As if compliance officers don’t have enough on their plates, their responsibilities frequently extend beyond the bubble of their own companies and into the ever-expanding, increasingly risky world of third parties, vendors, service providers, and supply chain partners.
As the business world diversifies and goes global, companies are increasingly turning to specialized firms to fulfill complicated niche services and meet product needs. Examples include cloud services, emerging technologies, payment services, licensees, and providers of commodities, parts, and finished products.
Although vital, the extended enterprise is nonetheless rife with escalating risk. A recent Deloitte report detailed some of the reasons why: “During the recession, we saw many organizations push more of their business out to third parties in an effort to reduce internal costs across the extended enterprise. Higher volume, of course, can mean higher risk.”
There is also an increasing focus by regulators. Outsourcing doesn’t allow you to export your compliance obligations, they say. Guidance issued by the Office of the Comptroller in 2013, for example, laid out its expectations regarding third-party relationships for financial institutions.
It “expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party,” OCC examiners wrote. “A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
Institutions, it added, “should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.” An effective risk management process throughout the lifecycle of the relationship includes plans that outline the bank’s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party.
The Securities and Exchange Commission and Department of Justice have similarly issued guidance and advisories on the importance of assessing third-party risk, with the latter agency focusing on bribery and violations of the Foreign Corrupt Practices Act.
Steve Klemash, who leads the EY Center for Board Matters, says assessing vendor risk starts, quite logically, with an inventory of the third parties partnered with a company.
“Then the assessment gets back to what is the risk appetite, how material are these third parties, and what is the likelihood that something could go wrong? How are they connected to our systems? It actually comes down to just classic business management,” he says. “A lot of these organizations are extensions of the enterprise, but it’s easy to kind of forget about them when you’re just thinking about management and the people you’re seeing, day to day, reporting to the board.”
Third-party risk must be understood as just another facet of overall, ongoing risk assessments. “It’s another risk in the universe,” Klemash says. “[These risks] continue to grow given the nature of how businesses are creating more agility through outsourcing and a contingent workforce. You need to understand it from that perspective.”
Boards, more so than ever before, need to consider whether third-party risk should fall under their purview. “If something is material, and it has a high likelihood of having a negative impact on the organization, the board is going to spend more time in that area,” Klemash says. “If it’s not, you’re going to let management do their thing. It all depends upon materiality. The more material and significant a vendor is, then boards are more likely to go in and try to understand the contractual terms, understand security, and what happens if something goes wrong.”
Tom Grundy, senior director of Wolters Kluwer’s U.S. Advisory Services, stresses the importance of managing the “entire lifecycle of the relationship.”
“You’ve got to be able to envision that relationship when it’s in place and plan for all aspects of the lifecycle,” he says. “Are they a good fit in terms of strategy? Are you going to be able to achieve shared goals? There needs to be a qualitative and quantitative risk assessment of the relationship. You’ve got to look at the inherent risk that that third party is bringing to the table and into the relationship. If you don’t, you’re going to wind up in a relationship where maybe you’re managing issues that you should have already thought through.”
“Third-party risk is getting more complex because it bleeds into so many other areas,” says Kristy Grant-Hart, founder and CEO of Spark Compliance and author of “How to be a Wildly Effective Compliance Officer.”
“There can be cyber-security risk, modern slavery and supply chain risk, and reputational risks surrounding shareholder activism and social media, particularly around political statements,” she says. “If you’re closely involved with a company that is making political statements and choices, that can be risky as well.”
The biggest challenge Grant-Hart sees is in-company compartmentalization and the “silo effect that has made it so that you really don’t get the sort of joined-up due diligence that is required, particularly for big companies in this day and age.”
“Moving forward, that will be the biggest push and the biggest requirements as we continue to build compliance and develop more mature systems,” she says. “The lack of centralized systems is really problematic, and mergers and acquisitions make that even harder. Data doesn’t work together.”
Contractual language laid out at the start of a vendor relationship and during renewals can provide a framework for the relationship. The requirement for certain risk-related disclosures should be a key element of that process.
“The contract has to be very clear in establishing expectations,” Grundy says. “It’s a whole laundry list of things. If you look across industries, there are a lot of common elements that go into these. You’ve got to have a right of access to data and reporting, so that you can understand what they’re doing and what they’ve promised to do for you. You need to have an understanding about data security standards.”
A company should establish service-level agreements to set expectations, including those for a reporting cycle, Grundy says. You can, for example, set expectations for ensuring consumer complaints are handled according to the agreement.
“If you think you have a problem or even if you get the whiff of a problem you haven’t confirmed yet, you have to tell us,” Grant-Hart says of the preemptive language in a contract that can clarify expectations regarding data breaches, FCPA violations, and sanctions-related problems.
Five-step lifecycle of third-party risk management
The management of third parties is absolutely critical in any best practices compliance program, as third parties continue to be the highest risk under the Foreign Corrupt Practices Act (FCPA). We suggest that the risk management process around third parties be separated into five steps in the lifecycle of third-party management.
1. Business justification: The purpose of the business justification is to document the sufficiency of the business case to retain a third party. The business justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed.
2. Questionnaire: The term “questionnaire” is mentioned several times in the Justice Department FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company.
3. Due diligence: Most compliance practitioners understand the need for a robust due diligence program to investigate third parties. You must evaluate the information and show you have used it in your process. If it is incomplete, it must be completed. If there are red flags, they must be cleared or you must demonstrate how you will manage the risks identified.
4. The contract: In compliance terms and conditions, there are a few basic minimum clauses required. These include right to audit, certifications and training clauses, and the right to termination for an FCPA violation. The 2012 FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.”
5. Management of the relationship: This is where the real work begins, for if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or U.K. Bribery Act violation. There are several different ways that you should manage your post-contract relationship: auditing, monitoring, training, and ongoing communications, among them.
“You try to put the onus on the third party to tell you,” she says. “That’s pretty effective because then it is the obligation of the third party to proactively tell you. You can put damages clauses in there, attorney’s fees, and all sorts of things that make it ugly for the third party if they don’t follow through.”
Contractual language can also impose audit and termination rights. “When getting audit and termination rights, really think about how they are going to work in practice,” Grant-Hart says. “One of the challenges that compliance folks deal with is they need to talk to the business units. It is all well and good to have audit and termination rights, but if it is your most important supplier and it’s going to take six months to get a new one, what are you going to do? Are you really going to terminate that contract right now? Do you have a backup supplier? What would that mean in terms of operations, as well as for the compliance and legal team, and prosecution risk?”
Those conundrums tie into another best practice: assessing critical suppliers as part of a risk assessment. “It is important to assess who you can really not manage without,” she says.
Grant-Hart stresses the importance of internal auditors when vetting third parties.
“Internal audit is often underutilized, compared to the expense of hiring an external audit firm to go in for a two-week-or-longer assignment. Let’s say that there is a requirement for training from your third party, or that they need to submit an annual attestation,” she says. “That is a basic internal audit function checkbox. You can see if they’re not doing a training every year, for example. If you look for the small things, you can sometimes be clued in that maybe you should look for the bigger ones as well.”
A common practice is for companies to send their third-party partners periodic questionnaires and surveys that are intended to better understand their operations, commitment to regulatory compliance, and potential red flags.
Grant-Hart is not a fan of how these questionnaires are traditionally deployed. The idea is good, she says, but forms overthink and overcomplicate the process. “Most of them are far too long and make my head spin,” she says.
Expect pushback from vendors, frequently along the lines that certain disclosures could compromise data privacy laws, especially when employee information comes into play.
“There are really good arguments about why due diligence complies with GDPR and why it’s necessary,” she says. “Then there are people who feel very differently, and we don’t really have a good answer from the EU’s [statute]. There definitely are divergent opinions about that.”
Nevertheless, the exercise can be an informative one, Grant-Hart says, even as she urges that the questions be streamlined. It is important to ask for information about beneficial ownership, for example, although it may require an outside firm to properly confirm the provided information for high-risk parties.
Grant-Hart recently published a list of potential questions on her firm’s blog.
Sought-after information should include basic company background: the name of key leaders, whether any executives are current or former government officials, the percentage of ownership of each owner, and whether the company is wholly or partially state-owned.
Will the third party be hiring sub-contractors? Is it going to be reimbursed for gifts, hospitality, or entertainment it gives on your behalf? Will the third party be dealing with government officials on your company’s behalf?
Other questions to ask:
- Has the third party or its executives ever been convicted of a crime?
- Has anyone associated with the third party been indicted, pleaded guilty to, or been convicted of a crime related to bribery or corruption?
- Has the company ever been under a consent decree, corporate monitorship, deferred prosecution, or non-prosecution agreement related to bribery or other compliance-related failures?
- Has the third party been included on a sanctions list?
- Is anyone at the third party related to or in an intimate relationship with a person at your company?
A questionnaire can also assess other areas of corporate concern, such as modern slavery prevention, data privacy, information security, anti-trust, and confidentiality, Grant-Hart says.