Lesson number one at school: we all learn from mistakes. Third-party risk management is no different. In the current environment of increased global enforcement and expanding regulatory legislation, a suboptimal compliance program is no longer tenable. There are significant costs associated with non-compliance and a large potential for disruption to your business in the event of regulatory scrutiny.
Learning from the most common third-party risk examples will allow you to uncover potential gaps in your approach and plan a response strategy. Let’s go back to the drawing board and look at the most common risk scenarios, as well as best practices for success.
Third-Party Risk Scenarios
Over the years, we have seen a number of real-life examples of when weak third-party risk management policies and/or lack of adherence or enforcement of such policies exposed businesses to significant risk. Here are some of the most common risk scenarios we come across:
- Faulty and incomplete screening: When you are screening thousands of third parties, there are many ways to develop a framework. Unfortunately, we often see holes in third-party compliance programs as organizations struggle to navigate global regulatory requirements while maintaining a practical risk-based approach. Screening at the wrong level, limiting screening to known high-risk intermediaries, and no screening at all are scenarios we see regularly.
- Operating in a high-risk environment: Operating in new jurisdictions or emerging markets can expose businesses to a high level of bribery and corruption risk, sanctions risk, or political interference by corrupt actors. Third parties are particularly weak links in the chain when they are not screened in the correct way, and are often targeted by regulators looking to bring lapses to light.
- Changing circumstances: Change at a third party often occurs unexpectedly, leaving a business at risk. Common issues we see involve being added to sanctions watchlists, falling foul of local regulations, changes in ownership, or accusations of improper behavior in the media. And do not expect third parties to notify you of such changes; whether deliberate or not, this is a common problem. In addition, despite training being in place, there may be gaps in your third parties’ knowledge of your code of conduct and policies.
- Successor liability issues: During acquisitions, it is vital to assess FCPA liability issues, specifically relating to third parties. Review closely the type of reviews previously completed (if at all) by the firm being acquired. Remember: you are now responsible for the prior actions of these adopted third parties. We have seen circumstances where the target business does not have strong compliance policies in place, leaving the acquiring company to deal with FCPA violations post-acquisition.
- Cybersecurity and data privacy: Research from the Ponemon Institute found that 56 percent of organizations have had a breach that was caused by one of their vendors. With GDPR making its mark and the California Consumer Privacy Act (CCPA) debuting in the US at the beginning of 2020, organizations are at significant risk from third parties with lackluster data security. Not only are potential fines significant, but the risk of reputational damage is high as consumers become more assertive about protecting their privacy rights. Thorough due diligence should include security evaluations to reduce exposure of confidential data.
Best Practices for Managing Third-Party Risk
If you are concerned about any of these issues, or want to prevent these at your organization, we suggest applying these six best practices to ensure your third-party risk management is up to par.
- Make it comprehensive
Screening every third-party intermediary, without exception, ensures a baseline standard is met. Checks would include ongoing sanctions and enforcement screening as well as company registry records.
- Be consistent
Adhering to an effective and documented compliance process will allow you to escalate third parties in need of further review in a consistent, defensible, and well-thought-out manner no matter where in the world they might be.
- Monitor perpetually
Traditional screening at onboarding offers only a snapshot in time and doesn’t allow for identifying and escalating new and unexpected red flags. Screening on an ongoing basis ensures you have an up-to-date view of all risks that doesn’t hinge on third-party disclosures.
- Make sure it’s auditable
Use technology to maintain a comprehensive documentation audit trail and get full oversight of your third-party universe. Using a platform as a single repository for information, documentation, and decision-making processes will save time and reduce the risk of human error.
- Customize it
It might have been said many times before, but no two businesses are the same, and as such, no two third-party risk management frameworks can be either. Instead of struggling with workarounds to accommodate one-size-fits-all solutions, look for a service that seamlessly augments your current compliance processes.
- Ensure it is defensible
The right technology will simplify third-party due diligence to provide greater visibility and transparency as well as assurance that regulatory requirements are being met and adhered to for 100 percent of your intermediaries.
We have the experience, expertise, and access to the appropriate compliance tools to ensure our clients can build and operate a compliance environment that is comprehensive, consistent, perpetual, and fully fit for purpose.