Third-party relationships: advantageous or an Achilles’ heel?

September 2017  |  FEATURE  |  RISK MANAGEMENT

Financier Worldwide Magazine

September 2017 Issue

In an ever-more globalised business world, third-party relationships provide companies with a multitude of opportunities to increase productivity and revenue. However, at the same time, these relationships also present a considerable corruption risk.

Strictly speaking, every third party and their associated contracts pose a certain degree of risk to a company. With that in mind, recognising and managing that risk is essential. This may include protection from reputational damage and regulatory fines, or safeguarding the ability to profitably deliver goods and services to customers, without disruption.

According to a recent global anti-bribery and corruption survey by KPMG, companies consider third-party due diligence as one of their most challenging anti-bribery and corruption issues. On the one hand, respondents said, volume and geographic distribution makes it difficult to monitor third parties and, on the other, there is reluctance by these parties to disclose the necessary information for companies to make informed decisions.

“The use of third parties has always been one of the greatest drivers of corruption risk,” points out Brian J. Mich, a partner at Control Risks. “To a large degree, this is because a company’s visibility into the operations of a third party and influence on the third party’s culture and ethics are limited. Moreover, the compensation of the third party, which is typically tied to sales production, creates an enhanced incentive for corruption. Furthermore, as a company becomes more global and moves into new geographies, it likely will need to rely upon local third parties to gain a foothold in those new locations. This only increases the company’s corruption risk.”

Rebecca Palser, global product director, LUMA at The Risk Advisory Group, suggests that third-party relationships are the Achilles’ heel for companies when it comes to their anti-corruption practices. “They present a challenge because companies hold less sway over third parties than they do over their own employees, and this filters down into every aspect of the relationship, including embedding the right ethical culture,” she says.

So with the risk of violations obviously high, it is clearly beneficial for companies to take stock of the scope of their third-party relationships and refine the approach to how they are monitored accordingly.

Effective vetting

The effectiveness of third-party vetting is a ‘must-have’ for companies with a global outlook. This often requires a culture shift to integrate oversight and maintenance of third-party relationships into existing organisational frameworks.

“Although companies are now vetting their third parties in a more structured fashion, with budgets always under pressure, not all assessments are effective,” notes Ms Palser. Illustrating this point is Risk Advisory’s ‘Compliance Horizon’ survey, which found that 73 percent of respondents expect their budgets to be maintained (while being asked to do more) or cut. As a consequence, this forces compliance teams to make tough decisions.

“Spreading the budget thinly across all of your counterparties can leave you vulnerable to the risks posed by your high-risk third parties,” says Ms Palser. “Changing this approach is challenging, though. To integrate and embed an effective programme into the day-to-day of the business really calls for strong advocates who understand the business and the level of risk its third parties pose.”

In the view of Greg Matthews, a partner in KPMG LLP’s risk consulting service network, the challenge that many organisations face is to ensure due diligence work is completed by the right subject matter experts prior to the execution of the contract. “These experts are responsible for the particular risk that they oversee and their insights are required to ensure the third party concerned has the ability to mitigate the risk in a manner consistent with its internal policies and risk and regulatory requirements,” he affirms.

Generally speaking, the consensus is that third-party numbers will ebb and flow as companies attempt to strike the right balance between gains and risks.

Clearly, the reason why the due diligence carried out by many companies is often ineffective is because resources are not concentrated on the third parties which represent the highest risk. In fact, many consider an internet search to be sufficient. “For those third parties that present the highest risk, a much more rigorous procedure is required and often involves an on-site investigation,” says Philippe Montigny, president of Ethic Intelligence. “There are still many companies, particularly mid-sized companies, which do not even appreciate the risks represented by their third parties and which do no verification whatsoever.”

Regulatory attitudes and enforcement

An influential factor in how companies go about monitoring their third-party relationships is the attitude of regulatory authorities to compliance programmes and their anti-bribery and corruption enforcement resolve. “There has been an increased focus in recent years by the US Department of Justice (DOJ) on individual accountability and the effectiveness of a company’s compliance programme,” explains Amanda Rigby, principal and US service network leader for investigations & disputes at KPMG LLP. “With the issuance of the ‘Individual Accountability for Corporate Wrongdoing’ memorandum in 2015, the DOJ focused on the role individual culpability plays in Foreign Corrupt Practices Act (FCPA) related matters.”

Furthermore, it is the formation of the DOJ’s FCPA pilot programme in 2016 – which involved an increase in the number of resources focused on FCPA related matters – that further demonstrates the continuing priority that regulators are placing on enforcement of anti-bribery and anti-corruption regulations. “We have seen the DOJ issue guidance on evaluating corporate compliance programmes in recent months, a move which increases the consideration of the composition and depth of a company’s compliance programme to address FCPA matters,” believes Ms Rigby.

In addition, the DOJ and the US Securities and Exchange Commission (SEC) have increased their investigatory resources and begun to share more data with other countries. “The most significant development in recent years is the increasing globalisation of anti-corruption regulation and enforcement, combined with enhanced cooperation among various countries’ law enforcement and regulatory authorities,” says Mr Mich. “Anti-corruption enforcement used to be the province of the US and several European countries. Increasingly, other countries, including those that are considered high risk from a corruption perspective, are becoming more vigilant in the fight against corruption. The active involvement and cooperation of foreign authorities are an increasing aspect of many FCPA settlements entered into by the DOJ.”

Proactive and persistent monitoring

With many companies struggling to implement effective compliance programmes for third parties, upscaling their pre-onboarding and post-onboarding monitoring strategies is one option for instilling greater efficiency, consistency and transparency into the process.

Randy Stephens, vice president of advisory services at NAVEX Global, considers it advisable for companies to at least develop a written third-party programme policy document and then closely adhere to it. Such a document, he states, should address due diligence, risk ratings, business purpose, red flags and mitigation. Furthermore, the process should be automated so that it is repeatable, robust and documentable. “Many organisations are struggling with even identifying all parties that should be included under the third party definition,” he explains. “Often this process may be spread among different departments and not universally implemented.

“The most important advice is to do something. Luck is not a strategy, so there is no third party that should be engaged without at least a basic level of risk assessment. The higher the risk, the greater the due diligence and monitoring needed. Do not take a ‘one and done’ approach. The best process is continuous monitoring. In a risk-based approach, there should be at a minimum a review cadence or a repeat review as things change,” concludes Mr Stephens.

For some companies, the best way to manage due diligence requirements pre-and post-contract is via a dedicated third-party risk management (TPRM) programme. A TPRM programme can ensure that the right components of a company are brought to bear at the appropriate time to execute due diligence activities. Therefore, it is critical that contracts are not executed prior to due diligence being completed.

Although beneficial, many companies grapple with the sustainability of their TPRM programmes. “There are a number of levers that can be pulled to manage sustainability,” says Mr Matthews. “These include reducing the number of third parties that have to be assessed while managing concentration risk, and reducing the number of questions that have to be completed by being more focused on the risks used to stratify the populations of third parties.”

Moreover, companies can also reduce their types of assessment activities by moving reviews from onsite to offsite, centralising assessment activities and outsourcing resources performing the assessment. “There are many initiatives across various industries looking to share assessments and assist with the due diligence process,” advises Mr Matthews.

However, third parties are not all equal and some clearly require greater scrutiny than others. Therefore, thought must be given to developing a risk-based process for identifying the amount of due diligence and monitoring to which each third party should be subject. “Third-party risk-ranking of third parties should not be limited to the pre-on-boarding process,” says Mr Mich. “Rather, companies should regularly assess the risks presented by their third parties and base post-onboarding monitoring procedures for each third party upon that assessment.”

Ultimately, companies with the most advanced third-party compliance programmes are not considered as such solely because they implement stringent onboarding due diligence procedures on their riskiest third parties. “It is because they continue the monitoring of those third parties throughout the duration of the relationship,” explains Mr Montigny. “This monitoring includes onsite visits, training sessions and, more frequently, verification that an anti-corruption compliance programme exists.”

Ebb and flow

Despite their problematic nature, the outlook for third-party relationships is positive due to the productivity uptick and financial benefits they offer. Generally speaking, the consensus is that third-party numbers will ebb and flow as companies attempt to strike the right balance between gains and risks.

Indeed, 30 percent of respondents to NAVEX Global’s recent ‘Ethics and Compliance Third Party Risk Management Benchmark Report’ anticipated an increase in the use of third parties in the coming year, while 29 percent said they planned to expand existing relationships.

The role of third-party relationships as a factor in corruption risk will definitely not diminish and will likely increase in the near future,” claims Mr Mich. “As companies take steps to increase their global footprint, their reliance on third parties will, by necessity, increase. This will undoubtedly present challenges for companies, particularly middle-market and smaller companies, many of which do not have extensive compliance resources.”

For Mr Matthews, the post-financial crisis world has seen a change in the global business models involving third parties, as companies try to drive costs down and enhance operating efficiencies. “Big businesses will continue to shift core activities to third parties which are specialists in those areas,” he suggests. “It appears we are at the point now where there is a peak in sourcing activities.”

Going forward, the key for companies is to marshal their resources toward defining and executing a sustainable approach to third-party monitoring. A comprehensive programme of due diligence and compliance screening procedures is needed to ensure third-party relationships are looked upon as advantageous, rather than risky.

© Financier Worldwide


Fraser Tennant

©2001-2019 Financier Worldwide Ltd. All rights reserved.