Implementing a streamlined, resource-efficient, and sustainable approach to mitigating third-party risks, monitoring compliance, and managing issues and investigations.Download a Solution Brief
Who constitutes a third party?
In today's globalized world, the average company has numerous third-party relationships – be it with a supplier, a distributor, a lawyer, or even a client. These third parties help the company grow its business. Yet, they also bring along new risks -- including IT security risks, health and safety risks, anti-corruption risks, environmental risks, operational risks, regulatory compliance risks, and quality risks.
Some of these risks are usually assessed and analyzed by companies during the on-boarding process to determine whether or not one they are doing business with someone they can trust. But after that third-party risk management and due diligence usually takes a backseat.
This approach has serious drawbacks. Third-party risks which are not identified and mitigated in time can snowball into serious issues which affect one's profitability and reputation. It doesn't matter if the issue is the third party's fault. Ultimately, the company who hired the third party is held responsible by regulators and customers for not doing enough to uncover and address the issue in a timely manner.
That leaves companies in a bit of a dilemma. On one hand, they need to grow and stay competitive which involves, to some extent, expanding their third-party network. But on the other hand, if they happen to do business with a high-risk or non-compliant third party, they could get into trouble.
Compounding the challenge, regulators have become much more stringent in their oversight of third-party risks. A spate of regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Anti-Money Laundering (AML) requirements, conflict minerals reporting requirements, the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the Federal Trade Commission (FTC) Act, and the Dodd-Frank Act have increased the pressure on companies to enhance third-party due diligence. They need to effectively assess third-party risks, monitor compliance, conduct due diligence assessments, identify gaps that could create new risks or compliance violations, and proactively address and remediate issues that arise.
- In 2012, the SEC charged a top pharmaceuticals company for, among other things, using third party intermediaries to make improper payments to foreign officials in order to increase the sales of its products.
- In 2009, a healthcare provider in Dallas found that one its contract security guards had hacked into several computers, including systems that contained confidential patient information.
- In 2013, several top retailers in Europe were forced to recall their products after food suppliers were suspected of mislabeling beef as horsemeat.
- In 2012, major technology manufacturing companies were at the receiving end of negative publicity after their third-party contractor was found to be violating labor and working conditions rules in its factories with illegal amounts of overtime, crowded working conditions, under-age workers, and, in some cases, serious industrial accidents.
- In 2011, the FSA fined a global insurance intermediary based in U.K. for failings in its anti-bribery and corruption systems controls. These failings created an unacceptable risk where payments made by the company to overseas third parties could be used for corrupt purposes.
The Current Approach to Third-Party Due Diligence
Companies across the world are striving to establish effective processes and systems to manage third-party risks and regulatory compliance. Yet more often than not, their approach is ad hoc and fragmented. Some companies face growing difficulties due to constant changes in their third-party network. Others focus on areas such as third-party performance management, but fail to pay sufficient attention to third-party risk management and compliance monitoring. As a result, they aren't able to proactively unearth potential ethical issues resulting from security breaches, bribery, money laundering, regulatory violations, and so on.
The need of the hour is a comprehensive program for third-party due diligence and oversight. Strong policies, training programs, risk assessments, controls, audits, investigations, and timely issue remediation are critical in this regard, and are increasingly being expected by regulators and government authorities across countries.
Companies with a robust program for due diligence and third-party governance stand to benefit in several ways. They gain the risk intelligence and business insights necessary to not only mitigate third-party risks such as non-compliance or unethical behavior, but also protect their business against fraudulent transactions. They also streamline third-party management, and enhance due diligence. And finally, they are well-positioned to forge a reputation of integrity, credibility, and reliability that automatically attracts and sustains customer loyalty.
What Are the Challenges That Arise?
Despite the growing importance of third-party due diligence, many companies continue to struggle with it. Here are some of the challenges they face:
Increasing complexity of the third-party network:
As companies expand into new markets and geographies and diversify their business, many have begun to work with a broad range of third parties. As a result, it becomes increasingly overwhelming and resource-intensive to manage and monitor these third parties, or even know who to target and how much. Unlike one's employees, third parties have to be managed indirectly – which makes governance all that more difficult.
Limited collaboration, increased redundancies
Give the vastness of the third-party network, many companies opt for a "siloed" approach wherein different departments manage different third-party functions. So, for instance, the same third-party vendor may be subject to due diligence assessments by the purchasing department, inventory personnel, and the manufacturing department. If the assessment results are not centralized and consolidated across these different levels, they could result in redundancies and duplicate effort.
Many times, companies run the initial risk assessments and checks on third parties. But post that, third-party due diligence processes are often neglected due to cost pressures. Conducting audits and assessments, and preparing reports takes substantial manpower, time, effort, and resources since in most companies, these activities are done manually using spreadsheets or paper-based processes.
Regulatory compliance pressures
Companies across industries are faced with increasing regulations related to anti-bribery and corruption, conflict minerals reporting, vendor management, security, and privacy – all of which call for effective third-party management and due diligence. Non-compliance with these regulations can result in expensive fines, penalties, and legal prosecution, not to mention reputational damage. The challenge is compounded by the fact that different countries have different regulations. So a global company would be forced to implement multiple independent compliance assessments across the regions in which it operates.
Large volumes of data, limited transparency
Third-party governance, risk assessments, and compliance monitoring involve extremely high volumes of data. It becomes increasingly difficult to make sense of this data and transform it into meaningful insights. Many times, companies are unable to uncover third-party issues, trends, or loopholes in a timely manner because they don't have visibility into these areas of concern. All they have is a mountain of data but no way to derive actionable information that can drive decision-making accordingly.
Steps to Strengthen Third-party Due Diligence
As companies strive to overcome the challenges of third-party due diligence, here are a few important steps that can be taken:
Screen each third party
Companies that take the time to conduct proper background checks on each third party are well-positioned to build trustworthy relationships. These companies usually collect and analyze data on third-party executives, reputation, government dealings, past convictions, payment accounts, anti-corruption policies, and other critical areas. This data is then compared against government sanctioned lists and other external databases to verify the facts, and identify red flags, if any. These databases include the Specially Designated Nationals (SDN) list from the Office of Foreign Assets Control (OFAC), the Terrorist Exclusion List (TEL), the Office of Inspector General (OIG) sanctions list, and the Defense Trade Controls (DTC) list of debarred parties.
Conduct thorough risk assessments
Different third parties pose different levels of risk such as country risk (e.g. high corruption), transaction risk (e.g. charitable contributions), and employee risk (e.g. lack of clear policies and training). It's important to understand these risks by assessing them, and then categorizing and ranking third parties accordingly (e.g. high risk, low risk, and moderate risk). This approach helps determine the appropriate due diligence processes that need to be applied. For instance, a supplier located in a high-risk country would need a greater level of audits and investigations than one located in a low-risk country.
Maintain a comprehensive third-party database
A good practice is to maintain a comprehensive database of all third parties with clear definitions of their roles, responsibilities, and lines of reporting. So, if any issue arises, it can be traced back to the source. The database should enable easy access to and search of third-party licenses, questionnaires, analyses, background checks, certifications, and other important documents.
Develop a comprehensive code of conduct and policies, and communicate them effectively
Codes of conduct and policies helps third parties understand a company's rules and boundaries for ethical behavior and regulatory compliance. What is important is the way this content is communicated. Comprehensive training sessions supplemented with refresher courses are ideal. When it comes to a global audience of third parties, training programs should be customized to take into account cultural and language differences. The key is to focus on what behavior is expected of third parties, especially in "grey" situations – such as when one has to identify the difference between gift giving as a cultural norm, and gift giving as a means to win business.
Third parties are responsible for establishing and monitoring their own compliance controls. But the companies who hire them are also required to implement preventive, detective, and corrective controls to keep third-party risks and compliance violations in check. Controls need to be monitored, measured, and tested at regular intervals through appropriate due diligence measures.
Perform due diligence
Audits, inspections, and other due diligence processes enable companies to evaluate third-party controls and compliance with codes of conduct, policies, contract stipulations, regulations, and other requirements. A risk-based audit is a good idea as it optimizes costs and efficiency. Many companies choose different forms of audits including surveys, due diligence checklists, interviews with employees, and certifications from third-party executives. Whatever the method, it is important that the issues identified during the audit are addressed and remediated in a collaborative manner with the third parties.
Implement a robust process for issue reporting and remediation
Employees from third-party organizations should be encouraged to report compliance or ethics violations through hotlines, web-based interfaces, or direct access to the relevant legal and compliance officials. The idea is to foster a culture of honesty and accountability with the assurance that "whistle blowers" will be protected. Based on the issues reported, companies should initiate comprehensive due diligence investigation and remediation processes without any delay. Getting to the root cause of the issue is critical. Alongside, disciplinary and preventive actions are important in strengthening third-party management and ensuring that issues don't recur.
How MetricStream Can Help
MetricStream offers a broad and flexible solution to help companies strengthen third-party risk management, due diligence, and compliance. Built on a scalable GRC platform, the solution extends across the global enterprise unifying all third parties in a common framework. This kind of integration enables companies to collaborate more easily with third parties, and gain greater visibility into risks, ethics violations, and issues. The solution also streamlines end-to-end third-party due diligence processes, creating greater accountability, and driving optimal resource utilization.
Below, in greater detail are the key capabilities of the MetricStream solution:
Third-party Information Management and Onboarding
The MetricStream solution provides a centralized repository in which companies can maintain and easily access information on each third party, including contracts, profiles, due diligence assessments, audits, findings, and reports. The solution also facilitates a systematic, closed-loop approach to third-party onboarding, re-qualification, and contract management. Each third-party can be closely mapped to their roles, responsibilities, and other parameters for complete accountability and transparency.
Third-party Risk Management
The MetricStream solution enables companies to proactively identify, manage, and mitigate third-party risks. Powerful risk heat maps and calculators help assess, rate, and rank these risks, based on which companies can efficiently direct maximum resources to address high-risk areas. The solution also helps define and monitor risk indicators, with automatic alerts indicating when thresholds are about to be breached. A centralized risk library maintains all risk details, thus helping establish a common risk vocabulary across third parties. In addition, the underlying data model provides the flexibility for third-party risks to be mapped to the corresponding controls, control tests, policies, and regulatory compliance requirements in a one-to-one and one-to-many manner.
The MetricStream solution helps streamline the development, management, and communication of codes of conduct and policies for third parties. Integrated collaboration and workflow tools can be used to access, create, modify, review, and approve policy documents globally in a controlled manner. Built-in tools enable surveys and certifications to be configured and implemented to confirm policy distribution and acceptance among third parties. The solution also helps map policies to regulatory compliance requirements, and track exceptions.
The MetricStream solution provides powerful capabilities for managing third-party training, and creating awareness about a company's code of conduct and policies. It offers a comprehensive training content repository, simplifies training delivery and tracking, enables classes to be scheduled, and helps ensure that training requirements are fully met and recorded from a compliance standpoint.
Using the MetricStream solution, companies can design and establish controls to mitigate third-party risks, and prevent compliance violations. The solution supports control assessments based on pre-defined criteria and checklists, and provides tools for quickly scoring, tabulating, and reporting results. It also supports automated control monitoring and testing, thus saving effort and resources. A centralized database of all control assessments helps users identify if a specific control was tested or not, and if so, what the results were, and what future action is required.
The MetricStream solution streamlines end-to-end due diligence audits, right from audit planning and scheduling, to audit fieldwork, review and analysis of audit findings, reporting, and management of follow-up activities. Advanced capabilities such as an audit advisor, shared calendar, configurable due diligence checklists, automatic alerts and notifications, and graphical dashboards help drive optimum value and collaboration in each audit.
Issue Management and Investigation
The MetricStream solution integrates with multiple issue reporting systems such as hotlines and online interfaces to capture third-party issues and complaints. Through automatic rule-based routing, the issues are sent to the appropriate personnel for due diligence investigations. Inbuilt capabilities support root cause analysis, assignment of follow-up actions, and initiation of corrective and preventive action. The solution also enables companies to effectively collaborate with third parties to remediate existing issues, and avoid new ones.
The solution provides real-time visibility into third-party compliance, risks, and issues, thereby enabling companies to make more informed business decisions. Management gains a complete view of third-party due diligence with comprehensive aggregate reporting as well as individual case status tracking capabilities. Graphical executive dashboards and flexible due diligence reports with drill-down capabilities provide statistics, analytics, and trends on risks and compliance, enabling management to respond proactively.
Benefits of the MetricStream Solution
- Provides a centralized framework to manage the complete range of third-party risk, compliance, audits, due diligence, and issue management processes
- Transcends organizational siloes, facilitating seamless collaboration between companies and their third parties
- Minimizes due diligence redundancies, and optimizes costs
- Provides real-time visibility into third-party due diligence, helping companies make informed business decisions
- Enables proactive identification and mitigation of third-party risks and issues
- Provides advanced risk analytics that help transform third-party data into meaningful insights
- Simplifies and automates resource intensive due diligence processes such as third-party risk ranking and monitoring
- Enhances compliance with the full range of third-party management regulations including HIPAA, FCPA, the UK Bribery Act, the FTC Act, and the Dodd-Frank Act