The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in Evaluation that companies need to consider.
In an issue of Supply Chain Management Review in an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, provided useful insights into the management of the third party relationship. While the focus of the article was having a strategic approach to contracts management, the author’s “five ways to start professionalizing your approach to outsourcing contracts” provide an excellent manner to consider steps in the management of third party relationships. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.
Consolidate Third Parties but Retain Redundancy-It is incumbent that consolidation in your third-party relationships to a smaller number to “yield better cost leverage.” From the compliance perspective, it also should make the entire third-party lifecycle easier to manage, particularly steps 1-4.
Keep Tabs on Subcontracted Work- If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors.
Make Sure Your Company is Legally Protected-This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract.
Keep Track of Your Third Parties’ Financial Stability-This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances.
Formalize Incentives for Third Party Performance-One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.
Auditing Third Parties-Auditing of third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.
Managing your third-parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four step in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.
Three Key Takeaways
- Have a strategic approach to third party risk management.
- Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
- Managing the relationship is where the real work begins.
Execution of your 3rd party program by managing your third parties is where the rubber meets the road.Click to tweet
As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.