When Compliance Doesn’t Stop with Your Company: Managing Third Parties
Matt Kunkel | June 3, 2019
The modern corporation is less a single entity than a constellation of third parties, vendors, suppliers, and outsourced workers.
These arm's-length business arrangements have become a necessity to compete effectively in today's economy. Third parties help companies save on costs and labor, free up infrastructure, concentrate on core business activities, and ultimately deliver value for shareholders. Many of them even provide mission-critical functions to the primary business on a daily basis: functions that would have been unthinkable candidates for outsourcing in the past.
While these effects are incredibly beneficial to the bottom line, they can create problems of their own. Outsourcing brings with it an array of risks, compounding the inherent riskiness of any business activity. The risks are myriad and diverse—including operational, compliance, reputation, strategic, and credit risks as well as their interrelationships.
When it comes to regulatory requirements, demand for compliance extends from the primary company to every partner in its web of third parties. Moreover, multiple regulations have increased their focus on third-party governance in recent years. These include the Health Insurance Portability and Accountability Act (HIPAA), Anti-Money Laundering (AML) requirements, Conflict Minerals Reporting requirements, the Foreign Corrupt Practices Act (FCPA), and the Dodd-Frank Act, to name but a few.
A Widening Web of Responsibility
As the network of third parties proliferates, so too does the sphere of the Chief Compliance Officer's (CCO's) responsibility. After all, the CCO is accountable not just for the compliance of the company itself, but for that of every third-party partner as well. It does not matter if a compliance shortcoming is attributable to the third party alone: ultimately, the company that hired the third party is held responsible by regulators and customers for failing to identify and address the issue.
Put another way: as the network expands, the CCO’s headaches can multiply, too. It doesn’t have to be this way. A bit of proactive, strategic thinking can help to dispel many of the issues before they start.
The right tools help. In this post, we'll lay out a few approaches that compliance officers can take to manage a third-party network.
1) A Centralized Third-Party Management Program
Third-party governance fails when it is managed as a system of parts that do not integrate and work as a collective whole. This increasingly becomes the case as third-party networks expand and new relationships are added to a shaky foundation. Relevant information, including contact, financial and business information, contracts, agreements, certifications, risk assessments, compliance assessments, and audit results, inevitably becomes unmanageable when it is scattered across teams and systems.
A centralized third-party management program integrates this information from across third-party management systems, ERPs, procurement solutions, and third-party databases. Doing so requires a robust and adaptable information architecture that can model the complexity of third-party activities and all their moving pieces. Within a centralized Third-Party Risk Management program, business users should have access to master data records, compliance requirements, policies and procedures, and KPIs, among other information, from a single source of record.
2) Screening and Due Diligence
Most organizations screen third parties prior to onboarding, and it remains a crucial step before entering into a contract. However, not every screening process is as well-defined as it could be. There should be a checklist of due diligence requirements and analyses that must be satisfied, and then double-checked to ensure conformity. Document and artifact collection should be comprehensive, and the collected material should be thoroughly analyzed by experienced subject matter experts. Finally, the overall goal should be to determine the criticality of the third-party relationship, and whether the risks are worth the business benefits.
One recommended action is to screen potential partners against lists of high-risk individuals or entities. These include sanctions lists (such as those published by the European Union or the UN), law enforcement lists, and those of governing bodies such as financial and securities commissions. Because these lists change frequently, a match that was absent at onboarding can appear later, so screening should be repeated on a schedule rather than performed only once.
3) Risk Scoring
Managers should identify the risk and compliance categories deemed critical to the organization and then develop weighting criteria for each category; these weights will in turn inform requirements such as assessment and touchpoint frequencies. For each third party, a cross-functional team should then score the risks based on impact and likelihood so that the third parties can be categorized into tiers and prioritized. Once all third parties are scored and tiered, managers can develop risk mitigation plans and allocate resources to focus on the higher-risk third parties.
With a complete inventory of third parties and their relative risks in hand, the firm can categorize its supplier relationships based on the level of risk to organizational objectives. Even a simple system of “high,” “medium,” or “low” risk categories can be useful. An effective segmentation helps the firm efficiently allocate resources.
4) Ongoing Compliance Assessments
Third-party compliance must be monitored throughout the relationship lifecycle, not just at the onboarding stage. Considering how rapidly threats can emerge and evolve, the findings from one risk assessment can become outdated quickly, even in a matter of days. A company previously rated as compliant can quickly become a liability. Ongoing monitoring should capture changes in compliance after the third party has been onboarded, and limit the impact of any gaps in the original due diligence. It should also help to ensure third parties continue to fulfill the firm's needs and abide by contractual arrangements. Monitoring should be tailored to each third party's compliance profile, with more frequent and thorough check-ins for high-risk entities and lighter-touch monitoring for low-risk relationships.
As this task can be resource intensive—not to mention difficult to keep up with over time—organizations should automate the process to the extent they can. The regular input of information can help facilitate further analysis of the third party, and enable organizations to take appropriate and timely actions.
5) Incident Escalation
Each of the above activities mitigates compliance risk, but none eliminates it. When a compliance incident does occur, a formal escalation process is required to limit the damage. Additionally, regulators expect organizations to document the process of identifying, reporting, investigating, and escalating compliance incidents. An escalation framework, with defined owners and decision points, is critical to expediting the decision-making process.
LogicGate Can Help Keep Third Parties in Check
Whether an incident stems from a company or its partners, the costs of non-compliance are significant. The consequences aren’t limited to simple monetary fines, either: the opportunities an organization sacrifices as a result of a regulatory infraction can add up to significant competitive disadvantages. Meanwhile the fallout from reputation damage can be incalculable.
Third-party programs are complex, dispersed, multi-layered, and information-heavy. Proactive due diligence is a difficult undertaking, but an incredibly important one. Embedding a culture of compliance across the supply chain is an end goal worth achieving. One of the steps toward it is to establish a robust third-party compliance program, consisting of third-party screening and onboarding procedures, risk assessments, ongoing monitoring, and corrective or preventive actions. LogicGate's Compliance Management solution can help your company put such a program in place.
For more on Third Party Risk Management, check out LogicGate's Third Party Risk eBook: Driving Cross-Functional Alignment Across the Vendor Lifecycle.