Every January I try to offer suggestions for what compliance officers should resolve to do in the coming year, and one compliance resolution strikes me as particularly clear. Compliance officers should resolve to help their companies build better systems of third party risk management in 2020.
I know, I know; compliance officers have already been working on third party risks around anti-corruption issues for years. If the last few years have demonstrated anything, however, it’s that third parties now pose many more risks to the enterprise—and companies struggle to manage those risks in a disciplined, cohesive way.
So if compliance officers are going to tackle one compliance resolution over the next year (and beyond), focus on better third party risk management.
Third Party Risk Management Is Critical
Take cybersecurity as one example. Today, companies rely on vendors to perform mission-critical business processes like email or billing management, so the security of those vendors is a paramount concern. Too many companies, however, still establish the vendor relationship first and perform the security risk assessment later.
Any ethics and compliance officer can see that this approach is backward. The company should assess security risks first and then decide whether to use the vendor—and then keep monitoring that vendor, to see whether its relationship with your company changes in a way that brings new security risk.
That’s the ideal situation, and compliance officers can understand why: it’s what you’ve been laboring to do with anti-corruption risk and third parties for 10 years.
Now companies need to expand those third party governance procedures beyond anti-corruption, into a system of comprehensive third party governance. Compliance officers can play a crucial role in getting that done.
So what would that evolution to better third party risk management look like?
Loop in the Appropriate Parties
First, think about the people who should be involved. I used the cybersecurity example above because that issue clearly belongs to the CISO rather than the CCO—so if you want your third party risk management system to address security, the CISO must be involved.
That’s the first step: understanding who should be in the room as you ponder your third party risk management systems.
Most likely, this group would be the same people who serve on any in-house risk or compliance committee your company might already have, such as legal, finance, security, HR, internal audit, and compliance. You might also want to include executives from important operating functions such as sales or R&D, depending on your business.
Build a Third Party Risk Library
Second, establish a consensus on the third party risks your company has. After all, that list can be endless: anti-corruption, security, privacy, human trafficking, environmental damage, sanctions, business continuity, and many more. Not every company will face all those risks, but every company will face many. You cannot build an effective system to oversee them if you don’t know which ones apply to you.
A Chief Risk Officer I know told me that he performs an annual exercise where his in-house risk committee lists all the third party risks the company has. That number quickly climbs to several dozen, and then the CRO forces the committee to slim everything down to a Top 10 list.
It’s a rigorous process with extensive debate, and the final result is a thoughtful, prioritized list of third party risks. The CRO uses that to explain his thinking to the board and investors (“Why do we want to invest more in sustainable sourcing? Well, ethical sourcing risk ranked No. 2 on our list and here’s why…”), and the list informs the risk mitigation steps the company should take.
Define Your Risk Assessment Process
Third, and to that end, design risk assessment policies and procedures. Compliance officers already do this for anti-corruption risk among your third parties, with due diligence, training, certifications, and the like. So what similar steps would your company perform to assess the other risks third parties pose to you?
This is why an in-house risk committee is so important. The input of other executives helps you craft policies that employees and third parties will actually follow, and procedures that will actually work.
For example, CISOs and internal audit teams can develop procedures to audit the security of service providers (reams of literature exist on the subject), but they first need to know how your business will actually use the vendor, so they can design policies and procedures fit for the risk at hand.
The same holds true for any other risk third parties might pose to your business. Assessing and mitigating the risk depends on knowing how your company will use the vendor as much as it depends on knowing how to assess risk.
Don’t Forget About Reporting
Fourth, think about the reporting capability you’ll need. This issue gets into questions about key risk metrics, dashboards, and escalation procedures that we can’t cover in this post. Ultimately, however, you’ll want to answer the question: what are the thresholds of third party risk that your company won’t want a third party to exceed?
For example, you might want a reporting system that can identify all third parties at high risk for corruption, or for security, or for human trafficking. You would also want a reporting system that can show you those three risks for any single third party, even if some of those risks are zero.
But third party risk management is all about identifying potentially troublesome risks before they strike, and then steering the company to a safer course. You will need to define what “troublesome” is to make that work—and a wise company will do that in advance, by consensus, long before a specific third party poses a specific risk here and now.