TORONTO—I had the good fortune today to attend the Thomson Reuters Financial Risk Summit, where Thomson had asked me to speak on a panel about third-party risk management. This is one of my favorite compliance subjects, and I planned to begin with one of my favorite points about it: that many companies still struggle simply to define and count all the third parties they have.
A big reason for that struggle is lack of effective, enterprise-strength IT. Companies have been acquiring each other in a low-interest rate frenzy for years now, and as a result, compliance officers are mired in a swamp of business software systems—all of them kinda sorta answering the questions you have, but never quite giving you that clear, comprehensive answer you want. Sound familiar?
One compliance officer told me her business now has fifty-five different accounting software systems, thanks to a corporate strategy of acquiring every small competitor the CEO could find. (She holds the record. If you deal with more, let me know.) Compliance officers spend more time unraveling the IT systems they have to manage third parties, rather than doing actual third-party management. 2015 is the busiest year for M&A deals ever, and to underline the point, today Pfizer and Allergan announced a merger worth $160 billion—the largest corporate merger ever. This M&A climate is one prime fact compliance officers must confront today.
Some of the implications for compliance officers are obvious. As I mentioned, you might have a half-dozen business software systems or more, all giving you part of the story about third-party risk. You need the whole picture, so that means—wait for it—even more IT investment, in some GRC software application that can bundle together all those shards of information into a cohesive whole.
Now, you large companies still trying to solve this problem via spreadsheets know who you are. But more of you are jury-rigging solutions from SAP, IBM, or Oracle; or are layering on software from a specialty GRC software vendor. None of that is easy, especially if senior executives are still acquiring even more companies, and you need an IT strategy can that can keep pace with that binge.
Yes, in theory the compliance officer might be part of the pre-acquisition due diligence team to evaluate a target’s compliance systems. In practice, with interest rates so low and pressure on the CEO to find new growth so enormous—well, let’s just call me a cynical person.
The other implication for compliance officers of this M&A craze is structure: you inherit business operations already up and running, some of them likely with their own compliance programs in existence as well. The chief compliance officer needs to merge those two programs somehow, or impose your program onto a target business if it has no functioning program itself. So yes, you still have that fundamental question about IT strategy that I mentioned above—but you also have many more questions about policy, procedure, and staffing.
Think about what that means. You may have some distasteful personnel decisions to make if you, say, suddenly have two chief Europe compliance officers, or two heads of training. More likely is that you’ll have clashing policies—perhaps compliance officers in charge of vetting third parties at one business unit, and local business executives in charge of that task at another. So now you have the task of bringing some uniform approach (as much as you can) to a diverse set of policies and procedures for third party oversight. Yet again, the CCO is spending more time in the “white board” phase of making plans for good third-party oversight, rather than executing them. And the C-suite’s strategies keep forcing you to wipe away parts of the white board and improvise all over again.
In theory the compliance officer might be part of the pre-acquisition due diligence team to evaluate a target’s compliance systems. In practice—well, let’s just call me a cynical person.
Unfortunately I see none of these headaches going away any time soon. The first driver is that relentless M&A craze, which won’t end until the Federal Reserve raises interest rates several times. But equally important is the relentless pressure on CEOs to grown their businesses organically, too. A big part of that is betting on expansion into emerging markets—yes, even now, when many emerging markets are not doing so well.
I haven’t even mentioned regulators’ pressures to oversee third parties because that’s like the landscape: whatever it may be, you always have to deal with it. Compliance officers can have plenty to ponder and worry about just with their companies’ own strategies for growth, and how much those ideas complicate your compliance efforts. The task is something like driving down the road at full speed without a detailed map (expanding into new markets), trying to avoid obstacles in the road (rogue third parties), while giving yourself an oil change (improving your program’s operations), and bolting yourself to another car in the next lane (merging with another business)—all at the same time.
In fact, the more you think about it, the better the “Road Warrior” metaphor fits for compliance officers these days. Good luck out there.
Matt Kelly has been editor of Compliance Week for 10 years. He will step down from that role at the end of this year. You can find him on LinkedIn at www.LinkedIn.com/in/mkelly1971 or on GoogleTalk at MattCompliance@gmail.com.