Third-Party Risks May Affect Compliance — Here’s How to Curb That Situation

U.S. Money Reserve
7 min read · Apr 23, 2020


by Francine Breckenridge, Chief Compliance and Legal Officer at U.S. Money Reserve

You may not know that there are risks until you have onboarded a new company or contractor. Here’s how to mitigate third-party compliance risks.

Any global company has to mitigate its compliance risks to remain above board and stay in business. When it comes to bringing in external companies or contractors, it’s crucial that they too meet the company’s compliance needs. But how do you ensure that they are well within compliance bounds without overwhelming your own staff and company needs or doing a complete, in-depth review of their business continuously?

Understand What Third-Party Risks Are

According to Gartner, third-party risks are often identified after a third party has been onboarded, and that can pose significant problems to any corporation leveraging outside contractors or companies.

According to Gartner’s 2019 report, “Today’s third parties require more access to the organization’s data assets and are increasingly working with their own third parties, multiplying the size and complexity of the third-party network. In fact, in the last four years, legal and compliance leaders have classified 2.5 times more third parties as high-risk.”

Between the web of secondary — and their related tertiary — companies doing business with major companies and the required data access that goes along with this, more major corporations are highly vulnerable to all kinds of compliance risks. The risks can run the gamut from legal issues to documentation problems. As a corporate compliance leader for a major company, you can run afoul of regulations and laws simply because your third-party partner has done so. Third parties can also put your reputation and your corporate strategy at risk. As the network of third-party providers expands, the risk becomes even more significant.

Many times, when a company goes outside for support or help from a contractor or third party, it’s because the business needs something that they can’t do or create internally. According to Gartner, many of those third-party businesses are providing information like data analytics and in-kind technology, which require quite a bit of access to internal company workings and data in order to integrate properly.

Additionally, many compliance checks for third parties happen only on a point-in-time basis rather than an ongoing basis. For example, a compliance check is generally run just after a third party has been onboarded and then again once a year to ensure that the compliance standards continue to be met. According to Gartner, though, this approach can cause more problems than it solves. In their research, they found that 83 percent of the legal and compliance officers they spoke to identified third-party risk after the initial due diligence was done and before the recertification process took place. That gap in time poses a significant risk to major corporations using third-party vendors to supplement their businesses.

So how do you manage and mitigate this risk for your own company? Read on to find out.

Identify the Third-Party Players

The first step in mitigating third-party risk is to identify who your third-party partners are. While that seems obvious and simple, it can be far more complex in today’s world. You likely already have a list of those contractors you directly interact with, but do you know who those contractors or companies interact with?

After you have identified the initial list of direct relationships, the best approach to identifying all third-party players is to consider those who represent your company to the outside world. This can include consultants, service providers, dealers, resellers, subcontractors, and more. To compile this additional list, it makes sense to pull in other business unit heads like HR, legal, and procurement, for example, since each group likely has their own list of preferred vendors and associates. By working cross-departmentally, you can ensure that you get a complete view of the external third parties who hold your company’s reputation in their hands.

Identify High- and Low-Risk Groups

Once you have compiled your list, it’s time to separate the third parties into high-, medium-, and low-risk groups so that you and your team can prioritize those that need to be tackled first and those that can be put off until a later date.

Things to consider when creating your lists include:

● Country of origin/operation

● Type of industry (security, data, etc., would take priority)

● Services provided (how vital they are to the continuation of your business)

● Length of the relationship with the vendor

This is just a preliminary list of things to consider when examining your third-party risk exposure, and it should be tailored to your specific business and your partners.

Once you have identified the high-, medium-, and low-risk partners, you can begin to reach out to those that are high-risk and start working with them immediately to bring their processes up to speed.

Create Third-Party Compliance Processes

Once you have your list compiled, it’s time to move on to the next stage and work on your third-party compliance documents. Given that each vendor and contractor offers different value propositions and support for your company, you should come up with a set of blanket documents that each vendor and third party must comply with (and provide proof of compliance with).

These documents should lay out timetables for ongoing check-ins from your internal partners as well as required documentation for proof of compliance. Some things you should consider including in these documents are:

Standardized documentation — What are the bare minimum requirements that your third-party vendors and contractors must meet in order to stay aboveboard?

Recordkeeping requirements — What are the minimum standards that your third-party vendors need to maintain to comply with your standards and your business needs?

Clear expectations — The key to managing third-party compliance risk is to be clear with your company’s needs and expectations around the requirements you put on your contractors and vendors. Realize that you are adding to their workflow and that they likely have other clients who also require compliance updates. Being clear and precise in your expectations will save you and your vendors from massive headaches down the line.

Timeline for regular check-ins and recertification — While most businesses only recertify their vendors at set intervals, it pays to have regular check-ins and updates since the compliance landscape changes regularly. These could be as infrequent as twice a year or as frequent as every quarter. Depending on your industry, you should set the best timeline for your company and the vendor’s workflow.

Distribute these compliance processes and documents to your vendors and give them a set timeline to meet these needs. If a third party does not meet your company’s needs, you’ll have to decide whether to keep the vendor on board and work with them to bring them up to the same compliance standards or let them go.

Distribute and Train Your Third Parties

Once you’ve created and implemented your compliance documents and requirements, you must distribute them to your third-party vendors and ensure that they also share those requirements with anyone they hire to help support them in the work they do for your company. This ensures that everyone in the supply chain is operating under the same rules and compliance standards.

Additionally, you should be ready to train some of your vendors and third-party associates on how to use your tools and what you expect in terms of compliance. Since third parties are generally independent, it’s essential that you offer them some support if they need to meet specific compliance criteria to work with you.

Remember, the contractor is also running a business that has compliance needs, clients who don’t want to be identified, and proprietary processes and technology that they use — and it can be tricky to find the balance required for walking the line between transparency and overly prying. When it comes to this, it could pay to invest in incentives for third-party vendors who meet your criteria. By involving your third parties as true business partners and offering support for any change or reputation management that you request from them, you create a better working relationship. In many cases, you can help contractors develop a sense of empowerment and urgency around the work.

Leverage Technology to Support Your Third-Party Partners

One of the biggest struggles that most corporations have in third-party compliance is managing ongoing monitoring. The best way to tackle this problem is to leverage existing technology to ensure that your vendors and partners are up to speed on your compliance needs. The best systems leverage what is known as the PESTLE framework. PESTLE stands for the risk categories the system monitors:

● Politics

● Economy

● Sociocultural Issues

● Technology

● Law

● Environment

Leveraging technology can be as simple as setting alerts for negative news, legal cases, sanctions, watch lists, and federal alerts for each vendor. If and when a third-party partner or vendor triggers a red flag, you can then reach out directly and do your due diligence to ensure that they are, in fact, up to the standards you require.

Reap the Rewards of Increased Transparency and Better Working Relationships with Third Parties

Once you have worked through the process of bringing your third-party vendors and partners up to compliance standards, you can start to reap the rewards of your hard work. By improving transparency, opening up lines of clear communication, and monitoring third parties on an ongoing basis, you can ensure that your company remains on the right side of both public opinion and the law.

In the process, you’ll also create a stronger working relationship with your vendors by supporting them as they bring their compliance up to your standards. You’ll also demonstrate corporate responsibility to the world at the same time that you support the sustained and steady growth of your own business. Getting a good compliance plan into place is the best thing you can do for the health of your company and for the health of the companies who work closely with you.
