What are some of the ways to consider third party risk, management of that risk and strategic risk in a compliance program? Typically, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices Act (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required.
One thing that is generally not considered is the financial health of the third party. It turns out such an oversight may have some significant ramifications for an accurate picture of a third party. I recently explored this issue with James Gellert, Chairman and Chief Executive Officer (CEO) of RapidRatings. His company focuses on the financial health of third parties as not only a key metric but also a key due diligence tool which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.
Gellert explained that for public companies, RapidRatings reviews public filings, and for private companies “we get the financial statements from private companies either from our clients or, on their behalf, directly from their third parties in a solicitation process that we’ve created”. This information allows “insight into the long term and the short term financial health of companies, and that gets worked into supply chain risk management, third party risk management, customer evaluations on the credit side and the finance side of shops, underwriting and insurance, lending and banks, investing for asset management” and a variety of other uses.
A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing an FCPA violation forming in the mind of a third party.
But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. I asked Gellert to provide an example and he explained, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s affecting revenue, it’s affecting reputation, it’s affecting all sorts of things.”
In addition to the review of individual third parties, RapidRatings has evaluated close to 12 million company years of financial data. As Gellert stated, “This database informs the financial health rating and the core health scores that we are producing on every company that we rate”. This is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.
This is considering your third party in a much broader manner, which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, inter-affiliates, or even fourth parties, can help you meet your FCPA compliance requirements, maintain operational stability through the avoidance of business disruption, and support business continuity initiatives. Even better, you can cut through siloes to develop risk management strategies across multiple business functions.
This moves compliance into the business process cycle, creates greater efficiencies and at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate solid return on investment going forward. It also allows compliance to cut through many corporate siloes including such disciplines as business development, supply chain or procurement, manufacturing and finance.
Another important aspect of what the RapidRatings approach can bring is around what Gellert termed “criticality”. He defined this as only managing those third parties which you believe are critical to your organization, either for business or risk-management reasons such as FCPA compliance. Yet this may cause “you to not monitor other areas of an organization to understand that they need to be looking at not just the critical third parties, but those in the next rung out and the next rung out and the next rung out, because all of those names really do have some impact.”
At this point many compliance practitioners might well throw up their collective hands and say they are managing all the risks they can. However, this is where technological solutions, such as those provided by RapidRatings, can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and, with that, the ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.
© Thomas R. Fox, 2017