Compliance professionals face a daunting task when it comes to managing their third parties. Particularly for global companies, the challenge of mitigating these risks without suffering legal, financial or reputational harm has become increasingly difficult.
Amid this quickly evolving business landscape, the top third-party concerns – as identified by compliance professionals – have stayed consistent over the past few years. However, according to NAVEX Global’s 2017 Ethics & Compliance Third-Party Risk Management Report, the order of the highest perceived risks continues to fluctuate.
The report, released this week, identified cyber security as the top concern of nearly half of this year’s respondents. Recent high-profile data breaches are a reminder of the struggle to contain and minimize financial and reputational damage resulting from cyber security hacks and personal data breaches. For compliance professionals, effectively dealing with third parties and business associates who may increase cyber security and personal data breach risks is extremely challenging.
Other (Big) Risks Remain
Second on compliance professionals’ minds this year was bribery and corruption, which 42 percent of respondents named as their top concern. This has been a high priority for respondents in NAVEX Global’s recent surveys, which is not surprising given the aggressive enforcement environment created by the U.S. Department of Justice and the Securities and Exchange Commission, along with the increase in global enforcement and coordination efforts by prosecutors in the United Kingdom, China, Brazil, the Netherlands, Sweden, Canada, Germany, and elsewhere. The recent Telia enforcement action – which totaled $965 million in penalties, forfeiture, and disgorgement and was coordinated by American, Dutch and Swedish prosecutors – is an important reminder that global anti-corruption enforcement is here to stay. The failure to identify, manage, and resolve third-party risks continues to be a root cause of many of these corporate bribery prosecutions.
Corporate risk managers also noted concerns regarding conflicts of interest (34 percent of respondents to NAVEX Global’s survey), where employees and business associates engage in business transactions without disclosing family and related party connections. Conflicts of interest often contain the seeds for more significant misconduct, such as bribery, export/sanctions, and money laundering risks, which are only discovered after initially identifying the conflict of interest in a business transaction.
Why This Matters
Each of these chief concerns underscores the importance of designing and implementing effective third-party risk management programs. Compliance professionals understand this but often struggle when seeking resources, automated solutions, and access to reliable data to make informed decisions. Although compliance professionals responded that third parties and business associates are their highest concern, only about one-quarter of respondents have a dedicated budget to manage third-party risks, and most (60 percent) have suffered cuts or merely maintain their existing budgets to manage third-party risk.
The Justice Department and SEC enforcement focus in FCPA actions underscores the importance of conducting due diligence of potential third parties and business associates, as well as ongoing monitoring of such third parties. The emphasis in these enforcement actions has also extended to a company’s review of the quality of the information collected on third parties and the analysis of due diligence data and third party activities. This is a clear message that as compliance programs mature, the government expects due diligence and third-party risk management practices to improve as well.
What to Do About It
This message has been received (or, at least, it should have been) by the business community, yet compliance professionals in NAVEX Global’s survey said finding reliable information concerning potential third parties and business associates is their top challenge. Over half of the respondents specifically identified this issue, which highlights the importance of conducting high-quality, reliable due diligence screening, analysis and monitoring activities.
Compliance professionals who have implemented automated systems regularly note improved performance and fewer resources needed for third-party risk management. In other words, automation frees corporate risk managers to devote time to other tasks while improving overall performance. As such, it’s confounding that only about one-third of compliance professionals surveyed have automated their third-party risk management program.
As corporate risk managers continue to face new and evolving strategies, the NAVEX Global research confirms what we intuitively know – cyber security and personal data breaches are a significant risk, global bribery remains a persistent risk, and conflicts of interest risks are a gateway to potentially worse misconduct.
As a result, compliance professionals continue to push internally for a dedicated budget, increased resources, and automated solutions not just as niceties, but as basic requirements to address these significant and persistent third-party management risks.