Abercrombie & Fitch Co. senior compliance counsel Rob Seibel, who specializes in implementing third-party risk management programs, chatted with Compliance Week about a number of trends and challenges around managing risks with third parties.
Q. Generally speaking, what are the biggest risks third parties pose to companies, and how do you mitigate against those risks?
A. While companies typically have their own specific hierarchies of risks, two of the highest, universally recognized risks posed by third parties are information security risk and corruption risk. Indeed, it seems that anytime you read the news there’s another headline about a data breach affecting customers of some well-known company, or a story about corruption allegations involving a company’s foreign operations. A common thread seen in many of these stories is the use of third parties that have somehow failed the company, or even worse, intentionally inflicted the harm done. For this reason, it is critical that companies take a strategic approach to third-party selection and evaluation, and conduct commercially reasonable due diligence in an effort to mitigate the risk of an incident occurring. This is best achieved through the development of a defined third-party risk management program. The goals should be to identify potentially high-risk third parties, evaluate their business practices and backgrounds, and decide whether to engage them and under what circumstances (e.g., specific anti-bribery contract provisions, SOC 2 requirements, etc.). Of course, keeping up with your own company’s internal policies and employee trainings is also a big part of minimizing the risk of incidents, as it is your employees who are best positioned to identify and raise potential concerns about their third-party business partners.
Q. How much do the specific risks you evaluate change based on industry, part of the world in which the third party is located, or estimated spend with the third party?
A. Each of these is a factor that should be considered when determining the risk profile of the third party. Not all third parties present the same types of risks to your company, so it is important to understand as much as you can about the third party, including their local environment and what they will do for your company, before attempting to evaluate them from a risk perspective. Most of the time, the employee who manages the third-party relationship will be able to provide this information without even needing to reach out to the third party. For example, a contractor that will secure government licenses and permits for store construction in China will have a different risk profile than a software company in California that will have access to customer and employee confidential information. By understanding the specifics of the proposed business relationship, you should be able to get a pretty good idea of where the risk to your business, if any, is going to be.
Q. What third-party challenge are you faced with most frequently in the clothing retail industry?
A. Apparel companies, particularly those with an international or global network, typically engage many different types of third parties in the course of doing business. Manufacturing, logistics providers, construction contractors and IT vendors are just some of the types of third parties involved in the process. Even with a wide range of vendor relationships, some companies still follow a traditional path of applying a single due diligence process to their diverse third parties, asking them the same list of questions, and having the responses reviewed by the same team of people. With so many different types of third parties, each bringing their own unique sets of risks, it is neither feasible nor effective to evaluate them all under the same set of standards.

The biggest risk to such an approach is that it fails to tailor questions on the specific risks that each particular third party may bring to your company. For these reasons, it is important to establish a TPRM program that evaluates third parties according to their individual risk profiles, and applies a dynamic due diligence process allowing for individual tailoring of questions and subject matter expert (SME) reviewers. In doing so, you are able to eliminate the irrelevant questions and identify what is critical to know about each particular third party. Then, by engaging SMEs from your company to review the questionnaire responses that apply to their specific risk area, you are able to make sure that the right people, best placed to make an informed decision, are reviewing the right information.
Q. In what ways have recent technological advances changed the way you manage and monitor your third-party risks?
A. Many companies used to manage their TPRM programs (and many still do) through the use of the tried-and-true Word and Excel document applications. However, as TPRM programs become more sophisticated and comprehensive, oftentimes relying on people from across the entire enterprise, the need for a more efficient and scalable system becomes greater. A TPRM software solution, with functionality such as automatic third-party screenings, questionnaire scoping and routing, and risk area decision tracking, can be used to facilitate the workflow of a TPRM program and drive greater efficiency. There is no shortage of TPRM software solutions on the market, each with its own unique functionality and vastly different pricing structure. But none of them will be of much use to your business if you don’t first develop a TPRM program that fits your company’s unique structure and approach to risk. I have heard plenty of horror stories about companies that have purchased a TPRM software solution before developing and piloting a TPRM program, only to find out later that the software does not fit with their processes. It is critical to establish a defined TPRM program prior to shopping around for an automation tool.
Q. What’s the best strategy for continuously monitoring your third parties? Is automation the answer here, or just part of the equation?
A. Just because a third party has successfully completed the due diligence process does not mean you should close their file and never look back. Continuous monitoring procedures need to be put in place so that companies can stay informed, in real time, about any changes or incidents involving their third parties that could potentially lead to contractual changes or even terminations. One way to do this is through automatic screenings of your higher-risk third parties. This way, you can receive notifications if any of them suddenly appear on a sanctioned-party list or are otherwise involved in alleged wrongdoing. It is also important to have a defined reassessment process in place so that you can perform regularly scheduled due diligence checks on your higher-risk third parties, including reviewing new information and updating contract language where appropriate. As with most things in a good TPRM program, the level and frequency of such reassessments should depend on the risk profile of the third party, and your company’s unique hierarchy of risks.
Special report: Third-party risk management
Q&A: Five questions with a TPRM specialist