A little over a year ago the Rana Plaza factory collapsed and 1,100 garment workers died. This human disaster resulting from questionable construction practices and workplace safety issues focused the eyes of the world on the working conditions of those who supply major retailers. Products manufactured for multinational, brand giants, such as H&M and Kmart, JC Penney and Benetton were found amongst the rubble of the building, which local officials had warned was unsafe.
Some in the media and human rights groups quickly accused these retailers (and others using third parties in developing countries) of callously exploiting poorly paid workers and ignoring their safety. In the aftermath, some companies scrambled to offer compensation and sign safety accords, but the damage was done—and the damage to these companies’ reputational currency continues to be felt.
Companies Waking Up to Massive Third Party Risk Exposure
The boards, senior management, investment analysts and others at many organizations had recognized the risk, but Rana Plaza was a wakeup call for many others who are just beginning to realize that their relationships with third parties amount to one of their greatest risks and need to be dealt with before issues arise. Companies need to do complete, appropriate third party risk assessments and make sure that they identify and manage—among others—the following critical issues:
- Engagement risk and due diligence;
- Reputational damage;
- Bribery and corruption; and
- Policy management and training.
“A Resource Guide to the U.S. Foreign Corrupt Practices Act”, published by the U.S. DOJ and SEC in November 2012, addresses effective corporate compliance programs. With respect to third parties, the most critical element is the existence of risk-based due diligence. The following factors are highlighted as guiding principles of third party program effectiveness:
- Understand the qualifications and associations of the third party;
- Have a business rationale for including the third party in the transaction;
- Ongoing monitoring of the third party; and
- Informing third parties of your compliance program and commitment to ethical practices.
These factors need to be addressed prior to engagement of any third party and a system should be in place to document the selection process, due diligence and mitigation of any “red flags.” Automation and document management makes this process even more seamless, defensible and cost effective.
2) Reputational Damage
Disasters such as the Rana Plaza factory collapse serve as a stark reminder that reliance on third parties exposes organizations to increased reputational vulnerability.
Reputation is continuously cited as one of a company’s most valuable and protected assets. And in times of highly publicized disasters—as was the case with Rana—it’s easy to see how dramatically reputation can be affected. The reputational risk impacts not only the factory owners but also the companies who contracted with these factories.
Our own research of ethics and compliance professionals shows that reputation has skyrocketed to the second overall driver for compliance spend; it wasn’t even on the list five years ago. Social media and the internet age have led to a dramatic increase in the ways—and speed at which—a company’s reputation can be damaged.
Customers and stakeholders alike are increasingly demanding company practices that not only comply with legal and regulatory requirements, but that also align with social and moral standards. This a tall order for organizations who do business in far flung multiple and vastly different jurisdictions.
3) Bribery and Corruption Risks
Companies’ use of third parties as agents, distributors or intermediaries, increases the potential that third parties who have not been vetted by reasonable due diligence and mitigation of red flags, could use unscrupulous means to attempt to secure favors, contracts or to bypass local laws. This is particularly true because, by their nature, third parties are not under the complete control of the contracting company and are often engaged to serve needs in faraway locations or provide specialized services that the contracting party does not possess. Third parties with unexamined pasts and little or no oversight could use bribes to achieve theses ends. When third parties use bribes, the contracting party may also have liability for the actions of these third parties.
4) Policy Management and Training
Additionally, to help reduce the risk that third parties would engage in bribery, corruption or other compliance failures, the engaging company should have a clearly stated corporate compliance policy on the use of third parties which should clearly communicate the limits of what is expected pursuant to the company policies.
The third party should demonstrate or certify that is has its own internal policy prohibiting actions that violate the law or might be perceived as using bribery or corruption to gain an unfair business advantage.
While clearly drafted policies are important, they are only the first step. Like other compliance risks, the third party risk should be supplemented with training. The training should involve the employees of the contracting company so that they understand what to look for when they are dealing with third parties. For instance, they should be trained to spot and report red flags such as excessive gifts and entertainment, or vaguely characterized payments not supported by receipts or backup.
Many third parties may not have the internal resources to provide training. An additional step many leading companies are now taking is to provide third parties access to their own training or create a third party training program which those organizations must complete prior to engagement. Any steps which are geared toward increasing awareness and reporting of unacceptable or unethical actions helps reduce the risk of third party compliance failures.
The New Normal
The growing use of third parties as representatives of U.S.-based companies and to support the global supply chain is often a competitive advantage, providing access to larger product markets, inexpensive labor, raw materials and local or specialized expertise, etc. However, these benefits also bring risks that must be carefully assessed.
NAVEX Global's most recent "Third Party Risk in a Global Environment" survey found that fewer than three in 10 US companies carefully monitor their third party vendors, suppliers and agents to prevent corruption, fraud and other compliance risks.
The survey explored how and whether they have implemented policies to mitigate the risks of doing business with third parties overseas. While respondents largely acknowledged the risk, some 71 percent admitted they do not track information on some or all of their third party relationships, exposing themselves to significant ethics and compliance risks.
While it may seem an onerous task—just as implementing global compliance and ethics policies once was considered—organizations must:
- Conduct a third party risk assessment;
- Ensure appropriate, pre-engagement due diligence;
- Understand the qualifications and business purpose for third parties;
- Monitor and audit the third party relationships; and
- Have clear, communicated third party policies and training.
This may seem like a lot of work for most companies, but the new normal does not allow for opting out of this process. Seek out partners like NAVEX Global who can assist in developing and implementing all steps in this process and who also can provide an automated solution to your due diligence, training and recordkeeping needs.
Remember: Luck is not a strategy.