Business leaders often think third-party risk management (TPRM) is onerous, manually intensive, and expensive, but it need not be. If properly designed and managed, TPRM policies, procedures, and technology tools can cost-effectively improve business relationships and efficiencies in managing third parties, while mitigating exposure to risk.
Businesses are dependent on relationships with third parties for needed functions such as outsourced labor, distribution, and brokers/agents. Naturally, these relationships subject companies to financial, operational, reputational, legal, and regulatory risks.
As a result, TPRM programs must be designed to proactively limit risk, accommodate sustainable, long-lasting relationships, and ensure third parties are reputable extensions of the business’ brand.
Regulatory Guidance Drives the TPRM Theme
Businesses often look to regulatory guidance when developing their TPRM compliance programs. Although the basic requirements of an “effective” compliance program are well known, the “how-to” and “how-much” are dependent on each company’s risk profile.
Moreover, the risk and regulatory environments are constantly changing, thus requiring TPRM programs to simultaneously evolve and adapt. As such, instead of prescribing exact stipulations, leading practice and the prevailing regulatory guidance focus on a recurring theme: documented and risk-tailored TPRM solutions.
In 2012, the Department of Justice and the Securities and Exchange Commission jointly published “A Resource Guide to the U.S. Foreign Corrupt Practices Act”, outlining 10 hallmarks of an effective compliance program, most of which emphasize three TPRM action areas: oversight, internal controls, and ongoing due diligence.
More recently, on June 1, the DOJ updated their “Evaluation of Corporate Compliance Programs” guidance document, which continues the TPRM theme (and not detailed mandates) by including a “Third Party Management” section that states that a company’s “well-designed program should apply risk-based due diligence to its third-party relationships.”
Global regulations support the TPRM theme. For example, the U.K.’s Ministry of Justice’s “The Bribery Act 2010” guidance includes six principles that help organizations mitigate bribery risk. While the six principles are broad, the “Due Diligence” principle specifically relates to TPRM and emphasizes that a “proportionate and risk based approach” is paramount when effectively managing third party risk.
Industry-specific guidelines also influence leading practices for TPRM. The USA Patriot Act implemented due diligence requirements for financial institutions, often referred to as know your customer (KYC) rules. The KYC rules established a baseline for performing customer due diligence, which then must be supplemented by the company’s own risk assessment.
Similarly, the pharmaceutical industry is supported by two ethics organizations, AdvaMed and MedTech, which help promote standards across the industry. Within their respective codes of ethics, they stress the importance of transparent interactions between companies and third parties but do not explain how those third parties should be vetted for risk.
TPRM Due Diligence Leading Practices
While existing guidance is not prescriptive, it does reinforce the importance of using due diligence as an essential and fundamental TPRM tool. Companies should consider, among other characteristics, industry, country, size, nature of the transaction, and the type of relationship with the third party when tailoring their due diligence procedures.
Companies have varying, and sometimes unique, facts and circumstances and, as such, should tailor their due diligence procedures. However, the following considerations generally apply to all businesses when developing their TPRM strategy:
- What types of third party risks are in-scope?
- Are certain risks more prevalent or “riskier” than others?
- How do third party risk attributes impact the nature and extent of due diligence procedures?
- What controls and procedures ensure third parties are properly vetted?
- Which department manages third party risk (e.g., business vs. compliance)?
In conducting due diligence, the following questions should be considered:
- What risks does the third party present (e.g., cybersecurity, operational, legal, regulatory, compliance, reputational, financial, strategic)?
- What qualifications, affiliations, and associations does the third party have?
- Who are the beneficial owners and executives of the third party?
- Does the third party have connections to political or government officials?
- What is the third party’s reputation?
- Is the third party qualified?
- Is the third party properly licensed?
- Does the third party provide legitimate services or is it a shell entity?
- Why is the third party needed (i.e., can the company perform the required services)?
- How is the contract structured (e.g., payment terms and conditions)?
It is important to remember that TPRM and due diligence procedures are not intended to provide absolute assurance that risks will not cause future legal and compliance issues. Instead, these tools should serve as a well-documented, flexible, and consistent framework that prescribes leading practices in order to help mitigate risk before it manifests into a larger problem.
Uncertainty Requires Renewed Focus
The overall global uncertainty surrounding the Covid-19 pandemic, including the effects of government orders for social distancing and sheltering-in-place, inevitably impairs a company’s ability to conduct business under normal circumstances. However, it is important to realize that compliance is not only a fair-weather topic.
The U.S. attorney general released a memorandum on March 16 to all U.S. Attorneys stating, “the critical mission of the Department of Justice must and will continue.” It is clear that government officials expect robust compliance through both good times and bad.
The ability to proactively identify and mitigate risks can be adversely impacted during a crisis due to limitations such as labor and supplier disruptions, protocol workarounds, or limited real-time leadership. As a result, more scrutiny and oversight should be applied to help combat third parties trying to take advantage of the situation.
For example, if a third party must be onboarded outside of the normal protocol (i.e., during a crisis or as a replacement for an existing, yet incapacitated third party), a plan should be developed to ensure deviations from standard practices are documented. Moreover, additional risk management steps should be designed to retroactively ensure the third party is a reputable business partner.
TPRM is not only an indispensable compliance tool during normal operations, but one that requires an enhanced focus when normal protocols require circumvention or when uncertain times plague normal business operations.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kevin Bandoian, CPA, is a partner and Andrew Coles, CPA, is a director in New York at Resolution Economics LLC, an economics, statistics, forensic accounting, and compliance services consulting firm with offices in Los Angeles, Chicago, Washington, D.C., and New York. Resolution Economics assists counsel and clients with complex financial and compliance issues, including those arising in litigation, investigations, mergers and acquisitions, and government and regulatory inquiries.