Skip to content

Why third-party risk shouldn’t mean sleepless nights

Howard Presland
Howard Presland
Global Head of Third Party Risk

A look at how increased globalization, outsourcing of non-core activities, regulatory pressure and consumer scrutiny are all contributing to a complex third-party risk landscape.

    1. Professionals now need to navigate the increasingly complex third-party risk landscape.
    2. What is third-party risk beyond regulation and the impact of reputational and operational risk?
    3. How can a risk-based approach provide effective third-party risk management?

Just ‘ABC’ or ‘XYZ’ too?

There are key regulatory drivers that demand any company’s attention when it comes to third-party risk, but is it only suppliers and bribery and corruption (ABC), or should other parties and wider risks be keeping third-party risk professionals up at night, too?

The phrase “Do you really know who you are doing business with?” should be applied not just to supplier relationships but to numerous other types including vendors, distributors, agents and subsidiaries particularly when moving into new markets across geographies.

Regulatory-driven risk assessment and monitoring is the minimum that should be undertaken in this complex environment where so many other risk-types are impacting global businesses.

But ABC is certainly a good place to start…

Over the last few years, there has been a significant increase in the number of enforcement actions and fines for companies who have breached the U.S. Foreign Corrupt Practices Act (FCPA).

Although not the only anti-bribery and corruption legislation (or widest in terms of application), it has certainly been the most enforced to-date and in 2017 resulted in 11 companies paying just over US$1.92 billion to resolve cases.

U.S. Foreign Corrupt Practices Act enforcement actions
Source: Gibson, Dunn, Crutcher 2018

And while the majority were U.S. based, the remainder covered Europe, Asia and South America  a truly global spread.

…as is sanctions

Doing business  whether knowingly or unknowingly  with a sanctioned entity or individual poses a significant risk to organizations with narrative and sectoral sanctions directives adding another layer of complexity. The value of screening against accurate and trusted data for these risks cannot be emphasized enough. Here are some practical tips.

Sanction breaches are pretty much as industry-agnostic as it gets  as shown in the diagram below which highlights U.S. Office of Foreign Assets Control-related industry penalties for doing business with sanctioned individuals and companies.

Penalties for non-banking companies breaching OFAC sanctions 2011-17

But don’t forget the ‘XYZ’…

As a leading defense lawyer in an FCPA case recently said: “Ignore the internet at your peril.” As mentioned in my introduction it’s not just about regulatory risk which is just the tip of the risk iceberg.

Reputational risk is equally important to effective third-party risk management and along with board-level exposure, robust governance and effective tools and processes, is a business priority.

Finding out that your third-party has connections to human trafficking, forced labor, narcotics trafficking or a host of other illegal activities can do significant harm to your brand.

No organization wants to be front-page news for the wrong reasons and subject to PR efforts and brand remediation costs  all of which are unnecessary with effective third-party risk management.

Additionally, the significant rise in public pressure for companies to operate ethically and with transparency should not be underestimated.

Financial and operational risk

In fact, in addition to regulatory and reputational risk, a truly holistic view of a third-party risk might include:

  • Modern-day slavery and human rights abuse
  • UBO
  • Negative media
  • Environmental Social Governance
  • Financial health
  • Cyber security
  • Country and industry risk

… the list goes on.

Country risk ranking
Sources: 300+ third-party public domain sources

This is where a risk-based approach is critical to effective third-party risk management. Whether growing your business in new markets or developing partnerships, the ability to understand the risks, define your risk-based approach and assess and prioritize what are often limited risk resources is instrumental to success.

Knowing when to go deeper…

A robust risk-based approach across multiple risk types will allow you to better understand when to delve deeper through enhanced due diligence to get a better view of any risks which might pertain to your third parties.

This includes connections to politically exposed persons, the financial health of a company, information on the directors and any connections to sanctioned entities of those associated to financial crime activities.

Next time

Although in this blog we have just scratched the surface of what may cause a sleepless night, we will dig deeper and continue the conversation in our second blog in the series later this month.

Watch this space for issues raised in our customer insights survey, what makes a comprehensive third-party risk workflow and what is required to form a workable anti-bribery-corruption program.