
Shop Talk: Managing Third-Party Risks

Jaclyn Jaeger | March 13, 2012

The list of risks from third parties is long: corruption, product defects, supply chain disruption, bad publicity, theft of intellectual property, and much more. Little surprise, then, that when Compliance Week and audit firm Crowe Horwath gathered 15 compliance executives in San Francisco last month to discuss third-party risks, the frustrations and exasperations were just as long too.


The following executives participated in the Feb. 28 roundtable on managing risk with third parties.

Stephen Arietta,
Vice President, Internal Audit,
United Online Inc.

Tyson Avery,
SVP, Global Compliance,
CB Richard Ellis

John Beeler,
Chief Audit Executive,

Sara Duncan,
Corporate Counsel,
Pandora Media Inc.

Martin Espinosa,
VP of Internal Audit,
Electronic Arts Inc.

Lupe Garcia,
Associate General Counsel,
The Gap Inc.

Inder Gulati,
Head of Internal Audit,

Anne Hoge,
Chief Compliance Counsel,
NetApp Inc.

Jae Kim,
VP of Corporate Law,
Rambus Inc.

Tony Klaich,
Crowe Horwath

Jo Levy,
Global Director of Ethics & Legal Compliance,
Intel Corp.

Mark Meaney,
Systemwide Director of Ethics & Compliance,
University of California

Tracy Preston,
Chief Compliance Officer,
Levi Strauss & Co.

Amyn Thawer,
Senior Director & Counsel, Global Compliance,
eBay Inc.

K.C. Turan,
Chief Compliance & Ethics Officer,
Blue Shield of California

Rick Warren,
Crowe Horwath


Several executives at the forum said their most immediate challenge is simply keeping track of their third parties: who their vendors, suppliers, and resellers actually are; what those businesses do; and what risks they potentially pose. “If you were to ask most companies to give a list of all their third parties, they couldn't do it,” said Rick Warren, a principal at Crowe Horwath.

Indeed, several of those attending the roundtable admitted as much. “I think it's very difficult to quantify how many third parties you're dealing with,” said one executive who, perhaps not surprisingly, asked not to be named.

Even those companies that do know who their third parties are still don't always understand all the risks those parties bring along. “By and large, most companies are really struggling with that,” Warren said.

“I don't know that you can necessarily anticipate everything,” agreed Amyn Thawer, senior director and counsel for global compliance at eBay. “Given that our supply chain is so diverse and broad, and we are all operating at global levels, it's really challenging to do so. That's where a risk-based approach [to managing third-party risks] comes into play.”

A good idea, to be sure, but it's easier said than done, since the highest risk factors aren't always the most visible. For example, Warren stressed that the size of a business partner isn't a good indicator for how much of a risk it poses; the partner might be in a poor nation where small bribes accomplish a lot, or have control over a small but crucial component. “Sometimes it's the smaller third-party relationships that could get you into trouble,” he said.

Many roundtable participants cited third-party risks springing from privacy or data security, although their specific risks varied by industry. For example, organizations affiliated with the healthcare industry—such as Blue Shield of California and the University of California—worry about protecting personally identifiable information. For others, such as microchip design manufacturer Rambus and online retailer eBay, their big challenge is protecting intellectual property.

Customers as Third Parties

Many organizations that undertake a full review of third-party risks often end up culling their list of suppliers and vendors. But that can be a tricky exercise, especially in industries such as technology, where “cross pollination,” thanks to a brisk churn among employees, partners, and customers, is the order of the day. Roundtable participants talked about the careful balance required when mitigating risks posed by third parties that are also customers.

“Any time you turn away sellers, which in our case are our customers, you must have a good reason,” Thawer said. “For us, it comes down to sustaining and growing trust in the brand and the eBay marketplace; if you lose trust in the marketplace, you will eventually lose business,” he said.

Thawer added that boards absolutely must understand third-party risks. “At the end of the day, if you don't take a long view of what the effect is on your brand or your marketplace, that's where you will fall down,” he said.

A common refrain during the discussion was that companies need to mitigate third-party risk—not eliminate it. Just because a third party poses a certain risk, that doesn't necessarily mean all ties should be cut—and third parties should understand that to alleviate their own fears that might prompt them to withhold important information, attendees said.

Helping business partners understand the organization's risks and due diligence process, and getting them to understand that not every red flag will end a business relationship, is important, attendees agreed.

“If your internal teams are not abiding by the third-party due diligence program, it's worthless,” said Lupe Garcia, associate general counsel at clothing retailer Gap Inc. “Giving them confidence that they're not going to be prevented from doing business in each instance is critical, because otherwise they're not going to comply. It's about educating the business on the value of the process for long-term success.”

Roundtable participants also discussed the need to communicate how the due diligence process works, and what the company wants to achieve with it. That process is even more important when it takes place across cultural barriers. “A lot of times, education is not necessarily about U.S. law and U.S. perspective, it's understanding what their cultural perspective is,” said Tracy Preston, chief compliance officer of Levi Strauss & Co. “When you educate employees coming from their perspective, it works so much better.”

Risk Ownership

Then there's the chore of parceling out responsibility for risks to various parts of the business; to that end, the audit, finance, and compliance teams must be highly coordinated, one attendee noted.


“At the end of the day, these stakeholders are all trying to address third-party risks from different angles. Efficiencies can be gained by developing a single third-party risk program that incorporates all of the stakeholder considerations,” said the executive. “Also, it helps manage the practical risk of partners and vendors not being contacted by multiple individuals from the same company.”

Several attendees also said they depend on right-to-audit clauses in contracts with third parties, especially in emerging markets—and, yes, they exercise that right when necessary. Others have provisions in their contracts that require third parties to notify the company of a potential violation of local or U.S. law.

Whistleblower Fears

Concerns around the new Securities and Exchange Commission whistleblower program were many. The main question: How do companies continue to hone their compliance programs, when the SEC now offers employees incentives to report problems externally?

“I will tell you from an emotional perspective, it's a very scary thing,” said one executive, who asked not to be named. The best any company can do once it catches wind of an issue is to tackle it immediately, he said. “You need to work toward getting the issue resolved, using as much resources as you can, so you can show you're being proactive,” and getting to the bottom of the matter before the SEC, he said.


K.C. Turan, chief ethics and compliance officer for Blue Shield of California, offered additional words of advice for how companies can protect themselves. “The most viable defense that companies have regarding whistleblower programs in general is to foster a company culture and atmosphere wherein employees feel as comfortable as possible in raising their hands and making reports,” he said.

“If employees feel that their reports are taken seriously and properly investigated, and if they feel comfortable that they won't be retaliated against in making good faith reports, this is the most preemptive and effective defense that a company can have to mitigate potential risks regarding whistleblower programs,” Turan added.

Tony Klaich, a partner at Crowe Horwath, said that compliance and risk officers know perfection is difficult to achieve. “You're not going to prevent every risk from occurring, but as long as you're diligent and you have repeatable, sustainable processes, it will help in the eyes of any regulators.”