NAVEX Global's 2015 Ethics & Compliance Third Party Risk Management Benchmark Report
Organizations are still coming to terms with the breadth and depth of their third party risk. An effective third party risk management program is in the interest of all organizations—regardless of their size, industry, and degree of involvement with third party providers. Regulatory agencies, the press, and the market are quick to link organizations to the behaviors of their vendors, partners, and resellers – and to hold them accountable.
As this report shows, despite growing scrutiny of third parties from regulatory agencies and the press, many organizations are not yet executing third party risk management programs that adequately communicate expectations to their third parties, provide defensibility in the case of compliance failures, and reduce the impact of bad behavior by third parties. Though there are signs that organizations—often at the behest of their Boards—are ramping up investments in third party due diligence and risk management programs, there are many organizations that appear to be struggling to align their program investment and management to deliver the confidence they need in their third party risk management programs.
Survey data revealed the top objectives, pain points and third party risk management program strategies for ethics and compliance professionals. The following key themes emerged:
- Budgeting ownership for third party risk management often does not align with program responsibility.
- While most respondents recognize the severity of third party risk, our data shows that many organizations use a decentralized and manual approach to program budgets, ownership and processes, with varying degrees of success. In many organizations surveyed here, third party due diligence program leaders do not control their own budgets.
- “Bribery and corruption” is, by far, organizations’ top ethics and compliance concern regarding third party misconduct (39%).
- High levels of concern about bribery and corruption, fraud and conflicts of interest are not surprising given the amount of regulatory action being pursued over third party compliance failures committed in the service of the organizations that contracted with them. Bribery and corruption in particular are on many organizations’ radars due to increasing enforcement and high-profile prosecutions under the Foreign Corrupt Practices Act (FCPA) by the US Department of Justice and under the UK Bribery Act, and the volume of whistleblower tips being communicated to the SEC’s Office of the Whistleblower.
- Most organizations (68%) evaluate third parties before engaging with them, and organizations are more likely to monitor third parties themselves than to outsource third party monitoring.
- Thirty-seven percent of organizations work with an outsourced third party due diligence provider to some degree, but just 14% use such a vendor to conduct continuous third party due diligence screening; 31% report that they continuously monitor third parties using internal resources only. Inconsistencies in program performance shown within this report indicate that in many cases the initial evaluation is not robust enough. And without a consistent and continuous process in which existing third parties are reevaluated prior to contract renewal or adjustment, inadequate screening that is neither risk-based nor documented may come back to haunt the organization.
- Organizations that outsource third party due diligence are significantly more pleased with the effectiveness of their third party risk management program.
- Within this analysis, organizations that use an outsourced provider to help manage their third party due diligence programs report significantly higher program satisfaction ratings than those who do not. These higher satisfaction ratings apply across multiple best practice program criteria, including:
  - Compliance with legal and regulatory demands: 78% compared to 65%
  - Ensuring a culture of compliance: 65% compared to 44%
  - Documentation management: 49% compared to 41%
  - Program defensibility: 52% compared to 41%
  - Overall program: 53% compared to 32%