Companies with robust third-party risk management programs clearly distinguish themselves in many ways from those whose programs lack maturity.
Those best practices were recently analyzed in NAVEX Global’s third consecutive report on third-party risk management (TPRM). Prudent ethics and compliance officers will want to check out the new report to gauge how their TPRM programs stack up against their peers.
In its 2017 “Ethics & Compliance Third-Party Risk Management Benchmark Report,” 427 survey respondents rated the maturity of their TPRM program based on the following four categories:
Reactive (13 percent of respondents): We address issues as they arise with no formal program in place.
Basic (29 percent of respondents): We are seeking to develop procedures to manage third-party engagements, but due diligence efforts lack consistency and uniformity between business units or geographies. We send questionnaires and screen a limited number of third parties. Management of third-party engagements lacks centralization, and we have an incomplete understanding of organizational exposure to risk associated with third parties.
Maturing (44 percent of respondents): We understand our organizational exposure to risks associated with our third parties, have some level of uniform policy, and are moving toward a centralized third-party risk management system. We are identifying internal stakeholders who will be accountable for defining risk and owning third-party engagements. We perform audits and require training and policy attestation from a limited set of third parties. We have confidence that we’re taking a risk-based approach to third-party due diligence but still have gaps to cover.
Advanced (14 percent of respondents): We have consistently identified and stratified potential exposure to risk across the organization and have a clearly defined global policy. We regularly perform audits, train third parties on our policies, and gain attestation at clearly defined intervals. Key internal stakeholders are informed and involved in the entire third-party risk management lifecycle. We measure program success and KPIs and adapt our program based upon results. We have confidence that our program is defensible and would withstand enforcement action.
New in this year’s report, the program maturity definitions were adjusted to align more closely with the FCPA Guidance and best practices, including performing audits, requiring training, and centralizing risk management operations. Additionally, much of the maturity-scale criteria were based on process, structure, and alignment—not on budget, number of full-time employees, or number of third parties, the NAVEX report stated.
Using the four categories as a baseline, the report provides a clear picture of what distinguishes maturing and advanced TPRM programs from those that are reactive or basic. The core elements that set maturing and advanced TPRM programs apart from basic and reactive ones are explored in greater detail below.
Due diligence and policy assessments. Overall, the data revealed that most companies (57 percent) conduct third-party due diligence by pursuing a risk management program that corresponds to the nature and level of risk that their third parties represent. Moreover, 55 percent of respondents indicated that their companies use formal processes—such as capturing the business rationale for an engagement and conducting screening—to vet third parties and filter out high-risk engagements.
“This reflects the kind of program criteria you see not only in the FCPA Guidance and other recognized guidance around third parties, but also the recent Evaluation of Corporate Compliance Programs from the Department of Justice,” Randy Stephens, vice president of advisory services for NAVEX Global, said during a recent webinar discussing the findings.
WHEN DO YOU UPDATE?
NAVEX asked respondents to its TPRM survey: When do you reassess or update your third-party policy, including your third-party due diligence policy? Results are below.
Maturing and advanced TPRM programs assess their third-party due diligence policies more often than reactive and basic programs. In the NAVEX report, 49 percent of companies with maturing and advanced programs assess their third-party due diligence management policy on an annual basis, whereas 44 percent of reactive and 28 percent of basic programs indicated that they don’t even have a policy in place.
Third-party risk classification. Sixty-two percent of respondents, overall, said they use specific criteria to classify third-party risk as high, medium, and low. Respondents with maturing and advanced programs, however, are far more likely to use specific criteria to classify risk: 87 percent do so, compared to 52 percent of both reactive and basic programs. “Your third-party risk management program should be consistent, but adaptable,” Stephens said.
Among those that classify third parties by risk level, the main criteria assessed are the type of third party (82 percent); amount of the contract (62 percent); and geography of the third party (61 percent). A risk-based approach includes applying different degrees of due diligence based on these classification criteria.
Another important classification consideration is to tie a third party’s risk level to the amount of revenue that it generates. “For example, you may have a high-risk third party in China who generates $5,000 in revenue versus a mid-risk third party that generates $1 million in revenue through government interactions,” Michael Volkov, a former federal prosecutor and a white-collar defense attorney with the Volkov Law Group, said during the webinar.
TPRM through automation. Maturing and advanced TPRM programs are more likely to use automated systems to manage third-party risk: 43 percent do so, compared to 30 percent of respondents overall. Automated systems are mainly used to help screen third parties (72 percent) and to conduct enhanced third-party due diligence (60 percent).
Automation also helps when it comes to exercising audit clauses. “There is no better way to do that than to start with the data you have in your automated program,” Volkov said.
Across all aspects of program execution, companies that use automated systems perform significantly better, especially when it comes to screening third parties, the report found. Maturing and advanced TPRM programs tend to screen all their third parties, while reactive and basic programs tend to screen only select third parties—such as those that are crucial to their business or those in high-risk industries or geographical locations. “Not doing at least some basic level of screening for every third party is going to open you up to greater risk,” Stephens said.
Furthermore, 92 percent of maturing and advanced TPRM programs said they continuously monitor third parties, including 37 percent that monitor all third parties. In comparison, nearly one-third of respondents with reactive and basic programs said they do not continuously monitor third parties at all.
Overall, companies that use automated systems are more likely to continuously monitor all third parties than those not using automated systems (41 percent vs. 23 percent, respectively). “It’s easier to conduct due diligence and monitor when you’re using automation, particularly where an organization engages thousands or tens of thousands of third parties,” Stephens said.
Program effectiveness assessments. The most common approaches used to assess effectiveness of third-party due diligence programs, particularly among maturing and advanced programs, are periodic risk assessments and audits. “This best practice ensures the program is working as intended and can also be an early warning sign for gaps or opportunities to improve,” the report stated.
DO YOU USE SPECIFIC CRITERIA?
NAVEX asked respondents to its TPRM survey: Do you use specific criteria to classify third-party risks as high, medium, and low? Results are below.
Almost half of organizations with reactive programs (48 percent) and more than a third of those with basic programs indicate that they don’t assess program effectiveness, compared to 11 percent of maturing programs and eight percent of advanced programs.
Those with maturing and advanced programs are likely to assess the effectiveness of their TPRM program using a variety of approaches, including:
Periodic risk assessments (56 percent vs. 36 percent of reactive and basic programs);
Onboarding and screening efficiencies (32 percent vs. 13 percent);
Ability to proactively identify and mitigate third-party risks (36 percent vs. 19 percent);
Third-party training completion and attestation rates (13 percent vs. six percent);
Audits (53 percent vs. 36 percent); and
Benchmarking program performance against peers (20 percent vs. six percent).
The report highlighted that, surprisingly, 22 percent of respondents do not measure effectiveness using any means whatsoever. “You can’t improve what you can’t measure; the strongest compliance programs will be able to rely on data, metrics, and outcomes to measure effectiveness and apply resources accordingly,” the report stated.
Overall performance. Across all aspects of program execution, performance significantly improves with maturity. Respondents with advanced programs said they are able to do the following:
Implement a risk-based program (87 percent);
Comply with laws and regulations (87 percent);
Conduct deeper dives where needed (82 percent);
Defend the program to enforcement agencies (83 percent);
Accurately define risk (84 percent); and
Determine the ROI of the program (50 percent).
Beyond performance, the report showed that the less mature a TPRM program, the greater the likelihood of facing an enforcement action. In the report, 46 percent of those respondents with reactive programs faced legal action in the last three years, whereas less than 30 percent of those with basic, maturing, and advanced programs faced legal or regulatory enforcement actions over the same period.
In sum, the key findings from NAVEX Global’s 2017 TPRM benchmark report show ethics and compliance professionals that today’s best practices include applying program diligence and consistency across all third parties; defining the business justification for each engagement; continuously monitoring higher-risk third parties; and applying due diligence analysis when and where it’s warranted.
Lastly, companies that use an automated third-party management solution to manage the scale and scope of their third-party risk profile enjoy improved program performance on multiple levels, helping to reduce both their legal and financial risk and their reputational risk overall.