Third parties are involved in about 80 percent of all Foreign Corrupt Practices Act (FCPA) enforcement actions, so it’s no wonder there has been such a clamor for Compliance Week and FRA to add a second third-party risk management conference to our event slate.
In addition to our annual TPRM Summit in New York each March, we’re debuting a TPRM Summit on the West Coast, in San Francisco, from Dec. 9-10. Our agenda features a keynote from former chief of the Securities and Exchange Commission’s (SEC) FCPA Unit Kara Brockmeyer, who will discuss how the government’s expectations for third-party vetting and monitoring have changed and how to design a best-in-class TPRM program. The two-day program also includes sessions with TPRM experts from some of the world’s most influential companies: Google, Microsoft, Uber, Wells Fargo, and SAP, to name a few.
Working with third parties is one of the biggest blind spots in a company’s risk matrix today—especially large, public companies with complicated and extensive international supply chains and outsourced services. The bigger the organization, the more third parties are likely involved in operations. And the more third parties that are relied upon, the bigger the risk for the business if one of them skirts the rules or proves to be the weak link in a growing chain.
These startling survey results tell a troubling story about the rate of businesses’ subcontracting outpacing their ability to properly vet and monitor each individual vendor:
- According to a recent survey conducted jointly by CW and Aravo, 18 percent of respondents indicated their companies work with more than 1,000 third parties, and another 16 percent said they work with more than 10,000 third parties. Try managing that with an Excel spreadsheet. You need a robust, fully mature, technologically enabled program in place to deal with vetting and monitoring that many partners.
- So how many of those same respondents indicated their TPRM programs are mature? Just 6 percent, with an additional 50 percent describing their program as “evolving.” Most troubling is that about 18 percent of respondents called their program “fragmented.” A fragmented solution is not going to jibe with regulators. Not in 2019.
- So companies must be pumping money and resources into beefing up their TPRM programs, now that it’s been flagged as such a big risk both by regulators and the business community at large, right? Not so much. According to a recent Deloitte survey, 70 percent of organizations believe they are underinvested in TPRM.
Don’t consider these numbers a scare tactic but rather an eye-opening indication of a mismatch between resources that are needed and resources that are currently being dedicated to a growing risk area.
It’s clear third-party screening, training, and ongoing monitoring and due diligence are not something you can tackle alone. And it’s not hard to argue the value of technology tools and services to your board of directors, especially in the context of the potential financial and reputational harm that could come should one of your vendors prove to be on a sanctions watch list or in a Politically Exposed Persons database and it goes unnoticed.
The point is, you need help managing your third parties, and over the course of two days in San Francisco, we hope to help you find the answers to the questions that keep TPRM stakeholders up at night.