An earlier post touted the benefits of embedding the business justification for the use of third parties into compliance programs. This post talks about the importance of requiring the employee who prepares that business justification to be the business sponsor of that third party, a key component for weaving compliance into the fabric of everyday operations.
The business sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues going forward, including an annual compliance review. The use of a business sponsor has at least two drivers for the further operationalization of the compliance program. It requires not only business unit buy-in but also business unit accountability for the business relationship, and it puts the onus on each business stakeholder to more fully operationalize this portion of the compliance program.
What are some of the basic pieces of information needed from the business sponsor? Senior management should learn the name and contact information for both the business sponsor and the proposed third party and how the business sponsor came to know about the third party. This is essential, as it is a red flag if a customer or government representative pointed the company toward a specific third party. The information should then be detailed in a report for the compliance department to review and then be signed by the business sponsor.
The business sponsor should then provide a review of the qualifications of the third-party candidate, the resources to perform the services for which they are being considered, and the third party’s expected activities for the company. More detailed inquiries should include how the third party was identified and why no current third-party relationships can provide the requested services. Gathering all of this information, supplied by the business sponsor, makes the business unit the owner of the relationship, both from the business perspective and the compliance perspective. Having this in place will work to more fully operationalize the company’s compliance regime.