Many third-party risk-management efforts start with the goal of providing full visibility over a company’s universe of third-party relationships.
The trouble is that many companies still don’t have a firm grasp on how to achieve that transparency, or even where to begin, exposing themselves to significant legal and compliance risks. “Companies often underestimate their universe of third parties,” Randy Stephens, vice president of advisory services for NAVEX Global, says. Most tend to focus on traditional third-party relationships—such as suppliers, distributors, agents, and joint ventures, for example.
Stephens advises, instead, that they cast a broader net to include anyone who represents the company. These third parties might include suppliers’ suppliers, resellers, sub-contractors, and more.
Most global companies, however, have thousands—if not tens of thousands—of third parties, and all of them must be monitored to ensure they adhere to the company’s business practices. To efficiently and effectively get better control over a company’s full universe of third-party relationships, the real difficulty is to “take that population of third parties and get it down to a manageable number,” Graham Murphy, a principal in KPMG’s U.S. forensic advisory services practice, says.
Stephens advises starting with a plan. Pull together an inter-departmental project team that includes regional and business leaders, as well as any country representatives, he says.
Next, identify the size and scope of your third-party universe—a task much easier said than done. “Most businesses procure services in a decentralized way,” Walter Hoogmoed, a principal with Deloitte, says. Without any sort of master list, assembling an initial inventory of third parties involves leveraging multiple databases from multiple business units.
Develop a Matrix
Once you’ve gathered that master list, you’ll want to separate high-risk third parties from low-risk ones so that the third-party risk-management process becomes easier to manage; where you draw that line depends on which risk the company wants to focus on most. “If you want to concentrate on the FCPA, for example, you may want to eliminate domestic suppliers,” Murphy says. “You should look at your third-party risk mitigation program as a part of your anti-bribery and anti-corruption program.”
Criteria used to assess and rank the risks associated with each third party will vary by organization and may include:
Country of operation where service will be provided;
Nature of third-party relationship and services provided;
Type of industry;
Length of the third-party relationship; and
Degree of involvement with foreign government officials.
Third parties that pose the greatest risk from an anti-bribery and corruption standpoint are those that have regular interaction with foreign government officials. “Because a company has political connections, it doesn’t mean you don’t do business with them; it may just mean you want to put processes and controls around that so you don’t run afoul of anti-corruption laws,” Murphy adds.
Another factor when vetting third-party risk is how frequently you use that particular third party. “You may want to eliminate those entities that you haven’t done any business with over the last few years,” Murphy says.
Triaging third parties helps set the wheels in motion for how much due diligence to perform on each third-party relationship moving forward. “Based on the inherent risk of that relationship, you might do more rigorous control testing,” Hoogmoed says. For some third parties, a due diligence questionnaire might suffice, whereas others might require on-site audits, he says.
Then determine who actually owns the risk. Who is purchasing from that third party? Who is approving payment to that third party?
“Every line of business has some sort of procurement, operation, or relationship manager that deals with third parties on a day-to-day basis,” Hoogmoed says. “The business manager that runs the business process should own the risk and be accountable for the exposure associated with that third party.”
Once a company has mapped out its total universe of third-party relationships, the next step is to monitor those third parties continuously so that any new risks are caught and addressed.
Many companies still perform this task on an ad hoc basis. “They don’t have a process in place to address third-party risk from a holistic standpoint,” Murphy says. “A lot of companies, for example, are managing the process on Excel spreadsheets, and it becomes very difficult to manage from that perspective.”
Elements of a Third-Party Risk Management Program
Randy Stephens, vice president of advisory services for NAVEX Global, recommends a few basic steps toward developing an effective third-party risk management program:
Identify/Prioritize: Identify your universe of third-party relationships and prioritize by risk. Cast a broad net and include anyone who represents your company, especially those who have regular interaction with foreign government officials. Don’t limit your search to suppliers, agents, and distributors.
Assess: Conduct due diligence on a risk-adjusted basis; uncover and assess risks. The FCPA Resource Guide states that the degree of appropriate third-party due diligence “may vary based on industry, country, size, and nature of the transaction, and the historical relationship with the third party.”
Mitigate: Take steps to mitigate risk that was uncovered. This means checking multiple sanction lists, adverse publicity, the extent to which the third party might have relationships with foreign officials, and more.
Monitor: Even if your due diligence process did not turn up any red flags or issues with your existing or newly on-boarded third parties, resist the desire to close the book. Continuous monitoring and periodic re-screening are necessary to identify risk events, keep information current, and ensure policy compliance remains in force.
Source: NAVEX Global.
Conducting risk management from a manual process standpoint makes it difficult to capture all third parties and the level of risk that each one poses. As a result, Murphy says, “a lot of companies right now are looking to technology-enabled solutions and putting systems in place to really help take them from a manual process to an automated process.”
Some third-party risk-management solutions automate the assessment and monitoring of a company’s third parties, screening for issues related to sanction and watch lists, politically exposed persons lists, and adverse media, for example.
Other avenues of continuous risk mitigation may include performing additional due diligence, exercising audit rights, providing third-party training on topics such as anti-bribery and conflicts of interest, and requesting annual compliance certifications. “You may decide to, in the worst case scenario, terminate the relationship,” Murphy says.
In addition, companies should conduct a thorough on-boarding process when going through a shift in business operations, or a merger or acquisition. A company that is expanding into an emerging market, for example, will want to ensure that it understands all the permits and licenses needed to build new facilities in that region. “Where you can run afoul of the law is by having an agent or third party do a lot of the gathering of that information for you,” Murphy says.
“Companies can outsource the function, but they cannot absolve themselves of any responsibility,” Murphy adds. “So you want to make sure agents and those acting on your behalf have a good reputation and prior experience.”
The risks associated with third parties will continue to grow more prevalent as more multinational companies turn to third parties. According to a third-party risk report conducted by NAVEX Global, 92 percent of more than 300 respondents indicated that they would either increase the use of third parties over the next year, or weren’t sure. Only 8 percent expected to reduce their reliance on third parties.
An effective third-party risk-management program doesn’t require an unlimited budget or sophisticated tools, but it does need to be reasonably tailored to the company’s level and type of third-party risk. By not monitoring third parties, and failing to document due diligence processes, companies expose themselves to significant legal, financial, and reputational risk.