Third-party risk continues to be a major concern for executives, and there is no shortage of high-profile compliance failures in recent years. That makes some of the findings in a recently released survey by NAVEX Global more than a little surprising.
The survey of more than 300 ethics and compliance professionals found that 32 percent of companies don’t evaluate third parties before engaging with them. While it may be encouraging that the other two-thirds of companies are vetting third parties prior to working with them, are those initial evaluations robust enough? Do they stumble when it comes to monitoring what can be thousands of vendors?
We recently spoke to Randy Stephens, vice president of advisory services for NAVEX Global about what companies are doing, or failing to do, when it comes to third-party risk.
We need to start with the finding that 32 percent of respondents don’t evaluate third parties before they enter into an arrangement or engage with them. That is somewhat shocking because there is so much concern and focus on third-party risk.
As a compliance professional before coming to NAVEX, it probably wasn’t as surprising to me. I saw first-hand the struggle people are having trying to operationalize some of these things. It is one of those things where everyone knows they need to be doing something, but can get crushed by the inertia of not knowing where to start or how to get their arms around it.
One of the findings in the survey is that about 17 percent of respondents have had regulatory or legal actions brought against them in the last three years. Some could view that as a pretty low number and see some security in it: “We are a small fish, not one of those big, targeted folks; what’s the chance that we are really going to have to suffer the consequences of one bad choice here and there.” There may be some of that, where people are hoping to be lucky, not smart. But a lot of it, really, is just not knowing how to get started or feeling overwhelmed by the process.
Risks come in many flavors for companies. What are some of the risks they could face through their partnerships with vendors, and are some treated more seriously than others? Are resources devoted to particular risks, like bribery and corruption, but not others?
Overall, 90 percent of respondents said the point of third-party risk management—the objective they had—was to protect the organization from risk and damage. Everyone has a pretty good understanding that third parties can create risk if they do something on the company’s behalf that is improper—bribery, corruption, or money laundering. If it is on behalf of your company, the liability flows back to you.
Bribery and corruption are certainly at the top of everyone’s list, because the penalties can be large and there may be individual liability. They are the biggest concerns people have, because they are real and can sully the reputation of the company is it appears to be unconcerned, negligent, or in bed with these people who are doing things that are improper and leading to violations of the Foreign Corrupt Practices Act or other international laws.
There are two components to consider: initial screening and monitoring. Is there a disconnect in how companies are approaching both halves of the whole?
Getting third-party due diligence done in advance of the engagement is critical. You need to gauge the likelihood of any bad activities having already occurred or the likelihood that an entity is not going to adequately align with your organization’s desire to comply with laws. If you wait until you have already engaged them and then conduct due diligence, you have bought insurance after the house caught fire.
A number of respondents indicated that it takes a trigger for them to do some due diligence—an enforcement action or hearing from a peer that a company is a problem. That’s not where you want to be. If you want to be a good steward of your company you want to do it in advance.
The Securities and Exchange Commission in their FCPA guidance from 2012 recognized that risk doesn’t have to be one-size-fits-all. Due diligence can be risk-based and can be applied appropriately. Companies don’t always see that. Sometimes they feel like, “I need to send a detective to Mongolia to visit a site, look at people, and ask questions; I couldn’t possibly do that.” But it doesn’t have to be to that level.
Internal and external challenges
The following, from NAVEX Global’s recent “Ethics & Compliance Third Party Risk Management Benchmark Report” detail what respondents to the survey view as the top external challenges to their third party risk program and internal issues those programs face.
Top External Challenges:
Top Internal Challenges:
Source: NAVEX Global
The reason that the monitoring is so important is you are most likely going to find a fairly unblemished report in that initial due diligence process. If you had everyone under appropriate due diligence on Jan. 1, but didn’t do anything again until either you renewed the contract or a regulator knocked on your door, then something could have happened in the intervening months that you were not aware of. Due diligence before engagement is better than nothing, but the expectation is for continuous monitoring. If you are not doing that, and miss something, you may be perceived as not having done adequate due diligence.
The study gets into something a lot of companies need to consider: having outside expertise and retaining consultants, as well as having automation or technology-based assistance. What did you learn about how companies view this?
What really stood out, and we have seen in other benchmark surveys, is that people who are utilizing technology and data-driven due diligence are much happier with the effectiveness of their program. That’s not surprising. Imaging a couple of people sitting in an organization somewhere in the United States trying to manage thousands, if not tens of thousands, of third parties all over the world and trying to continuously monitor them just boggles the mind. There are also local language issues and other things to consider. No matter how many employees you assign you will have difficulty.
The automation process can be one of the best opportunities for an organization because you can do so much with data that people struggle to do well, no matter how many are dedicated to it. Then, you can deploy those people, who might otherwise be sitting there Googling this person or that location, and have them go someplace else in the organization and be effective where you need those eyes on the paper or one-on-one interactions. A program is a combination of those things. You can’t rely solely on automation. You monitor this process and do all the things that an effective compliance program needs to do to be effective.
A well-managed due diligence program can also help vaccinate a company from enforcement actions, it would seem?
ABOUT RANDY STEPHENS
Randy Stephens is a vice president with NAVEX Global’s Advisory Services team. A lawyer and compliance specialist, Stephens has worked in roles with legal and compliance responsibility for over 30 years, including operations in Mexico, China, and Canada. In 2014 / 2015 clients engaged Stephens to train employees or conduct risk and program assessments in Japan, China, Australia, UAE, KSA, Kuwait, Jordan, Qatar, Romania, Serbia, the U.K., and Canada while also working with clients with offices and operations around the world. He has significant in-house experience leading compliance programs and working for some of the largest and most diverse public and private corporations in the United States, e.g. Home Depot, Family Dollar, and US Foods. Stephens is the author of numerous compliance-related articles and commentary and is regularly featured or quoted as a compliance expert in press and publications. He joined NAVEX Global’s Advisory Services team in 2012.
I always tell people not to design the compliance program to be litigation defense. The law department is responsible for that. The most effective compliance program is when you engage the company’s resources to do the things that severely diminish, if not eliminate, the likelihood someone is going to do something wrong. Something is going to go wrong. It always will. The best thing you can do is have a very rational robust continuous monitoring process.
No matter who your technology provider is, as long as they have the ability to reach data, be continuously monitoring, help you address red flags, and also serve as a way to risk-weight third parties and compile the documentation in one place, you can’t have a better defense
You don’t have to be right all the time. The expectation is that you go through a process and people can still do something wrong. You may still get a knock on your door, but when it comes you can say you did everything reasonable or to be a good steward of your stakeholder’s resources.