Group-Level Accountability for Third-Party Risk: Why It’s So Hard


Of the wide range of challenges that compliance officers face with third parties, my favorite is: who “owns” third-party risk management?

The truth is that different people within the enterprise feel different types of pain for poor oversight of third parties.

The answer to that question isn’t clear. The 2016 Third-Party Risk Management Benchmark Report asked 394 compliance professionals about who had key responsibilities for third-party risk management at their organizations. More often than any other function, compliance got the call. It was the most likely to lead the effort (39 percent), to pay for it (27 percent), and to make the final decision on purchasing third-party risk management solutions (36 percent).

Download Report: 2016 Third-Party Risk Management Benchmark Report

Still, those numbers don’t bring much clarity. If 39 percent of large companies tap compliance to oversee third-party risk, that also means 61 percent place the duty somewhere else. And as we can see from that survey question—which offered 10 possible answer choices—the other 61 percent of compliance professionals assign the job to any number of other functions in the enterprise.

We have no consensus here.

To my thinking, a better question for chief compliance officers to ask is this: How do you establish enterprise-level accountability for third-party risk? This question didn’t confront large organizations until the last few years, and it’s more difficult to answer than one might think—because implicit within it is another question: Who feels the pain for poor governance of your third parties?

The truth is that different people within the enterprise feel different types of pain for poor oversight of third parties. That’s why compliance officers struggle to articulate the value of good third-party risk management (another finding from the report); and why “accountability” is so hard to achieve. In very tangible ways, accountability means different things to different people, all within the same company.

Who Owns What

Let’s first consider how third-party risks have changed in the last few years. Regulators are holding companies more accountable for third parties’ misconduct (think FCPA); investors have done the same amid increased corporate disclosure (think conflict minerals or human trafficking); and businesses themselves have come to rely on third parties for more important tasks (think cybersecurity).

What’s really happened is that third-party risks have transformed. Where once upon a time they were disparate operational risks that could be managed locally, today they have evolved into compliance and reputation risks that demand senior executives’ attention. That’s new and difficult at the same time. No wonder companies haven’t figured out how to handle it.

Read More: Third-Party Risk Programs Should Focus on Offense, not Defense

The critical question is whether your other business procedures, processes and controls have kept pace with this transformation of third-party risk. If they haven’t, then employees out in the operating units—the people finding, contracting and working with third parties—don’t feel the same urgency for good third-party oversight that senior executives do.

That’s when enterprise-level accountability for third-party risk is elusive, and when “owning” third-party risk doesn’t translate into reduced risk.

For example, a survey published by Deloitte earlier this year, of 170 senior executives at large global businesses, found that 75.5 percent of respondents said their organizations were moving to a more decentralized structure. Well, if you empower local business units with more operational autonomy—including the use and monitoring of third parties—do you also assign responsibility for third-party governance to those local units? Or do you keep the vetting and contracting of third-parties under corporate control?

Either answer is fine. The issue is whether senior executives have fully considered their governance strategy here. Otherwise the local units see third parties as an operational issue –“How can I bring them aboard to meet my performance targets?”—while senior executives see them as a compliance and reputation issue – “How do we rectify this misconduct mess that just tarred our company?”

That is, two different parts of the company view third parties in two different ways. Third-party misconduct affects you in two different ways—unless the chief compliance officer, along with other senior executives, sit down and figure out how to ensure all employees view third parties the same way. 

That “figuring out” can take the form of a strong corporate culture, robust due diligence, well-crafted compensation programs and the like. Those are all solid ideas that deserve their own blog posts on another day.

For now, we just want to establish the nature of the challenge. To create enterprise-level accountability for third-party risk, first understand that it manifests in different ways to different parts of the business. You’ll need to get your arms around all of them.

Our third party risk management software, RiskRate, works around the clock so you don’t have to, transforming third party due diligence. Get a customized demo to see how it will work for you. 

What do you have to say? Share your thoughts in the comments below or join a discussion group on Compliance Next.

Ironic Lessons Learned From the Higher Ed Bribery Scandal

Third-Party Risk Programs Should Focus on Offense, not Defense

The number of organizations evaluating third parties is going down, while the number of third parties they are planning to engage with is going up, according to a recent survey. This means organizations are not only going in blind to critical business decisions, but also not maximizing the benefit effective due diligence can have on third-party relationships.
Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

New Compliance Regulations for France and Italy Demonstrate the Growing Convergence of Anti-Corruption and Whistleblowing Standards in Europe

The French anti-corruption and whistleblower protection law, Sapin II, was passed last month and an updated piece of Italian whistleblowing legislation for banks is currently under discussion in the form of Bill proposal no. 2208. These regulations will have implications for your firm if you do business in France or Italy. In partnership with Baker & McKenzie, we have prepared a legal brief that summarises the fundamental features of both laws and the next steps to take for organisations to achieve compliance best practices.
Next Post Previous/Next Article Chevron Icon of a previous/next arrow.


Email Signup