Third-Party Risk Management: Everything you need to know

By Michael Volkov

The term third party risk management (“TPRM”) broadly refers to the process by which an organization identifies, evaluates, screens, selects, and manages its relationships with the vendors, suppliers, service providers, intermediaries and other agents it utilizes in the course of conducting commercial operations.

Effective TPRM is the cornerstone of a company’s overall compliance commitments and an integral component of mitigating the full panoply of risks that a contemporary organization increasingly faces from its engagement with external parties. These risks commonly include, but are not limited to, operational, financial, legal, regulatory, and reputational risks that are endemic to all manner of commercial relationships.

The TPRM process establishes a framework by which the organization both validates new third party relationships and reviews existing relationships in an ongoing effort to understand where its greatest vulnerabilities lie. In so doing, TPRM allows the compliance function of the organization to more effectively mobilize limited resources to triage the highest risk third parties with a comprehensive risk mitigation strategy.

Why is Third Party Risk Management important?

TPRM is important due to the unique universe of risks that contemporary organizations face in an increasingly complex global business climate, including most notably, legal and regulatory risks that frequently arise when transacting business in particular economic sectors and jurisdictions.

Key global regulators and enforcement authorities—among them, the U.S. Department of Justice (“DOJ”)—have repeatedly emphasized the need for businesses to conduct risk-based due diligence on all third party partners, in an effort to mitigate the potential for corporate criminal activity. Likewise, emerging regulatory schemes that target human rights abuses in global supply chains now all but require entities engaged in international commerce to carefully scrutinize the activities of both direct and indirect suppliers and vendors.

In the United States, one prominent example of this trend is the Uyghur Forced Labor Prevention Act (“UFLPA”)—which prohibits the importation of commodities produced using forced labor in the Xinjiang Uyghur Autonomous Region of the People’s Republic of China. The UFLPA has forced organizations that depend on Chinese imports to be more vigilant in selecting their business partners.

Beyond simply meeting regulatory requirements, effective TPRM also enables organizations to proactively identify core operational vulnerabilities that, when exploited, could temporarily disrupt (or in extreme cases, permanently impede) commercial activity, thereby threatening the long-term financial viability of the organization itself.

For instance, an organization that relies heavily on imports from foreign countries to manufacture its own products can utilize TPRM to prioritize the risks posed by its suppliers from a criticality standpoint. Suppliers located in a region known for its dependence on forced labor should be targeted for aggressive TPRM activities (measures such as routine audits, on-site inspections, and the execution of appropriate fair labor attestations) to minimize the risk that such imports will be held up in customs.

What are the pillars of third party risk management?

While TPRM consists of a number of important components, perhaps the most critical is due diligence: the collection and analysis of information concerning a prospective third party partner by the organization’s compliance function.

During the due diligence phase of TPRM, organizations gather vital information from potential business partners, covering ownership structure, legal and regulatory background, financial health, government connections, and operational details. This data forms a comprehensive profile used by compliance teams to evaluate whether forming a partnership is suitable. It also guides decisions on terms and conditions to manage risks effectively. For instance, if dealing with a partner from a corruption-prone jurisdiction, the compliance team may suggest strict monitoring or limitations on interactions with government entities. They may also require regular inspections of financial records to detect any irregularities if such interactions are necessary.

At a minimum, the initial due diligence required of an organization mandates the use of a restricted and denied party screening database. Both the United States and its international counterparts increasingly rely on list-based designations of specific entities and individuals with whom organizations are either: (1) restricted from doing business; or (2) banned from engaging altogether. Violations of sanctions regulations—particularly those administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”)—can carry a host of repercussions for would-be violators, including exposure to civil—and potentially even criminal—liability.

Even non-U.S. firms can be exposed to secondary sanctions risk by transacting business with a designated person if the same conduct by a U.S. Person would itself be illegal. Additionally, organizations must be cognizant of OFAC’s “Fifty Percent Rule,” pursuant to which any entity owned fifty percent or more in the aggregate by one or more blocked persons is itself considered blocked for purposes of sanctions regulations. This is especially significant when dealing with entities and individuals on OFAC’s List of Specially Designated Nationals and Blocked Persons (“SDN List”). Careful screening of third parties—and, where applicable, their immediate and ultimate beneficial owners—is thus imperative for companies as part of the due diligence process.
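The aggregation and beneficial-owner propagation described above can be applied mechanically over an ownership chart. The following is an added illustration, not code from the author or from any screening vendor; the ownership graph and the "SDN Person" names are constructed sample data, and the model assumes that an entity which becomes blocked under the rule then counts as a blocked owner of anything it holds in turn.

```python
from typing import Dict, List, Set, Tuple

# Constructed ownership chart for the example: entity -> [(owner, percent held)].
# Owners that do not appear as keys are natural persons or out-of-scope companies.
OWNERSHIP: Dict[str, List[Tuple[str, float]]] = {
    "Alpha Trading Ltd":  [("SDN Person 1", 50.0), ("Unlisted Investor", 50.0)],
    "Beta Holdings SA":   [("SDN Person 2", 50.0), ("Unlisted Fund", 50.0)],
    # Two blocked-by-ownership entities each hold 25%: 50% in the aggregate.
    "Gamma Logistics":    [("Alpha Trading Ltd", 25.0), ("Beta Holdings SA", 25.0),
                           ("Public Float", 50.0)],
    # A 25% stake by a listed person does not block Delta...
    "Delta Minority Co":  [("SDN Person 1", 25.0), ("Unlisted Investor", 75.0)],
    # ...so Delta's 60% stake in Epsilon carries no blocked ownership downstream.
    "Epsilon Downstream": [("Delta Minority Co", 60.0), ("Public Float", 40.0)],
}

# Constructed placeholder designations; a real program screens against the live SDN List.
SDN_LIST: Set[str] = {"SDN Person 1", "SDN Person 2"}


def blocked_entities(ownership: Dict[str, List[Tuple[str, float]]],
                     sdn_list: Set[str]) -> Set[str]:
    """Entities blocked under the Fifty Percent Rule (listed persons excluded).

    Iterate to a fixpoint: an entity becomes blocked when owners that are
    blocked (listed, or blocked by this rule) hold >= 50% in aggregate, and it
    then counts as a blocked owner of anything it holds. This covers indirect
    chains without needing to know the chart's depth in advance.
    """
    blocked: Set[str] = set(sdn_list)
    changed = True
    while changed:
        changed = False
        for entity, holders in ownership.items():
            if entity in blocked:
                continue
            blocked_share = sum(pct for owner, pct in holders if owner in blocked)
            if blocked_share >= 50.0:
                blocked.add(entity)
                changed = True
    return blocked - set(sdn_list)


def screen_counterparty(name: str, ownership: Dict[str, List[Tuple[str, float]]],
                        sdn_list: Set[str]) -> str:
    """Classify a prospective partner as 'listed', 'blocked_by_ownership' or 'clear'."""
    if name in sdn_list:
        return "listed"
    if name in blocked_entities(ownership, sdn_list):
        return "blocked_by_ownership"
    return "clear"
```

With the sample chart, Alpha, Beta and Gamma come back blocked while Delta and Epsilon are clear; the same screen has to be re-run whenever either the list or the ownership data changes.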

Global third-party risk management regulations

Due diligence—and by extension, TPRM—is also increasingly mandated by global governments in an effort to deter organizations from perpetuating human rights abuses and adverse environmental outcomes. As a consequence, initiatives like the EU Corporate Sustainability Due Diligence Directive (“CS3D”) oblige certain entities conducting business in the EU to undertake a host of obligations associated with minimizing their overall societal impacts.

Chief among these obligations is the requirement that covered entities establish and document due diligence processes that are sufficient to identify and end, or substantially mitigate, a myriad of adverse social and environmental outcomes. In Germany, the German Supply Chain Act (“LkSG”) similarly obliges covered entities conducting business in that country to undertake due diligence efforts with respect to both direct and indirect suppliers in a parallel effort to combat the tragedies of environmental degradation and human exploitation.

While no single regulatory framework in the United States obliges organizations to conduct due diligence, regulatory guidance released by a host of government agencies—including the DOJ—consistently points to the need for effective TPRM practices as an overall risk mitigation strategy in relation to compliance with anti-bribery, sanctions, and export control regulations (among others).

Who is responsible for third party risk management?

While ultimate responsibility for the administration of a company’s TPRM program typically lies with the organization’s compliance function, the TPRM process requires the active participation of a variety of key stakeholders—chief among them, an entity’s supply chain or procurement function, which normally interfaces with prospective business partners on an initial basis.

In most commercial settings, the supply chain or procurement team will ask the prospective partner to complete a due diligence questionnaire (eliciting the details mentioned above) and to submit supporting documentation consisting of financial statements, banking information, organizational details, and business licenses. This information is passed on to the compliance function, which analyzes the furnished materials for the purposes of evaluating what risk the prospective partner poses to the organization if formally engaged as a contractual counterparty.

Management also plays an invaluable role in reinforcing the importance of adhering to the organization’s established TPRM protocols. Where such support is lacking, the organization’s entire TPRM strategy is bound to be undermined, exposing the company to a host of unmitigated risk factors.

What challenges do compliance teams face when running a Third Party Risk Management program?

The principal challenge faced by compliance teams in administering an effective TPRM strategy is the creation and maintenance of discrete risk categories into which an organization’s third party partners are ultimately placed. Most organizations have a tendency to create highly complex TPRM structures that do little to facilitate actual mitigation efforts.

The most effective TPRM strategies rely on a tiered approach that allows the organization to segregate third parties into high, medium, and low risk categories based on a composite score that accounts for myriad unique risk assessment factors. These categories should resemble a pyramid: the majority of the organization’s third party partners will be classified as low risk (the base of the pyramid), comparatively fewer as medium risk (the middle), and only a small number as high risk (the top). This approach allows the organization to efficiently allocate scarce compliance resources to proactively manage a smaller overall number of demonstrably higher risk relationships.

In addition to risk tiering, compliance teams must also ensure that third party due diligence remains up to date, and that the organization’s business partners are screened regularly against international sanctions and watch lists. This is particularly important for those entities classified as higher risk and operating in more comprehensively regulated or selectively sanctioned jurisdictions affected by frequent changes to government regulations (e.g., the Russian Federation and China).

Lastly, regulatory guidance from a multitude of government agencies worldwide has repeatedly emphasized that due diligence is a dynamic process. As such, organizations must keep abreast of changing circumstances, both with respect to their partner organizations and the state of the law.

What are the benefits of third party risk management software?

To put it simply, TPRM software is a must-have for organizations that rely on a large number of third party relationships to carry out their commercial activities.

Relying on antiquated, manual management of third party relationships is grossly ineffective, unlikely to comply with existing regulatory expectations, and all but guaranteed to fall short of emerging regulator expectations. The trend is clear: regulators around the world increasingly emphasize the need for more sophisticated means of carrying out the due diligence functions that lie at the heart of effective TPRM.

TPRM software allows the organization to visualize the totality of its supplier and vendor relationships, streamline the initial and recurring due diligence processes, centralize the storage of relevant records, and automatically screen third party partners against the latest changes to global sanctions and watch lists.

What makes a successful third party risk management program?

An effective—and successful—TPRM program is predicated on a core set of compliance processes and procedures that the organization consistently utilizes to assess and reassess the various risks posed by its third party partners.

These processes are backed by the power of a TPRM platform that automates routine workflows and permits compliance personnel to focus on evaluating and mitigating the largest third party risks facing the company. A successful TPRM program is also nimble, and prepared to change along with changing internal and external circumstances. As the company expands its geographic footprint, for instance, the TPRM program should be capable of scaling with the company in an organic manner such that the same TPRM practices will apply to the activities of the organization irrespective of location.

Finally, an effective TPRM program is one that recognizes its own limitations and harnesses the power of continuous improvement—rather than the unachievable desire for perfection—as a key motivating factor guiding programmatic adjustments.

Michael Volkov

Michael Volkov specializes in ethics and compliance, white collar defense, government investigations and internal investigations. Michael devotes a significant portion of his practice to anti-corruption compliance and defense. He regularly assists clients on FCPA, UK Bribery Act, AML, OFAC, Export-Import, Securities Fraud, and other issues. Prior to launching his own law firm, Mr. Volkov was a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).
