Are You Effectively Managing and Monitoring Third Party Risk in Your Organization?

Organizations may choose to enlist the services of third parties for a variety of reasons – gaining access to expertise that is not available in house, acquiring additional capital and other resources, and expanding the size and scope of their enterprise, to name a few.

But while establishing third party relationships can provide many valuable business benefits, it can also increase an organization’s vulnerability to certain types of risk. Because third-party entities such as consultants, agents, vendors, suppliers, distributors and partners in joint ventures are not employees of the organization, their actions are much more difficult to control. Hence, developing and implementing effective risk management strategies becomes imperative for organizations that deal with third parties in any way.

What Approaches Are Organizations Taking to Third Party Risk Management and Due Diligence?

A recent study shed some light on how organizations are approaching the process of third party risk management. The study respondents consisted of senior professionals encompassing various ethics and compliance, human resources, employee relations, risk management, legal, and information security functions.

The study identified several common themes regarding the objectives of risk management programs, key areas of concern and the execution of third party risk management strategies:

  • Many respondents indicated that those in charge of the third-party risk management program within their organization do not have complete control over their budgets, which means they may not always have the resources they need to perform their jobs as effectively as possible.
  • Approximately two-thirds of organizations evaluate third parties on their own prior to initial engagement. However, only 14 percent of the respondents indicated they use an outside vendor to conduct ongoing third party monitoring. This often results in inconsistencies when reevaluating third party performance from an ethical perspective.
  • The top concern regarding third party ethical breaches is bribery and corruption, followed by conflicts of interest. Organizations are becoming increasingly aware of ramped-up enforcement activities related to the Foreign Corrupt Practices Act and the UK Bribery Act, as well as the existence of incentive programs for whistleblowers.
  • Outsourcing third party due diligence typically leads to greater satisfaction regarding the overall effectiveness of the third-party risk management program. Specifically, survey respondents reported higher satisfaction levels in the following areas:
    • Legal/regulatory compliance
    • Creating a culture of compliance
    • Program documentation management
    • Program defensibility
    • Overall program performance

What It All Means to Your Organization

The study reached several important conclusions that impact every company that engages with third parties:

  • You are ultimately responsible for the actions of third parties: Customers, stakeholders, regulators and the public do not distinguish between organizations and the third parties that represent them. Therefore, when a third party acting on your behalf engages in unethical behavior, your organization will be deemed responsible for any negative consequences.
  • Many organizations are not taking appropriate steps to monitor third party risk programs: While the majority of organizations appear to have instituted a third-party risk management program that includes some form of vetting process, relatively few have adequate controls in place to monitor third parties on an ongoing basis. The institution of a continuous third party due diligence monitoring program is crucial to the long-term success of your risk management efforts.
  • The more comprehensive the risk management program, the better: While the concept of what constitutes a “comprehensive” risk management program is still evolving, the results of enforcement activities in cases involving the Department of Justice and Securities and Exchange Commission clearly indicate that “more is better.” Specifically, your organization should take transparent steps to ensure that third parties are receiving adequate training on, and ultimately adhering to, your code of conduct and other ethics and compliance-related policies and procedures.
  • An automated third party due diligence vendor can provide a cost-effective monitoring solution for your organization: While too little due diligence leads to insufficient risk management program monitoring, too much due diligence can result in a waste of valuable time and resources. Working with an automated vendor enables you to get the level of analysis that meets your monitoring and budgetary requirements. It can also overcome the shortcomings that may exist in your internal monitoring program.

Relying on third parties is an unavoidable reality in today’s global business climate. A carefully developed and closely monitored risk management program is essential for any organization that wants to mitigate the inherent risks that come with third party engagement.
