The more things change, the more things stay the same. As compliance matures as an industry, we sometimes forget the foundational best practices that our programs are built upon. Every last Friday of the month, we revisit some of our most educational posts from the past. We think you’ll find they are just as relevant today.
Originally published December 2016
Of the wide range of challenges that compliance officers face with third parties, my favorite is: who “owns” third-party risk management?
The answer to that question isn’t clear. The 2016 Third-Party Risk Management Benchmark Report asked 394 compliance professionals who held key responsibilities for third-party risk management at their organizations. More often than any other function, compliance got the call: it was the most likely to lead the effort (39 percent), to pay for it (27 percent), and to make the final decision on purchasing third-party risk management solutions (36 percent).
Still, those numbers don’t bring much clarity. If 39 percent of large companies tap compliance to oversee third-party risk, that also means 61 percent place the duty somewhere else. And as we can see from that survey question—which offered 10 possible answer choices—the other 61 percent of compliance professionals assign the job to any number of other functions in the enterprise.
We have no consensus here.
To my thinking, a better question for chief compliance officers to ask is this: How do you establish enterprise-level accountability for third-party risk? This question didn’t confront large organizations until the last few years, and it’s more difficult to answer than one might think—because implicit within it is another question: Who feels the pain for poor governance of your third parties?
The truth is that different people within the enterprise feel different types of pain for poor oversight of third parties. That’s why compliance officers struggle to articulate the value of good third-party risk management (another finding from the report); and why “accountability” is so hard to achieve. In very tangible ways, accountability means different things to different people, all within the same company.
Who Owns What
Let’s first consider how third-party risks have changed in the last few years. Regulators are holding companies more accountable for third parties’ misconduct (think FCPA); investors have done the same amid increased corporate disclosure (think conflict minerals or human trafficking); and businesses themselves have come to rely on third parties for more important tasks (think cybersecurity).
What’s really happened is that third-party risks have transformed. Where once upon a time they were disparate operational risks that could be managed locally, today they have evolved into compliance and reputation risks that demand senior executives’ attention. That’s new and difficult at the same time. No wonder companies haven’t figured out how to handle it.
The critical question is whether your other business procedures, processes and controls have kept pace with this transformation of third-party risk. If they haven’t, then employees out in the operating units—the people finding, contracting and working with third parties—don’t feel the same urgency for good third-party oversight that senior executives do.
That’s when enterprise-level accountability for third-party risk is elusive, and when “owning” third-party risk doesn’t translate into reduced risk.
For example, a survey published by Deloitte earlier this year, of 170 senior executives at large global businesses, found that 75.5 percent of respondents said their organizations were moving to a more decentralized structure. Well, if you empower local business units with more operational autonomy—including the use and monitoring of third parties—do you also assign responsibility for third-party governance to those local units? Or do you keep the vetting and contracting of third parties under corporate control?
Either answer is fine. The issue is whether senior executives have fully considered their governance strategy here. Otherwise the local units see third parties as an operational issue (“How can I bring them aboard to meet my performance targets?”), while senior executives see them as a compliance and reputation issue (“How do we rectify this misconduct mess that just tarred our company?”).
That is, two different parts of the company view third parties in two different ways. Third-party misconduct affects you in two different ways—unless the chief compliance officer, along with other senior executives, sit down and figure out how to ensure all employees view third parties the same way.
That “figuring out” can take the form of a strong corporate culture, robust due diligence, well-crafted compensation programs and the like. Those are all solid ideas that deserve their own blog posts on another day.
For now, we just want to establish the nature of the challenge. To create enterprise-level accountability for third-party risk, first understand that it manifests in different ways to different parts of the business. You’ll need to get your arms around all of them.