Organisations are still coming to terms with the breadth and depth of their third party risk. An effective third party risk management programme is in the interest of all organisations—regardless of their size, industry, and degree of involvement with third party providers. Regulatory agencies, the press, and the market are quick to link organisations to the behaviours of their vendors, partners, and resellers – and to hold them accountable.
As this report shows, despite growing scrutiny of third parties from regulatory agencies and the press, many organisations are not yet executing third party risk management programmes that adequately communicate expectations to their third parties, provide defensibility in the case of compliance failures, and reduce the impact of bad behaviour by third parties. There are signs that organisations, often at the behest of their Boards, are ramping up investment in third party due diligence and risk management programmes. Even so, many organisations appear to be struggling to align programme investment and management so that they deliver the confidence they need in their third party risk management programmes.
Survey data revealed the top objectives, pain points and third party risk management programme strategies for ethics and compliance professionals. The following key themes emerged:
- Budget ownership for third party risk management often does not align with programme responsibility.
  - While most respondents recognise the severity of third party risk, our data shows that many organisations use a decentralised and manual approach to programme budgets, ownership and processes, with varying degrees of success. In many of the organisations surveyed here, third party due diligence programme leaders do not control their own budgets.
- “Bribery and corruption” is, by far, organisations’ top ethics and compliance concern regarding third party misconduct (39%).
  - High levels of concern about bribery and corruption, fraud and conflicts of interest are not surprising given the volume of regulatory action pursued over compliance failures committed by third parties acting on behalf of the organisations that contracted them. Bribery and corruption in particular are on many organisations’ radars due to increasing enforcement and high-profile prosecutions under the Foreign Corrupt Practices Act (FCPA) by the US Department of Justice and under the UK Bribery Act, and due to the volume of whistleblower tips being communicated to the SEC’s Office of the Whistleblower.
- Most organisations (68%) evaluate third parties before engaging with them, and organisations are more likely to monitor third parties themselves than to outsource third party monitoring.
  - Thirty-seven percent of organisations work with an outsourced third party due diligence provider to some degree, but just 14% use such a vendor to conduct continuous third party due diligence screening; 31% report that they continuously monitor third parties using internal resources only. Inconsistencies in programme performance shown within this report indicate that in many cases the initial evaluation is not robust enough. Without a consistent and continuous process in which existing third parties are re-evaluated prior to contract renewal or adjustment, inadequate screening that is neither risk-based nor documented may come back to haunt the organisation.
- Organisations that outsource third party due diligence are significantly more pleased with the effectiveness of their third party risk management programme.
  - Within this analysis, organisations that use an outsourced provider to help manage their third party due diligence programmes report significantly higher programme satisfaction ratings than those that do not. These higher satisfaction ratings apply across multiple best practice programme criteria (outsourced compared to not outsourced), including:
    - Compliance with legal and regulatory demands: 78% compared to 65%
    - Ensuring a culture of compliance: 65% compared to 44%
    - Documentation management: 49% compared to 41%
    - Programme defensibility: 52% compared to 41%
    - Overall programme: 53% compared to 32%