Shop Talk: Cooling Off Red-Hot Third-Party Risks

Around every company lie concentric circles of third-party risk.

Inside the innermost circle, colored green, sit the company's core of trusted employees and customers. Then around that is a wider circle of primary third parties used by the company—suppliers, agents, joint venture partners, and others—colored in yellow.

Then comes the third, final circle: the third parties of those third parties—sub-contractors, local agents, and many others, nearly untraceable to corporate headquarters. That final circle is, of course, bright red and for good reason: some multinational companies refer to it as the circle of fear.

Indeed, several compliance and risk executives who attended two separate executives forums conducted by Compliance Week and NAVEX Global in London and Amsterdam last month said that the outer two circles was where significant compliance danger, along with financial and reputational risk lies due to reliance on third parties int he supply chain and distribution network.

One message that became strikingly clear throughout the forums is that European companies struggle just as much with third-party risk mitigation as U.S. companies. “It was really amazing to hear almost exactly the same set of concerns,” said Bob Conlin, chief products officer at NAVEX Global, a corporate compliance solutions and services firm.

Those concerns, Conlin said, go something like this:

We don't have visibility into all of our third-party relationships, but we know they number into the thousands.

We can't identify who the primary internal business owner is for each of our third-party relationships.

We have no way of automating the risk process; we're doing it manually today, and we're not doing a very good job at it.

We're only assessing the vendors that we think pose the highest risk.

We have no way to monitor changes in the risk profile for each vendor over time.

For multinational companies, in particular, the risks associated with third parties are rising fast, due to the proliferation of anti-corruption legislation on a global scale, as many attendees attested. Aside from the U.S. Foreign Corrupt Practices Act and U.K. Bribery Act, countries like Canada and Brazil have also enacted their own versions of anti-bribery and corruption legislation or expanded existing laws in just the last few weeks.

Mark Bromley, head of governance, risk, control & compliance at EDF Energy, speaks to the panelists at the London forum.

Also in attendance were: Jennifer Aikins-Appiah, CPA Global regulatory compliance officer, and Barry Matthews, director of legal affairs for ITV.

“The biggest risk is corruption by third parties,” said Sylvie Bleker-van Eyk, chief compliance and risk officer at construction and engineering company Ballast Nedam, based in the Netherlands.

Due Diligence Done Right

Attendees at both forums agreed that third-party risk mitigation begins with the initial screening process at the start of any relationship and continues with the daily interactions with all the organizations a company touches. “You need to have a consistent on-boarding process for vetting any new third party with whom you're going to do business,” said Conlin. “At minimum, that should involve some type of a preliminary background check screening for issues related to sanction and watch lists, politically exposed persons lists, and any relevant adverse media.”

A thorough on-boarding process becomes especially important for companies that are going through a shift in their business operations, or are experiencing a merger or acquisition. One executive, whose company is currently undergoing a series of mergers, touted the importance of the on-boarding process as a way to shift from a corporate culture historically used to completing handshake deals to a more formal and structured process.

Barry Matthews, director of legal affairs for U.K. commercial television network ITV, said the company begins the third party bribery act due diligence process with a profiling exercise to ascertain the risk category of the “associated person”. Third parties that are categorized as “high risk” undergo a much more thorough questionnaire and document production process than those classified as “low."  The Legal Team control the AP database and prompt commercial colleagues to refresh due diligence on an annual basis; this process is complimented by bi-annual spot checks.

Tonnis Poppema, director of compliance at Hasbro International Holdings, a subsidiary of Hasbro International based in Amsterdam, said its office of corporate compliance similarly employs a very thorough inspection process before any employee can do business with a third party. “For us it's non-negotiable not to agree to our standards. If a business partner says ‘no' to our compliance standards, we don't work with them,” he said. “It's as simple as that.”

From left to right at the London event: NAVEX Global's Dan Kline; Susan Sturrock, head of ethics and business integrity for BT Group; and Kristy Grant-Hart, Director of Compliance, EMEA, at Carlson Wagonlit Travel. .

Then comes the question of who actually owns the risk. “Every third party needs to have a business owner, and that business owner has to have some responsibility for managing the risk associated with that relationship,” Conlin said. Who is purchasing from that third party? Who is approving payment to that third party?

If there is a third party out there to whom nobody in the business is claiming ownership, “you have to get rid of them,” said Conlin. “You can't afford the risks associated with ambiguous business relationships.” Although, that can be a bit of a challenge, he said, because many companies have thousands—if not tens of thousands—of third-party relationships.

At ITV, the commercial operating team and the legal team work together to negotiate contracts with third parties, Matthews said. The legal team's job is to guide the decision-making process during the negotiation, ensuring that the parties to the contract fully understand their obligations to reduce the likelihood of future litigation. The ITV legal team prides itself on a “prevention rather than cure” approach to the delivery of legal services.

After the legal team helps to negotiate the contract, risk ownership moves to an appointed contract manager. “It's not an agreement entered into by the organization. It's an agreement owned by the individual within the organization,” said Matthews.

The obligations flowing between the parties is summarized for the contract owner, Matthews continued. "We then check in with them from time-to-time to assess how those relationships are going.” If that contract manager was to then leave the company, the legal team is there to ensure that knowledge of the workings of the contract does not leave with them. "We provide continuity by ensuring  that someone picks up the reins and is properly briefed on that agreement," he said.

From there, it's all about getting third parties to buy into the due diligence process. “Our main challenge is to make sure that our local business partners are up to speed on our compliance standards,” said Poppema.

If there is a third party out there to whom nobody in the business is claiming ownership, “you have to get rid of them,” said Bob Conlin of NAVEX Global at the Amsterdam event. At right is Lucianne Verweij, Royal Philips senior director of business conduct & ethics.

In Asia, where Hasbro produces many of its products, local entities don't have that direct connection to the United States or the United Kingdom, so they aren't too concerned about the FCPA and U.K. Bribery Act, said Poppema. “We constantly have to convince them of the fact that they have to adhere to our standards. That's a challenge,” he said.

Some attendees said they give their employees' code of conduct to their third parties and have them attest that they have read it. Conlin said this process can be fortified by using a third-party risk-management tool to distribute their policies and then track those attestations on a continual basis.

Remediation Measures

Forum participants also shared ways in which they monitor the level of risk that each third party poses, both from an IT systems standpoint as well as a cultural standpoint.

The most effective way to adequately address third-party due diligence is to have a continuous monitoring process in place, advised Conlin. NAVEX Global launched a new third-party risk management solution this month that automates the assessment and monitoring of all of a company's third parties.

Pictured here at the Amsterdam forum: Cees Klumper, chief risk officer of The Global Fund, and VimpelCom Legal Counsel Elena Fedotova.

The tool also assists companies in identifying high-risk third parties by cross-referencing information from more than 400 international sanction, watch, and debarment lists, while combing through more than 9,000 global media outlets to identify any adverse activity related to money laundering, terrorism, or fraud.

“The problem is that many companies still depend on manual processes for third-party risk assessments, rather than having fully automated systems in place,” Conlin said. Even among companies with automated solutions, they're typically performing risk assessments only on third parties where exposure is thought to be greatest, “which creates a substantial risk through inevitable gaps and lack of consistent evidentiary record,” he said.

Don't expect such a scatter-shot approach, however, to hold water with the Department of Justice or Securities and Exchange Commission in the event one of your perceived lower-risk third parties—such as one in that yellow circle of risk—commits a bribery act. “They're going to say that's too bad,” said Conlin. “You had adequate procedures in place for assessing your third parties; you simply failed to extend those procedures to all of your vendors.”

An equally important element of a robust third-party due diligence program is the training, said Poppema. “It stands or falls with the personal staff managing that.”

According to Matthews, all compliance programmes should have a face-to-face component; “You can write policies until they're coming out of your ears, but unless they come to life through face-to-face training, in my experience, they are rarely embraced and followed," he said.

Make sure training is tailor-made to the company by citing real-life examples, said Bleker-van Eyk. “The best way to learn is from mistakes,” she said.

She also stressed that educating employees about third-party due diligence is more than just making employees aware of risk. Rather, she said, it's a “state of alertness” that needs to be embedded in the DNA of employees.

When it comes to building a culture of compliance, front-line employees are much more likely to listen to mid-level executives—such as business unit leaders and divisional vice presidents—than they are to the CEO. It's about tone-at-the-top down to the middle, and then tone-at-the-middle down to the bottom, Bleker-van Eyk said.

“The point is if you don't do third-party risk assessment and mitigation right,” said Conlin, “you expose your organization to huge financial and reputational risk.”