Third-Party Risk: What You Don’t Know Can Hurt Your Business

Thanks to globalization and advanced technologies, the world economy is increasingly interconnected and a borderless market. Businesses are no longer depending on their own resources and self-developed capabilities in order to achieve operational excellence, fuel growth and drive strategic success.

For example, a retailer headquartered in Toronto, Canada, doesn’t necessarily need to rely on local suppliers to meet its customers demand. A financial services company in London, England can now employ the services of a cyber security expert domiciled in Singapore. Today, businesses are no longer going it alone.

When entering into new lines of business or expanding into new markets, it is common for organizations to leverage third-party knowledge, skills or resources, and form partnerships, alliances, and other business relationships.  These external parties have suppliers, partnerships and alliances of their own too.

Given the interconnection between third-party relationships and the inherent risks, the ability to manage these relationships is critical to success.

Ignorance is no defense

The actions of third-party intermediaries have dire consequences on the business, not just financially but also legally, operationally and reputationally. Moreover, regulators are increasingly policing third-party relationships, and when something goes wrong, the penalties can be hefty.

Think of the U.S Foreign Corruption Practices Act, UK Bribery Act, EU General Data Protection Regulation, or Brazil’s Clean Companies Act. Even if a security breach or risk incident occurs on the other side of the world, entities or individuals found on the wrong side of the law will not escape unpunished.

Activities can be outsourced, but responsibility cant’t. It is therefore imperative that business leaders develop a deeper understanding of third-party relationships including the full spectrum of risks linking in each part of the organization.

You need to adequately examine your clients, vendors, consultants, agents and other business partners, know who they are and how they operate. A basic internet search or third-party website visit doesn’t cut it. A detailed integrity due diligence is required. You need to know your business partners’ qualifications, business history, reputation and their relationship with foreign government officials.

In addition, you also need to understand the business rationale behind including the business partner in the transaction. Failure to do so could expose your organization to reputational damage, operational risk, government inquiry, monetary penalties and even criminal liability. What you don’t know about your business partners can hurt you.

Visibility over third-party business relationships

In a number of organizations, the examination of business relationships and assessment of inherent risks is left in the hands of the procurement function. The function identifies potential savings from outsourcing, the legal team drafts the contract and it’s business as usual. There is no or little follow up on the relationships.

In some cases, external relationships are managed in silos within business units. The business unit that owns the relationship also manages the risk. These individual business units have different ways of tracking their suppliers, vendors or partners, making it difficult to compare and collate them across the entire business. In addition, sometimes there is a duplication of efforts and inconsistent application of risk assessment and management standards.

In other cases, companies adopt a centralized or hybrid approach in order to help overcome the challenges presented by the decentralization model. With the centralized approach, redundancies are reduced, and risk decisions reside with a single group in turn fostering accountability for risk assessment.

However, it is important to note that with this approach tensions can sometimes arise between business units that have a working relationship with the external parties and the centralized team accountable for risk assessments. As a result, some companies pursue a hybrid model in which risk ownership is clearly defined and decision making rights are spread across a number of business functions, such as procurement, finance, compliance and risk management.

As the business is constantly on-boarding or terminating external partnerships and expanding or reducing third-party services, it’s therefore important for business leaders to develop a strategy and road map to systematically identify third parties using an inclusive definition.

For many companies, key data about business relationships resides in multiple procurement systems and in emails, spreadsheets, and text documents. Manually building a complete inventory of current contracts from these multiple sources, and then analyzing and interpreting all the data in order to assess risks and make informed decisions can prove challenging.

New technologies such as robotic process automation and natural language processing can however help obtain visibility over third-party relationships. RPA helps integrate information from disparate sources and systems without manual intervention and embed control mechanisms into an automated process, thus increasing efficiency and streamlining third-party transaction risk management.

On the other hand, natural language processing helps to analyze documents written in plain text and signal critical risks, enabling third-party controls to be automatically reviewed for potential risks emanating from inadequate or unclear contract language.

Strong governance process

Traditionally, risk has been regarded as something to be minimized or avoided, with considerable effort spent on protecting value. However, in today’s global competitive environment, in order to progress and achieve strategic success, a business should develop an appetite for risk taking. A business cannot expect to grow and expand by avoiding risk or hesitating to expand its universe of third-parties.

However, given that today organizations are being held responsible not only for their own actions but also for the actions of customers, suppliers, vendors or partners, it’s critical for company boards to provide oversight to ensure that effective third-party risk management practices are in place.

To avoid confusion, there should be clarification on who owns third-party risk in the organization, including where third-party risk management sits within the organization. It is the board’s responsibility to ensure that management establishes a clear organizational model and process for third-party risk management.

In addition, management should provide a clear line of sight to the organization’s major external-party risks by establishing an effective reporting system and keeping the board informed of how critical risks will be mitigated.

The focus should not only be on achieving cost savings or efficiencies, but also on driving value creation and meeting set objectives of the business. Thus, there should be alignment to the broader strategy of the business.

As the world increasingly becomes digitally interconnected and the extended enterprise grows and gets more complex, third-party risk management should also become a top priority for any business.

Also important to note is that assessing and mitigating third-party risk is an ongoing process. It’s about prevention rather than reaction.