Earlier this week, Refinitiv released a report entitled “The Real Risks: Hidden Threats Within Third Party Relationships” (the Report). The Report had some very sobering information about the state of third-party risk management. Every Chief Compliance Officer (CCO), compliance practitioner and compliance professional needs to read and digest the Report. It is relevant not simply to your own organization but also to the organizations with which you do business, both on the sales side with customers and through the Supply Chain.

Phil Cotter, Managing Director, Risk Business, said in the foreword, “in an increasingly interconnected and globalized world, many third-party risks are going undetected.” Indeed, the Executive Summary revealed that large organizations often have an average of nearly 10,000 third-party relationships to deal with. Further, almost one-half of organizations are not fully carrying out due diligence at onboarding and over 60% are not engaging in ongoing monitoring stages. These numbers have only been “compounded by competitive pressures, greater globalization and increasingly complex supply chains.” Obviously, the Covid-19 health crisis and attendant economic dislocation are making things more difficult as well.

While companies seem to acknowledge the legal risks under laws such as the Foreign Corrupt Practices Act (FCPA), it appears such risks are “not feared”. Indeed, the highest reported reason to manage third-party risks listed in the Report was to “protect your company from reputational damage.” Interestingly, some of the key drivers and blockers have caused organizations to struggle to gain visibility over third-party risks and to take appropriate action. This is in the face of greater regulation, stronger enforcement action and ever-present reputational damage. The numbers here were equally telling:

  • 61% perceive that prosecution would be unlikely if they breached third-party related regulations.
  • 25% of an organization’s corporate value would be lost as a result of a regulatory breach.
  • 50% say they know of an enforcement action being taken against their company in relation to a third-party risk.
  • 84% of respondents believe that ‘greenwashing’, by providing misleading environmental credentials, is becoming increasingly common.

Yet the Report notes there are ways a company can overcome some of these clearly dispiriting findings. They include creating and obtaining better data, using greater innovation and more applicable technological tools. With greater transparency into third parties and greater business resiliency, companies can move forward to more accurately manage these risks. Alison Taylor, Executive Director, Ethical Systems, notes, “This makes a strong case for a due diligence process that considers environmental, social, and governance issues in a more holistic manner, bringing more rigor to disclosure on environmental and social performance evaluation, incorporating regulatory risk, and understanding the relationships between these issues.”

I was more than disheartened to learn that only 51% of respondents had the full five steps in their lifecycle management of third parties in place. But even those who have the policies and procedures admitted they needed better training and education for their staff. While high value third parties were noted to receive a higher level of due diligence, the Report noted, “More holistic factors such as political exposure (36%) and jurisdiction/country risk (32%) rank lower, with the retail sector (18%) well below average for the latter. In the professional services industry, 6% say that they do not screen for risks at all, twice the overall average of 3%. This suggests that organizations need to deepen and broaden their approach to due diligence.”

The Report concluded, “The good news is that action is already being taken. More resources and greater technological innovation are helping organizations to get a clearer picture of risk. But more needs to be done. Although respondents cite a lack of data as the biggest challenge in identifying supply chain risk, the sheer volume of data when managing third-party risk can overwhelm organizations if not handled correctly. The right tools are needed to structure and streamline that data in order to find the signal in the noise and pinpoint areas of higher risk.”

All of these steps are needed in the full life cycle of third-party risk management. Moreover, every CCO and compliance professional needs to understand not only the implications of this Report but, more importantly, how to use the information with a wide variety of stakeholders. Obviously, it should be shared internally in your compliance function, but also with your senior management and Board so that they will give you the tools, monetary resources and headcount to assess and manage these risks. An equal but often overlooked stakeholder is your own third-party base. For if you do not know what is in your Supply Chain, it may well be that your own third parties are not managing their corruption risks, modern slavery and trafficking risks, Corporate Social Responsibility mandates and environmental risks.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2020