If sanctions enforcement is top of mind for the Department of Justice (DOJ) in the wake of Russia’s invasion of Ukraine, third-party risk management (TPRM) must be at the forefront of businesses’ priority lists.

After all, a company is responsible for the actions of its supplier on its behalf. And when those suppliers are using suppliers of their own to provide the services you’ve engaged them for, the risk landscape grows exponentially. Prudent businesses are determining what lines need to be drawn to protect themselves and preparing to exit relationships that pose more risk than they can tolerate.

The key to reaching those conclusions is understanding the criticality of your third parties, said Melanie Gallagher, head of TPRM at financial software company Intuit, at Compliance Week’s TPRM Summit held last week in Chicago. Critical third parties should be subject to extra due diligence during times of heightened scrutiny, she said, and companies must remain flexible when those suppliers have touchpoints linked to high-risk countries.

“If you understand if there’s anything critical going in any of these regions or in Russia, then you need to make sure you have contingency plans and you’re doing scenario planning,” Gallagher said. “‘Do I have a backup? Is this the sole supplier? What happens if anything goes wrong here—am I prepared to deal with that?’ … You can do scenario planning, say what’s the worst thing that can happen, and think through how you would deal with that.”

For some compliance departments, the worst-case scenario is happening. The increased attention being paid to sanctions compliance, combined with inflation and supply chain woes, is stretching thin budgets that were likely already under-resourced.

But the silver lining, said Gallagher, is the opportunity to convince business leaders that now is the time to invest in compliance. The philosophy at Intuit, she said, is being “regulator ready,” meaning demonstrating and documenting how decisions are being made and ensuring “you’ve made a reasonable effort at putting into place an effective compliance program.” Top brass at the DOJ have made no secret that resource support is one of the key areas they look to in reaching their enforcement determinations.

If you can, Gallagher advised, form a risk governance committee comprised of decision-makers from various risk domains, including the chief information security officer, chief procurement officer, and chief compliance officer. “You’re sharing these risks and you’re making these decisions as quickly as possible with as much information as possible,” she said.

“To be nimble, you have to be informed,” Gallagher added.

Addressing outsourcing in onboarding

A good way to manage nth-party risk is to set terms for the scope from the start. At Intuit, Gallagher noticed the following regarding her company’s onboarding process:

“We asked at the time of onboarding, ‘Do you plan on outsourcing any of the activities related to this engagement we’re about to contract for?’ I thought, ‘Great, we have that question,’ but then I ran a report, and I think 90 percent of the answers were blank,” she said. “We ask the question, but clearly it’s not mandatory.”

Getting the answer to that question can help a business keep one hand on the steering wheel of its critical engagements. “I don’t have to allow [outsourcing],” said Gallagher. “I can say in the contract either we’re not going to permit any outsourcing or we’ll permit it but we need to be able to review and approve. … If I have a critical third party, I would want to understand how they manage their third parties.”

Yet, knowing too much is also a risk, Gallagher noted. “If you ask for information and now you have it, you’re obligated to do something about it,” she said.

In any case, working with your critical third parties to fully understand all the information you’re provided—including the names of potential fourth parties—is crucial. From that point, appropriate diligence levels can be determined.