Running a worldwide business requires effectively recognising, analysing and managing risks, and ensuring compliance. We have found that many organisations with third-party relationships conduct inadequate due diligence, which can expose them to significant risk. In this article, we look at the possible risks and at best practices for conducting adequate due diligence and managing third-party risk effectively, starting with:
Continuous risk management
Operating a global business today requires efficiently managing a network of third-party partners that supply product components, run operations in foreign markets, operate call centres, or act as outside consultants or agents.
The vast array of capabilities and specialised skill sets of a well-maintained third-party network makes operations easier for both the organisation and its customers. But many organisations, from small businesses to multi-national corporations, can rarely afford the time and effort required in-house to manage these often complex third-party relationships.
Because of this, the risk of unethical business practices, bribery and other business corruption increases when inadequate due diligence is conducted on third-party partners. A scandal involving a third-party partner can easily take down an organisation: a damaged reputation and brand devaluation, regulatory violations, legal proceedings, fines and even jail terms for directors. The most reliable way to protect the corporation's assets is therefore a strong and viable third-party risk management program.
Building a third-party risk management program is not a passive process. It requires time and effort continually, as the risks associated with third-party partnerships constantly evolve.
Consider recent events in which the legislators of three separate nations signed new compliance regulations and standards into law. If your organisation's third-party risk management program cannot quickly adjust to such new regulations (or is not designed to anticipate future legislative movements), your organisation is truly at risk.
Cutting Corners Not Worth the Risk: Adequate Due Diligence
Still, far too many organisations are willing to tempt fate by cutting corners when developing and implementing their third-party risk management program. Certainly, building a strong risk management program requires a significant investment of time and resources (both internally and from outside), but the consequences of not doing it right can be severe.
One way organisations cut corners is by relying on outdated or stagnant tools to monitor, detect and prevent risks. In almost every case, engaging outside industry professionals with a proven track record of successful due diligence is necessary.
Relying too heavily on "desktop" due diligence is another dangerous shortcut. Desktop due diligence is an important initial step of the investigative process, involving background checks, lien searches, regulatory filing investigations and environmental reports. While it is a vital component of any effective due diligence program, it is not nearly enough to evaluate a third party thoroughly.
Truly understanding a potential partner's business requires a considerable amount of time spent face-to-face with the outside organisation's leadership, operations management and even current customers. This "boots on the ground" process surfaces potential risks that are often hidden from a distance and undetectable via web-based discovery tools.
The "boots on the ground" approach also helps to establish the relational dynamic required for ongoing negotiations and provides clear insight into two of the fastest-growing issues in third-party risk management: bribery and labour management.
Bribery As a Compliance Issue
Anti-bribery and anti-corruption compliance is a fast-moving target. New anti-bribery laws and regulations are being enacted around the world at a relentless pace. Complicating matters further, many countries have laws in place but lack the ability to enforce them adequately. When this is the case, the responsibility for detection and protection falls to your organisation's own due diligence program.
High profile investigations in recent years have contributed to the rapid emergence of bribery and corruption as a societal issue. Never before has such a contrast been drawn so dramatically on a global stage between those that engage in bribery and those that suffer as a result. Any organisation that finds itself mixed up in a scandal involving bribery has more than a legal mess to contend with. It has a long battle to win back the trust of its shareholders, employees, customers and the public.
Conducting sufficient and adequate due diligence amid such varying factors is work that must be done in person. Gaining insight into a potential partner's company culture requires a level of immersion with the organisation's leadership, management and staff. When it comes to evaluating bribery risk, some warning signs can only be discovered on-site.
Labour Matters and Compliance
From overtime issues and under-age workers to unsafe working conditions and improperly documented accidents, labour compliance represents a major component of any strong third-party risk management program.
Once again, inadequate attention to labour compliance risks can bring considerable penalties. Understanding which industries, geographic regions and management structures elevate the organisation's risk is key to operating an adequate due diligence program efficiently. This understanding is nearly impossible to guarantee via "desktop" due diligence. Spending the necessary time in person is the only way to confirm that a potential supplier is properly compensating and managing employees while providing a safe workplace.
Make no mistake, even if your agreement with a third-party partner places the responsibility of payroll issues firmly upon the vendor, your organisation — as a joint employer — can still be held accountable in many countries. After all, the labour being conducted at your partner’s facility benefits your organisation’s bottom line.
What are the best practices?
The demands of identifying and measuring third-party risk, monitoring those potential risks on an ongoing basis, and making recommendations based on empirical research are best met by a dedicated team of outside professionals. And while no two organisations are alike in terms of risk profiles, several factors have become consistent in building a strong, effective and adequate due diligence program:
Without a well-thought-out plan outlining ongoing monitoring efforts with assigned roles and responsibilities, measures to mitigate risk will be haphazard at best and dormant at worst. With a thoroughly established, management-advocated program that identifies specific risk factors for each affiliation, a process for addressing red flags, and an established mechanism for continual revision, the organisation will remain vigilant in its efforts to protect itself from liability.
Due diligence efforts are only as good as the information and data gathered and secured. Meticulous documentation and reporting enable the organisation to recognise trends, communicate analyses, and sustain efforts during any future personnel changes. Effective risk management programs feature established guidelines for capturing data, contracts and research with uniformity.
An organisation whose leadership, management and workforce do not take third-party risk seriously will never be adequately protected from it. Organisations that succeed in this respect dedicate themselves to building a culture in which every employee feels personally invested in the operation's risk management. Employees must feel empowered and encouraged to report red flags. Passive engagement is simply not enough.
Done correctly, third-party risk management can effectively save the organisation from risk, liability, and other perils often associated with outside entities wanting to engage and transact with your business.
A customised TPRM solution that best suits your needs
CRI Group’s own exclusive, expert-developed 3PRM™ services help you proactively mitigate risks from third-party affiliations, protecting your organisation from liability, brand damage and harm to the business. Whether your organisation has a large, well-established third-party program, is in the early stages of development, or is anywhere in between, the 3PRM™ solution can improve the health of your program and future-proof your entire business in many forms.
Our 3PRM™ solution streamlines the third-party risk management process through scalability and efficiency, from third-party risk identification to assessment. What sets us apart is that our 3PRM™ solution includes:
- Due Diligence
- Screening & Background Checks
- Regulatory Compliance
- Business Intelligence: Information Management
- Investigations: e.g. IP, Fraud, Conflict of Interest
- Anti-bribery & Anti-Corruption (ABAC) Compliance
- Employee auditing, training & education
- Monitoring & reporting
Where should TPRM sit within an organisation?
TPRM can sit within various business units depending on your organisation's structure. Many organisations involve multiple departments, such as procurement, information security, operational risk and compliance, in managing the risks of engaging third parties. Depending on your internal structure, you may choose a centralised, mixed or decentralised model for TPRM. At CRI Group we have observed a trend of many clients implementing a centralised model for managing their third-party relationships, given the input required from multiple business lines. A centralised model allows you to track common risks across departments and identify emerging trends that may require a response from more than one department.
Risk management goes beyond TPRM
CRI Group provides the knowledge required to navigate unfamiliar markets and mitigate third-party risk by assessing the backgrounds, integrity and character of those with whom you do business. Our 3PRM-Certified™ program is therefore key to managing an organisation's third-party risk levels. However, this is only one of several vital steps towards implementing a robust risk management strategy.
Risk management is the identification, evaluation, and prioritisation of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimise, monitor, and control the probability or impact of unfortunate events or to maximise the realisation of opportunities. Risks can come from various sources including your employees.
At CRI Group, we understand that managing compliance and risk activities might be a daunting task. That’s why we present you with the insights library where you can dive deep into these topics to make your job easier. If you can’t find what you are looking for, just get in touch – we would love to have a chat!