NAVEX Global’s fourth annual Third-Party Risk Benchmark Report is expected to provide important insights on the current state of third-party risk management and how third-party risk programs fit into larger compliance and organizational objectives. This year’s data pulls from 1,200 respondents, 500 of whom are responsible for their third-party risk management function.
Within this holistic context, the Benchmark Report contains important findings and identifies trends and performance measurements for third-party risk management strategies. Today, as I work with NAVEX Global to prepare the 2018 Third-Party Risk Benchmark Report for release, two early findings have surfaced as key indicators of the state of third-party risk management in 2018.
1. Advanced Programs Apply a Risk-Based Approach to Third-Party Due Diligence
There is no single well-established procedure or strategy for implementing an effective third-party risk management program. Respondents most often indicated that they apply due diligence based on the classification and risk level assigned to each third party (37%), or that they treat all third parties the same regardless of risk level (27%).
- Advanced programs apply a risk-based approach to third-party due diligence (69%), while organizations with Maturing programs are mixed between using risk-based approaches (45%) or applying the same procedure to all third parties regardless of risk level (31%).
- A sizable number of government/non-profit organizations apply the same procedure regardless of risk level (40%).
The most common practices for managing third-party risk across all levels of program maturity are screening (70%) and monitoring (61%).
- Advanced programs are more likely to employ all approaches to managing risk than less mature programs, although only just over a third (39%) deliver third-party training, incentives, certifications or program compliance.
- Almost half of Mature programs perform enhanced due diligence (47%).
- Only a minority of Basic and Reactive programs employ any specific third-party risk management practices beyond screening and monitoring.
The Benchmark Report confirms that organizations are increasing their focus on third-party risk: 37 percent of respondents indicated they rely on a risk-based program that applies different degrees of due diligence based on classification criteria and risk level. Even more positive is the fact that 69 percent of Advanced programs and 45 percent of Maturing programs are building a robust risk-based program. Aside from these positive developments, the survey results reveal that there are still a number of organizations with Reactive programs that neither classify nor assign risk levels to third parties. The three-quarters of Reactive programs that currently do nothing to address third-party risk represent a lingering group of organizations that have failed to make any commitment to addressing third-party risks.
A majority of all survey respondents screen and monitor their third parties. Such steps are a basic requirement for any organization that engages third parties. Still, it is surprising that 30 percent of all respondents do not perform screening, and nearly 40 percent of respondents do not monitor their third parties.
As explained in the FCPA Guidance, a third-party risk management program is incomplete and unable to achieve its purpose if the engaging organization does not screen all of its third parties consistently and comprehensively. There is no way to accurately risk-score third parties, or to identify and stratify their respective risks, unless all data points are reviewed. Risk data gives organizations visibility across their third parties and lets them identify unambiguously where their third-party risk lies. With such information, organizations are able to mitigate their risks, including by conducting enhanced due diligence of third parties when necessary. Without it, organizations are needlessly exposing themselves to avoidable risk.
2. Third-Party Risk Managers Say Top Objective Is Organizational Culture
Creating a culture of ethics, integrity and respect is the top ethics and compliance program objective (68%) and is seen as more important than implementing preventative measures and practices to avoid future issues (62%) and navigating and complying with laws and regulations across jurisdictions (47%).
- Responses from third-party risk management professionals about program objectives correspond with those of ethics and compliance professionals overall – 69 percent indicated commitment to a culture of ethics, integrity and respect; 65 percent selected implementing preventative measures and practices to avoid future issues; and 49 percent selected complying with laws and regulations across jurisdictions as top program objectives.
- Organizations with annual revenues of $1 billion or more are more likely to focus on navigating and complying with laws and regulations across jurisdictions than organizations with less than $50 million in revenue (56% vs 42%).
The results reflect an important trend in ethics and compliance programs and third-party risk management: organizations are recognizing the importance of promoting their ethical culture. This year’s results reflect an important transformation in ethics and compliance program objectives. In past years, the top objective of ethics and compliance professionals was to avoid legal and regulatory enforcement matters. This perspective has now evolved. This year both ethics and compliance and third-party risk management professionals indicated that their top objective was their organization’s ethical culture. It is clear that ethics and compliance professionals understand the importance of an ethical culture to a company’s overall financial performance and sustainability. Third-party risk management plays a critical role in promoting a company’s ethical culture and protecting it from third-party misconduct.
We continue to see the rising importance of third-party risk managers in ethics and compliance programs. As these professionals take on greater responsibilities, they usually have a dedicated budget for their function and exercise increased decision-making authority.
The increase in and consolidation of third-party risk management responsibilities into ethics and compliance programs is a natural development as regulations and enforcement agencies expect organizations to expand their ethics and compliance programs to manage and mitigate their third-party risks. As part of this overall responsibility, ethics and compliance programs share their company’s code of conduct, implement ethics training and other program elements with their third parties, and often require attestation to policies and behavioral expectations before agreements can be completed.
These are just two of the many findings that will be included in the 2018 Third-Party Risk Management Benchmark Report. You can join me for a deep dive into the data in the webinar “State of Third-Party Risk Management in 2018” on Thursday, October 16.