practices, along with the importance of implementing policies that efficiently and effectively assist companies in preventing, or at least reducing, the prevalence and impact of third party risks.

KEY LEARNINGS:

1 - 

An overwhelming 92 percent of the respondents indicated either they would increase the use of third parties in the coming 12 months or weren’t sure. Only 8 percent expected to reduce reliance on third parties. 

2 -

Most companies do not conduct due diligence on third parties before onboarding them. A majority of respondents monitor some third parties for legal and ethical and compliance risks; however, most do not track this information for all of their third party relationships.

3 -

Of those who do track their compliance risks, many are limiting their tracking to corruption issues and legal risks such as civil and criminal filings. 

4 -

Finally, 40 percent of respondents do not feel their organizations are well prepared to reduce ethics and compliance risks associated with third parties and, on a related note, close to half do not feel their organization is prepared to meet new supply chain and distribution disclosure requirements.

The survey results suggest that, by not consistently monitoring for third party risks and adequately preparing for new requirements, companies are putting themselves at significant reputational and financial risk by relying on third parties to operate unchecked in the global marketplace.

1 -

An overwhelming 92 percent of the respondents indicated either that they would increase the use of third parties in the coming 12 months or weren’t sure. Only 8 percent expected to reduce reliance on third parties.

KEY TAKEAWAY: Use of third parties continues to increase or hold steady even as companies face an enforcement environment that is gaining resources and becoming more aggressive. In fact, more than 90 percent of Department of Justice (DOJ) investigations of FCPA violations in 2013 relate to the actions of third parties[1].

More and more, companies are relying on third parties to help them meet revenue and service goals. This may be a result of many factors, including:

  • globalization and the difficulty in meeting staffing demands using expatriates;
  • workforce flexibility needs in a challenging economic environment; and
  • specialization and local culture knowledge that third parties can provide

In today’s environment, third parties represent a much broader spectrum. In the past, companies often worried only about suppliers, agents, contractors and joint venture partners. 

However, enforcement actions have made it clear that third party damage can be inflicted by a much more complex network of third parties. 

Reliance on third parties does not insulate a company from liability for the actions of those third parties. In fact, increasing the use of third parties means that organizations need to use even greater efforts to ensure that the entire spectrum of third parties they engage – or acquire as a result of mergers and acquisitions activity – have a full understanding and commitment to the compliance principles and Code or culture of the engaging company. This should include training and awareness as well a ongoing monitoring and auditing of your third parties.

Please click here to view image

2 -

Most companies do not conduct due diligence on third parties before onboarding them. A majority of respondents monitor some third parties for legal and ethical and compliance risks; however, most do not track this information for all of their third party relationships.

KEY TAKEAWAY: Selective due diligence and monitoring is a risky strategy. Without a risk-adjusted strategy, deployed before the start of the relationship, it is difficult to predict which third parties may cause a compliance failure.

The regulators do not credit a proportional strategy whereby only certain “riskier” third parties receive attention. All third parties engaged by a company need some level of due diligence, although it can recognize the level of risk that a third party poses” to “All third parties engaged by a company need some level of due diligence, although the organization can recognize and adjust for the level of risk each third party poses. This sort of risk assessment can be compared to the strategy undertaken by companies when they are implementing corporate security practices. At the highest levels in the organization, as expected, many precautions are taken to ensure that only people with a need to know have access to material, nonpublic information. The high-risk executives may also be required to undergo rigorous training and annual certifications. However, even employees without access to high-level material, non-public information are expected to adhere to basic security precautions. This may be manifested in the need to enter a unique password for computer log-in or even the most basic precaution of having to present an employee badge to enter the building. 

A Resource Guide to the U.S. Foreign Corrupt Practices Act (“Guidance”), published November 2012 by the DOJ and Securities and Exchange Commission (SEC), provides direction on the due diligence expectations of an effective third party compliance program:

  • “First, as part of risk-based due diligence, companies should understand the qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface. 
  • Second, companies should have an understanding of the business rationale for including the third party in the transaction.
  • Third, companies should undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party. 
  • In addition to considering a company’s due diligence on third parties, the DOJ and SEC also assess whether the company has informed third parties of the company’s compliance program and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal commitments.” 

Despite the stated risk:

  • 71 percent of respondents indicated they do not track information on some or all of their third party relationships, exposing themselves to significant ethics and compliance risks. The breakout is as follows:
    • 36 percent of respondents only track information on their most critical third party relationships
    • 35 percent do not track third party information at all

Even for those who do conduct due diligence and track information on their third parties, many do not begin the process early enough. In fact, 8 percent of those surveyed indicated that they do not conduct any due diligence until after the contract has been signed. This puts the company in dangerous territory; it is much harder to cancel the contract and find replacements after it has been executed. Alternatively, at this late stage, it is more tempting to move forward even though risks have been identified and may not be capable of mitigation.

3 - 

Of those who do track their compliance risks, many are not going beyond the basic legal and corruption issues.

KEY TAKEAWAY: To efficiently manage third parties, companies need to address all third parties comprehensively and use an integrated and standard process, starting with appropriate areas of due diligence and including regular monitoring.

Many companies’ standard process does not include using a risk-based due diligence program. The level of due diligence needs to be appropriate to the risk identified and should increase as red flags appear. This due diligence can range from a minimum adverse publicity screen to the most extreme example: an on-site visit. The important consideration is that the program must address, in advance of the engagement, every third party to an appropriate degree and it should be consistent and reasonable for the risk. 

The most critical aspect of the standard process is to demonstrate that all third parties were evaluated to some appropriate extent. “Addressing all third parties” does not mean that a company must employ the same level of due diligence for all third parties. The due diligence can be proportional to the risk level the third party presents. Simply doing nothing however, should not be an acceptable practice when dealing with third parties. Regulators certainly will not find it is acceptable in the event of a compliance failure.

With respect to the risks that are monitored, many respondents were focused on bribery and corruption risks of third parties, however many also appropriately identified other areas of concern as well.

What categories of ethics and compliance data does your organization track for third-parties?

Please click here to view image

4 -

Finally, a full 40 percent of respondents do not feel their organizations are well prepared to reduce ethics and compliance risks associated with third parties and, on a related note, close to half do not feel their organization is prepared to meet new supply chain and distribution disclosure requirements. 

KEY TAKEAWAY: Companies cannot put off developing and implementing a plan for: 

  • assessing third party risk;
  • consistently onboarding third parties;
  • effectively identifying and mitigating risk; and,
  • continuously monitoring and reporting on their third parties.

At least a third (38 percent) of survey respondents reported confronting issues of ethics and compliance with their known third parties in the last 12 months. Since 35 percent of survey respondents indicated that they do not track third party issues, this percentage is likely underreported.

A majority (60 percent) of respondents agree that third party ethics and compliance risks are the most important risks to mitigate. Although generally respondents have a good grasp on these issues, almost all companies surveyed (85 percent) agree that ethical and compliance performance of third parties remains a growing concern. Over a third (39 percent) of respondents believed they do not have the tools in place and are not prepared to mitigate third party ethics and compliance risks, despite the following findings:

Please click here to view image

CONCLUSION

The use of third parties is here to stay and will only continue to expand. Most third party risks are identifiable and most are manageable, but only if discovered and addressed as soon as possible.

The good news is that reasonable solutions exist. In fact, many companies, both large and small, have recognized the risk and – acting alone or in partnership with a reputable solution provider – have implemented efficient and effective solutions.

Any solution will have certain consistent elements. After identifying the complete universe of third parties, a successful solution should include the following:

Please click here to view image

An effective, best-in-class automated solution should provide the following benefits:

While some companies with very small numbers of third parties (often located or operating in close geographic proximity to the company headquarters) might be able to manage this process manually with internal resources, the best solution for most companies will involve an automated solution.

Scalability: it needs to be able to expand as the number and complexity of the third party landscape grows.

Consistency: the process for due diligence and ongoing monitoring is developed and replicated for each third party.

Centralization of data: a secure, globally-accessible and dedicated repository of data on the third parties, due diligence, other documentation and risk mitigation efforts.

Continuous monitoring: third party risk is not static and the third party due diligence process should not be a point-in-time solution. A best-in-class solution will continually search for updates on current third parties. Updates may discover, in real time, that the third party’s actions subsequent to engagement may need attention or mitigation.

Companies who are not prepared or willing to implement programs to meet the challenges of using third parties have two options: 

  1. stop using third parties or 
  2. roll the dice, risk the company’s reputation and hope to avoid detection.

Neither of these options will provide senior management, stakeholders, shareholders, regulators or the public with much comfort. 

Organizations generally cannot be competitive in a modern economic world without using third parties. Eliminating the use of third parties could result in higher transaction and employment costs, thereby raising prices or lowering margins. Neither of those results will allow a company to successfully compete.

Using third parties without a consistent, efficient and automated third party due diligence and management process is a risk that company leadership should find untenable. Being wrong in this case is not purely a business risk in the traditional sense; being wrong may result in more than a fine or penalty. Leadership must appreciate that failure to address third party risk is risking the organization’s reputation and, potentially, their ability to compete or survive.

With a reasonable amount of planning and the dedication of appropriate resources, third party risk is just another manageable risk. Failure to address this issue upfront could have you looking back and wondering, “Why didn’t I see this risk and address it when I could have?”