As they look to manage third-party risks, compliance departments are increasing their reliance on outsourcing.
Consider, for example, the wide spectrum of external threats compliance departments face today: ever-present bribery and corruption, geopolitical events, intensified climate-change activism, state-sponsored cyberattacks—and all during the time of a global pandemic. Moreover, as more companies make the journey to digital, many compliance functions are struggling to find employees with the necessary technological skill sets and expertise.
These combined factors are driving compliance departments to realize they’re better served outsourcing areas outside of their core responsibilities. At Compliance Week’s virtual Europe event this week, a panel of experts talked about both the benefits and risks of outsourcing from a compliance point of view.
Ridesharing giant Uber has experienced just about all these growing pains. “Uber started as a simple idea: Push a button, get a ride,” said the company’s director of legal compliance, Dianna Jones. “Over the last decade, we’ve evolved from moving just people to moving meals and goods throughout cities all over the world.”
As Uber matures from its tween years into adulthood, Jones said it is “looking at the supply chain from tip to tail.” In practice, that means working across internal audit, vendor management, and compliance and engaging with senior leaders to identify areas where it makes sense to insource and, potentially, outsource, she said.
To the extent some tasks are outsourced, from the perspective of compliance, “We are stressing that you cannot outsource the action, as well as the responsibility,” Jones said. You still maintain responsibility for the actions of third parties. It’s not an opportunity to wash your hands of liability, she said.
Because the risk of third-party liability still exists, a common fear about outsourcing compliance responsibilities is “loss of control,” said Catherine Muldoon, former chief legal officer at logistics and transportation provider BDP International. But that’s not necessarily the case. “With outsourcing, you can have as much control as you want,” she said.
One compliance benefit that a managed service provider can bring is staying current on regulatory changes, scanning for further changes that may be on the horizon, and being able to provide expertise and context around those regulations. “They stay on top of changes happening in regulations, so you find it actually improves your compliance position to outsource,” Muldoon said.
Other examples of compliance functions that can be outsourced include compliance monitoring, checking against sanctions and politically exposed person (PEP) watchlists, and employee training. In any of these areas, it’s important to emphasize best practices.
Muldoon recommended, for example, that if your company has robust training and internal policies and practices, you “make sure you drive them to your third parties.” If you don’t continuously manage and monitor third parties, regulators will take note.
Jones said she expects companies to take a hybrid—internal and external—approach to compliance. “I foresee that being the case for a lot of organizations for some time to come,” she said. It’s about being strategic in who to partner with, she said, and working with those who can fill those blind spots where further skills and expertise may be needed.