Over the past several decades, quality, health and safety, and environmental issues have topped the list of supply chain concerns. However, increasingly two issues are rising to the fore of the agenda for multinationals working with third parties across the globe. According to the PwC 2015 State of Compliance Survey, data security topped the list of compliance-related risks in the coming five years, with bribery and corruption not far behind.
Information breaches and corruption by third parties can make companies vulnerable to reputational, legal, and financial harm. Suppliers with access to corporate networks and valuable trade secrets can be the “weak link” for threat actors to gain access to company assets. Sales agents, customs brokers, distributors, and other business partners pose corruption risks as well.
In both instances, the question for multinationals is, how do you gain transparency into and improve practices among third parties?
The answer lies in taking a management systems approach – just as companies have done to address traditional global supply chain issues. In short, business partners need to know what is required and have business processes in place to support compliance.
As a starting point, pre-transaction or pre-relationship due diligence should be predicated on a thorough risk assessment to gain a comprehensive understanding of potential exposures. A risk assessment creates awareness around business risks that can then be managed or avoided through strengthened internal controls.
For companies that have hundreds, if not thousands, of business partners, third-party due diligence can be time-consuming and expensive unless the process is handled in a thoughtful, risk-based manner. One of the key first steps is making sure the process has an owner and the scope of the process is well-defined. Equally important is gaining an understanding of why the third party is necessary to the company in the first place – i.e., its business purpose.
Most companies provide third parties with their policies and require them to comply with those or similar policies of their own. Those in the lead also provide training to ensure that their third parties fully understand and appreciate what is required and their role in preventing wrongdoing and mitigating risks.
The ‘human’ element is central to an effective program that integrates “people, processes and technology.” On this front, communications and training will make or break a program. Do third-party employees understand their role in compliance?
Another important aspect of effective compliance is monitoring your own program and your partners’ compliance as well. Yet monitoring is one of the least mature areas for companies. Multinationals tend to rely on contracts with representations and warranties, but often without knowing whether the partner has the understanding and capacity to live up to those requirements. To gain insight into the third party’s program, many companies are finding it helpful to integrate monitoring of specific issues into ongoing audits. When issues do arise, companies should perform a root-cause analysis and then incorporate preventive measures into corrective actions.
Another vulnerability with third parties lies with their own suppliers, vendors, and extended business partners. How does the third party manage its business networks? Many suppliers work for competing companies. Are there systems in place to ensure that confidential information isn’t passed among client companies? Are second-tier partners trained in anti-corruption compliance, and do they understand policies to avoid bribery?
By engaging with key suppliers and other business partners to implement business processes that support compliance, multinationals can not only mitigate risks but also foster a stronger and more ethical business climate.