Most companies by now understand the escalating risks that third parties pose to their business and are ramping up their third-party risk management efforts accordingly. Even so, many struggle with how to achieve full transparency into the breadth and depth of their third parties, exposing themselves to significant legal and compliance risks.

Global companies must closely monitor thousands—if not tens of thousands—of third parties to ensure each one adheres to the company’s business practices. It should come as no surprise, then, that many still get stuck on the first step toward effective vendor governance—identifying all the vendors the company uses. According to a third-party risk management benchmark report conducted by NAVEX Global, 11 percent of 321 respondents polled said they still don’t know how many third parties they manage.

“As a first step, you’ve got to figure out who your third parties are,” says Randy Stephens, vice president of advisory services for NAVEX Global. “If you don’t know who is representing your company, then you cannot possibly assess risk accurately.”

This means paying attention to not just traditional third-party relationships—agents, suppliers, distributors, and joint ventures, for example—but virtually anyone who represents the company. These third parties might include consultants, service providers, suppliers’ suppliers, dealers and resellers, sub-contractors, and more.

At many companies, different departments, units, and locations all have preferred vendors and suppliers, so it makes sense to pull together an inter-departmental team that includes regional and business leaders—risk, compliance, legal, HR, and procurement, for example—to identify the size and scope of your third-party universe. Assembling an initial inventory of third parties involves leveraging multiple databases from multiple business units.

Develop a matrix

After compiling a master list, the next step is to separate high-risk third parties from low-risk third parties to better manage the third-party risk management process.


Criteria used to assess and rank the risks associated with each third party will vary by company and may include:

Country of operation where service is provided
Nature of third-party relationship and services provided
Type of industry
Length of the third-party relationship
Degree of involvement with foreign government officials

While many companies are still building a comprehensive third-party risk management program, most (68 percent) are conducting at least basic screening of their third parties prior to engaging with them, according to the NAVEX report. Furthermore, companies that use an outsourced provider to help manage their third-party due diligence programs also reported significantly higher program satisfaction ratings than those who do not.

These higher satisfaction ratings (companies using an outsourced provider compared to those that do not) apply across multiple areas, including:

Compliance with legal and regulatory demands: 78% compared to 65%
Ensuring a culture of compliance: 65% compared to 44%
Documentation management: 49% compared to 41%
Program defensibility: 52% compared to 41%
Overall program: 53% compared to 32%

According to the NAVEX report, the top external challenge relating to third parties—cited by 51 percent of respondents—is getting them to certify compliance with the company’s policies. The second and third top challenges were “training third parties on our policies and compliance requirements” and “getting third parties to enforce our ethics and compliance policies in their organizations,” cited by 48 percent and 41 percent of respondents, respectively.

Stephens recommends selecting a sample of your highest-risk third parties and asking them to provide a syllabus of the types of training they provide their employees. “To the extent that they don’t conduct their own training, provide them with online training,” he says.

An effective third-party risk management program, the NAVEX report stated, should include standardized documentation, recordkeeping methodology, timelines, well-defined expectations in terms of behavior and communications, and an ability to reassess engagements on a continuous basis.

Continuous monitoring

Once a company has mapped out its total universe of third-party relationships, it’s important to continuously monitor third parties to ensure that you are catching and addressing any new risks.

“You don’t want to do that with all your third parties,” says Todd Boehler, vice president of product strategy for GRC software provider ProcessUnity. “You only want to do that with the ones that you deem as posing the most risk to your business.”

Companies generally discover “red flags” or other potentially negative third-party information via multiple channels, but the most common way is through internal due diligence monitoring, as cited by 62 percent of respondents in the NAVEX report.

Ranking second, 41 percent said they discover such issues through regulatory or legal action, “which may indicate that many organizations fail to use screening mechanisms and safeguards,” the report said.

Some third-party risk-management solutions automate the assessment and monitoring of a company’s third parties, screening for issues related to sanction and watch lists, politically exposed persons lists, and adverse media, for example. “It would be very difficult for individuals to look through that amount of data,” says Stephens.

Even when organizations get all of their third parties to certify compliance with their policies, those same organizations go back to square one when new service providers come on board, says Stephens. That’s where an automated process can best serve companies with respect to monitoring and auditing.

Furthermore, the NAVEX report found that companies that use an outsourced third-party due diligence provider discover more “red flags” or other potentially negative third-party information than those who don’t. They uncovered, for example, more politically exposed persons, government investigations, and adverse media reports.

Other avenues of continuous risk mitigation may include performing additional due diligence, exercising audit rights, providing third-party training on topics such as anti-bribery and conflicts of interest, and requesting annual compliance certifications.

One area where there is significant room for improvement is getting ethics and compliance better aligned with advances in analytics and technology, whether that means other parts of the business working more closely with the compliance department, or seeking the help of outside experts to drive analytics. “It’s the biggest challenge, but it’s also the biggest opportunity,” says Don Fancher, national and global leader for Deloitte’s forensic services.

An emerging best practice in this space is being able to effectively track and analyze both internal data—such as financial information and contracts—and external data, including data from third-party vendors or third-party suppliers, says Fancher. Organizations that analyze all this data together can better identify specific risks “not only as they may be happening, or historically as they have happened, but, hopefully, you can actually begin to see predictive scenarios of where risks may emerge,” he says.

By using analytics to predict what risks an organization may face, Fancher says, “that can go a long way toward averting a bigger problem, or even avoiding a problem altogether.”