The list of companies tripped up over misconduct committed by their third parties is long. In fact, try recalling a big anti-corruption scandal that did not involve a company’s third parties.
Compliance officers straddle the horns of that dilemma: in today’s complex business environment, almost every company depends on outside vendors and other third parties to some extent. But for all the efficiency gains that tactic might bring to operations, good luck taming the growing risk exposure that comes along with it.
Pondering a way out of that dilemma was the subject of Compliance Week’s most recent executive roundtable, held in New York and co-hosted by Process Unity. The dozen participants all agreed that the idea of vendor governance is a valuable one, even if individual business’s success at it varies widely.
“Vendors are an integral part of a company’s service, so companies need to have the right risk assessment programs in place to protect themselves,” said Sean Cronin, general manager at ProcessUnity.
Data breaches at third parties, for example, have gained increased attention as the number of hacking incidents continues to rise. Cases abound where companies hire third parties that lack the right risk management systems to handle sensitive customer information. Cronin and several roundtable participants said the risk is so acute, they even use data security as the first test to assess the risks of a vendor—if the vendor can’t pass that one, the argument goes, don’t even bother with all the other risks; just drop the vendor right there.
The following panelists participated in the March 24 CW & ProcessUnity roundtable on vendor risk management. Click on participants' names to see their full bios.
William BrownChief Compliance Officer,Knights of Columbus
Luke BrusselAnti-Corruption Compliance Leader,GE Capital
David CamputoChief Audit Executive,Endurance
Jay CohenChief Compliance Officer,Assurant Inc.
Sean CroninVP, Field Operations,ProcessUnity
Pete FeeleyCorporate Chief Compliance Officer,Guardian Life Insurance
Noreen FierroChief Compliance Officer,Group Insurance Division,Prudential Financial
Elisabeth GehringerChief Ethics & Compliance Officer,Realogy Holdings Corp.
Michael GioffreChief Compliance & Ethics Officer,Voya Financial Inc.
Christopher ZentnerVP Ethics & Compliance,ACE
“Data breaches are one of the most common third-party risk we are seeing in the market,” Cronin said. “Risk and compliance officers should evaluate the data integrity practices of a third party to reduce the chances of a breach from occurring—full transparency should be required of all vendors, especially from those who deal with sensitive information.”
Several people at the roundtable admitted that even the first step for effective vendor governance—identifying all the vendors your company uses—can be a challenge. Multiple units of a large organization may approach the same vendor from different directions, which can leave the compliance officer unclear both on how many vendors you really have, and how much risk any specific vendor might bring. The question is how to develop a centralized system that monitors all vendor usage and ensures that vendor risks are well-understood.
“If someone were to ask if you know who all your vendors are, that would be a difficult question to answer,” said one compliance officer at the forum. “The challenge is prioritizing our focus accordingly, and identifying what types of vendors we need to do more due diligence on and what is the best approach to deal with the big risks.”
For many roundtable participants, providing an enterprise-wide view of the company’s vendors is only scratching the surface, since the risks within each vendor can be much more challenging: A large vendor delivering office supplies might be low-risk; a small vendor delivering cargo to foreign governments might be hugely risky.
“You must identify ‘other’ relationships, whether they are affiliates, partners, or other entities that are acting on your behalf, that may expose you to risks—that is considered a third-party relationship.” Cronin said. “Once you understand who they are, the next step is reviewing their services and looking for potential loopholes.”
“Compliance officers naturally take a risk-based approach to define what diligence must be applied to which third parties, by whom and how often,” added Elisabeth Gehringer, chief ethics and compliance officer at Realogy Corp. “Compliance officers should delineate who performs the diligence, who makes the determination on whether the vendor relationship can proceed against any findings, and when diligence must be performed again."
Doing the Risk Assessment
The best practice in theory is that business units themselves perform the risk assessment on vendors they use, with guidance from the compliance officer on how to perform that assessment and what to do when red flags are found. In practice, however, getting that guidance to business units, and ensuring that the guidance itself is useful to them, is no easy task.
Some companies have established committees that provide the necessary information to employees involved in vendor management. Others rely on other “second line of defense” functions like the procurement department (assuming your company has one).
“Risk and compliance officers should evaluate the data integrity practices of a third party to reduce the chances of a breach from occurring.”
Sean Cronin, VP, Field Operations, ProcessUnity
“Our business units have a renewed appreciation for vendor management,” said Jay Cohen, chief compliance officer at Assurant Corp. “We have a diverse set of vendors, and our sourcing office drives awareness among employees to ensure that we do a good job at selecting the right vendors and providing effective oversight.”
Developing a committee that sets the parameters for effective vendor governance is an emerging idea at multiple large companies. At GE Capital, for example, committees are involved in both “defining the population of what the company views as ‘third party’ for the purposes of risk management, and this also applies to the ongoing onboarding of vendors,” said Luke Brussel, chief anti-corruption officer at GE Capital. The compliance department helped to define the scope of third-party risk for GE, he said, and then established committees within each business area to evaluate vendor risk and decide whether to accept certain vendors as part of the onboarding process.
In cases where a company has thousands of vendors and monitoring them all might seem too daunting, Cronin suggests that compliance officers start by stratifying vendors based on the services that they offer. “As you start to dig deeper into the process, you get a better sense of which vendors can handle critical data, and what strategies are required to prevent or respond to a risk event,” he said.
David Camputo, chief audit executive at Endurance Holdings, walked through his company’s efforts to automate vendor management. Camputo explained that an application was established within the procurement function at Endurance to house contracts for the company’s vendors in a global database. The database contains information relating to the contract including the name of the employee responsible for the transaction in the first place.
In effect, when the time for renewal comes around, that employee is automatically notified, and the renewal terms and conditions are then reviewed by legal. At any point in the process, a report can be obtained to monitor the vendors and their contracts. “As we grow in size and complexity, vendor dependence is increasing and we instituted a formal process to track and monitor our providers to get ahead of the curve,” he said.
Even assuming a company can master its own vendors and other third parties, another concern raised at the roundtable was what to do about your vendors’ vendors—that is, your fourth-, fifth-, and other parties? So far regulatory guidance is rather scarce on that point, while reputational risks for those far-off vendors can be sky high. (Think of clothing retailers aghast at the 1,100 lives lost when a sweatshop collapsed in 2013 in Savar, Bangladesh, with Western-branded clothes among the victims.)
Staying ahead of such risks, Cronin said, requires a company to deconstruct its own immediate vendors; from there, crafting best practices to handle fourth and fifth parties gets easier.
“In our experience we have found that it is always good to act like a regulator with your own vendors,” Cronin said. “Once a compliance officer has an inventory of their vendors, they need to understand which services those vendors outsource to fourth and fifth parties. They need to regulate their vendors as you would to your own.”
Others at the roundtable agreed. “Whether it is a centralized oversight that all companies can rely on or establishing a process where the same work is not repeated is one potential approach,” Cohen said. “It is up to the compliance community to really drive new solutions here.”