Earlier this month news broke that the venerable British automaker Rolls-Royce had settled an international prosecution alleging that the company’s third-party intermediaries bribed local officials in Asia. The company agreed to pay $809 million, ending an investigation that began in December 2013. At that time, investors valued Rolls-Royce at more than $28 billion, thanks largely to its reputation as one of the world’s most prestigious brands. But its valuation fell by more than 20 percent in the two months after the investigation became public. Today it trades at about half of its pre-scandal value.
We live in a world where reputational damage can happen fast, and with devastating consequences. As a marketer, I’ve spent a career building corporate brand equity. So every time I see a story like the one above, I think not only of the lost shareholder value but also of the reputational hit the company’s brand is sure to take. Repairing reputational damage is an arduous process that is both time-consuming and expensive and, unfortunately, some brands never make it all the way back.
Today’s companies are often sprawling organizations with operations on every continent. And, as NAVEX Global’s 2016 Ethics & Compliance Third Party Management Benchmark Report shows, they rely more and more on contractors and vendors, not only as suppliers but often as their representatives in far-flung locations. Once you contract with a third party, they are part of your organization. Their mistakes are now your mistakes. Risks they create are shared, even owned, by you. And even if contractual arrangements appear to insulate your organization from financial exposure due to third-party malfeasance, there’s no negotiating away the reputational risk. Throw in a 24-hour, worldwide news cycle and you’ve got reputation risk that never sleeps—and a compliance officer who can’t.
Fortunately, it is possible to automate much of the detailed work required to monitor your third parties and to mitigate the exposure they might create for your firm. Recent advances in cloud-based, third-party risk assessment and monitoring systems make what used to be a nearly impossible task both possible and completely manageable.
The best of these systems use a risk-based approach to third-party risk management that aligns nicely with the imperatives and methods of robust compliance programs. Fully aware that their organizations’ reputations hinge on diligent third-party management, forward-thinking compliance professionals seek to ensure that all key stakeholders have access to reliable data on third parties that is updated in as close to real time as possible. This reflects a commitment to thorough due diligence – including screening for reputational risks through the examination of adverse media, sanctions lists, PEP and politically compromised persons lists – as part of structured third-party onboarding and monitoring processes. Given how quickly an organization’s list of third-party partners can grow, the only effective way to manage this risk is through automation.
The good news is there are solutions available today, including NAVEX Global’s RiskRate Enterprise Due Diligence platform, which provide the necessary level of automation and structure for successful third-party risk assessment and management. The key is to centralize all key processes, documents, workflows, and records review in a single platform that is accessible to key users and all stakeholders across the organization.
Think about your third parties today, and how many of them your organization uses compared to five years ago. The number is certainly larger and likely to grow. Individually, each third party presents a certain level of risk. Collectively, it could be one of the biggest areas of risk your organization must manage. Your third-party risk management due diligence must account for the number of third parties you employ, but just as importantly, it must have the ability to drill down and provide in-depth, global, real-time information that allows you to respond quickly and decisively if there is an issue. In short, your platform must scale for number as well as complexity. Your reputation depends on it.