Operating a global business today requires efficiently managing a network of third-party partners that supply product components, run operations in foreign markets, operate call centers, or act as outside consultants or agents.
The vast array of capabilities and specialized skill sets of a well-maintained third-party network makes operations easier for both the organization and its customers. But many organizations, from small businesses to multi-national corporations, can rarely afford the time and effort required in-house to manage these often complex third-party relationships.
Because of this, the risk of unethical business practices, bribery and other business corruption potentially increases if inadequate due diligence is conducted on third-party partners. The ramifications of a scandal related to a third-party partner can easily take down an organization, resulting in such risks as a damaged reputation and brand devaluation, to regulatory violations, legal proceedings and possible fines and jail terms for directors. The only way to fully protect the corporation’s assets, therefore, is through a strong and viable third-party risk management program.
Building a third-party risk management program is not a passive process. It requires time and effort on a continual basis, as the risks associated with third-party partnerships constantly evolve.
Consider the events of this past summer, during which the legislators of three separate nations signed new compliance regulations and standards into law. Without a doubt, if your organization’s third-party risk management program is unable to quickly adjust to these new regulations (or is not designed to anticipate future legislative movements) your organization is truly at risk.
Cutting corners: not worth the risk
Still, far too many organizations are willing to tempt fate by cutting corners on development and implementation of their third-party risk management program. Certainly, building a strong risk management program requires a significant investment of time and resources (both internally and from the outside), but the consequences of not doing it right could be dramatically severe.
One way organizations attempt to cut corners is by relying on outdated or stagnant tools to monitor, detect and prevent risks. Almost always, hiring outside industry professionals with proven track records of successful due diligence experience is necessary.
Relying too heavily on “desktop” due diligence is another dangerous shortcut. Desktop due diligence is an important initial step of the investigative process, involving background checks, lien searches, regulatory filing investigations and environmental reports. And while it is a vital component of any effective due diligence program, it’s not nearly enough to thoroughly evaluate a third-party.
Truly understanding a potential partner’s business requires a considerable amount of time spent face-to-face with the outside organization’s leadership, operations management and even current customers. This “boots on the ground” process will detect potential risks which are often hidden from a distance, and undetectable via web-based discovery tools.
The “boots on the ground” approach also helps to establish a relational dynamic required for ongoing negotiations and provides clear insight into two of the fastest-growing issues in third-party risk management: bribery and labor management.
Bribery as a compliance issue
Anti-bribery and anti-corruption compliance is a fast-moving target. New anti-bribery laws and regulations are being decreed around the world at a relentless pace. Complicating matters further, many countries may have laws in place but lack the ability to adequately enforce them. When this is the case, the responsibility falls to your organization’s due diligence program to ensure detection and protection.
High profile investigations in recent years have contributed to the rapid emergence of bribery and corruption as a societal issue. Never before has such a contrast been drawn so dramatically on a global stage between those that engage in bribery and those that suffer as a result. Any organization that finds itself mixed up in a scandal involving bribery has more than a legal mess to contend with. It has a long battle to win back the trust of its shareholders, employees, customers and the public.
Conducting sufficient due diligence surrounded by such varying factors is work that must be conducted in person. Gaining insight into a potential partner’s company culture requires a level of immersion with the organization’s leadership, management and staff. When it comes to evaluating bribery risk, some warning signs can only be discovered on-site.
Labor matters and compliance
From overtime issues and under-age workers, to unsafe working conditions and improperly documented accidents, labor compliance represents a major component of any strong third-party risk management program.
Once again, inadequate attention to risks related to labor compliance can bring on considerable penalties. Understanding which industries, geographic regions and management structures elevate the organization’s risk is key to efficiently operating an effective due diligence program. This understanding is nearly impossible to guarantee via ‘desktop’ due diligence. Spending the necessary time in person is the only way to be sure a potential supplier is properly compensating and managing employees while providing a safe workplace environment.
Make no mistake, even if your agreement with a third-party partner places the responsibility of payroll issues firmly upon the vendor, your organization — as a joint employer — can still be held accountable in many countries. After all, the labor being conducted at your partner’s facility benefits your organization’s bottom line.
Best practices
The demands of identifying and measuring third-party risk, monitoring those potential risks on an ongoing basis, and making recommendations based on empirical research is best met by a dedicated team of outside professionals. And while no two organizations are alike in terms of risk profiles, several factors have become consistent in building a strong and effective due diligence program:
Planning. Without a well thought out plan outlining ongoing monitoring efforts with assigned roles and responsibilities, efforts to mitigate risk will be haphazard at best, and dormant at worst. With a thoroughly established, management-advocated program that identifies specific risk factors for each affiliation, a process for addressing red flags, and an established mechanism for continual revision, the organization will remain vigilant in its efforts to protect itself from liability.
Documentation. Due diligence efforts are only as good as the information and data gathered and secured. Meticulous documentation and reporting enables the organization to recognize trends, communicate analyses, and sustain efforts during any future personnel changes. Effective risk management programs feature established guidelines for capturing data, contracts and research with uniformity.
Culture. An organization where leadership, management and workforce do not take third-party risk seriously will never be adequately protected from risk. Successful organizations in this respect dedicate themselves to building a culture in which every employee feels personally invested in the risk management of the operation. Employees must feel empowered and encouraged to report red flags. Passive engagement is simply not enough.
Done correctly, third-party risk management can effectively save the organization from risk, liability and other perils often associated with outside entities wanting to engage and transact with your business.