How to make the case for implementing third party compliance training in your organization.
A recent article in the San Francisco Chronicle profiled Jay Jorgensen, the new Global Chief of Compliance at Walmart. The article outlined some of the steps he and the company are taking to rebuild the public’s trust and recapture the compliance high road. As part of that initiative, Walmart is focusing heavily on addressing and lowering the risks related to the use of third parties; something all of us should be concerned with.
Third Party Use is On the Rise—So is the Risk
Third party risk management is troublesome for many companies. Providing ethics and compliance training is one of the most effective ways to the reduce risk of misconduct by third parties, and helps establish key defenses when violations occur. However, as our NAVEX Global Training Benchmarking report shows, more than 57% of the companies surveyed said they provided no training for their third parties.
Recognizing the Problem is Not Enough
Additional NAVEX Global research emphasizes the disconnect between the recognition that third parties are a growing risk (92 percent of respondents expected to grow the use of third parties or weren’t sure) and the solutions survey respondents implemented to address the risk (36 percent of respondents only track information on their most critical third party relationships and 35 percent do not track third party information at all).
Related Resource: A Prescriptive Guide to Third Party Risk Management
Implementing Third Party Training Can Be Complex, But Effort is Worth It
It is a significant challenge for compliance officers to identify and train all of their employees, much less third parties. Third parties can be hard to identify, risk rank and train or certify before engaging them.
Increasing the difficulty level is the fact that your business partners often profess to need these third parties “yesterday.” Nevertheless, engaging third parties before completing due diligence places companies at unnecessary risk. And failing to train them after you’re working with them is missing an opportunity to significantly reduce risk.
Training is also clearly a preferred method for meeting the standard suggested in the SEC/DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act.” When it comes to third parties, the guide makes it clear that, in addition to a risk based due diligence and business purpose tests:
"[The] DOJ and SEC also assess whether the company has informed third parties of the company’s compliance program and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal commitments. These can be meaningful ways to mitigate third-party risk. (p.60-61)"
Making Third Party Training a Reality in Your Organization
Effective third party training can be challenging for many companies to manage on their own. Companies without the resources of a company as large as Walmart—or the added sense of urgency a regulatory investigation brings into focus—may find little support for the necessary effort needed to train hundreds or even thousands of third parties.
One key to making third party compliance training a reality in your organization is to conduct a risk assessment and make a business case for implementing best practices, which should include:
- Have clear anti-bribery and third party supply chain statements in your code of conduct as well as separate policies;
- Identify and rank the risks of third parties;
- Complete appropriate risk based due diligence on the risk level of each third party before engaging them, and continuously monitor the third parties for any red flags (optimally using an automated system), and
- Ensure that third parties have an effective compliance program in place, and are aware of and trained on your company’s expectations with respect to bribery and corruption.
