Corporate Resilience: Managing Third-Party Risks
Zafar Anjum MSc MS LLM CFE
Experienced Anti-Corruption, Compliance, and Risk Management Professional with a Proven Track Record
It goes without saying that forging strong relationships with outside service providers, manufacturers, and supply-chain and distribution partners will strengthen a company's ability to broaden its markets, expand its product and service offerings, respond more aggressively to ever-changing market demands, and potentially boost bottom-line performance.
From utilising call centres in Mumbai and granting retail franchises in Seoul, to outsourcing circuit boards to manufacturers in Shenzhen, fulfilling orders from massive distribution centres in California, and partnering with investment banks in Dubai, successful businesses rely on a frequently complex web of alliances with third-party providers to reduce operational and labour costs, enhance capabilities, and boost the bottom line.
But when any number of factors impairs the ability of a third-party affiliate to fulfil its contractual obligations adequately, a business can suddenly become exposed to myriad crises that could ultimately lead to revenue loss, international litigation, reputation damage and regulatory action, all while potentially affecting the organisation's ability to attract new business or service existing customer relationships.
The most effective third-party partnerships involve a multi-tiered risk management process that begins at the company level well before any outside provider ever enters into the organisation's business model, and ensures that the organisation itself can be sufficiently resilient in the face of crisis emanating from a third-party catastrophe.
The Risk of Third-Party Partnerships
It's highly probable that, at some point, organisations that affiliate with outside providers will eventually have to deal with an operational interruption resulting from a third-party related issue. The risks involved in partnering with outsiders hasn't changed over the centuries. It's the potential liability that's been ratcheted up several notches. International borders have been ripped down. Technology has improved the way businesses communicate. Easy access to data and information enables the media to report on business news before a business can adequately respond. And the markets are quick to form opinions based on a 24/7 on-demand news cycle.
The result of this increased liability is problematic. Business litigation has skyrocketed. Corporate reputations are continually being assaulted. Business strategies are forever shifting. Board members are becoming increasingly subjected to intense scrutiny from outside critics. And a highly educated market responds immediately with their pocketbooks.
A simple poll of any large or small business will show that a vast majority of those organisations have suffered some type of harm from the actions (or inactions) of a third-party affiliate. The harm includes:
- Experiencing financial loss when a third-party provider failed;
- Losing customers because of poor-quality service from a third;
- Exposing breaches to data systems because of poor security practices by a third-party;
- Experiencing supply chain issues due to inadequate disaster recovery procedures by the third-party; and
- Being exposed to litigation because of relationships with an outside provider that significantly violated contractual terms, potentially resulting in regulatory exposure.
The most successful organisations around the globe are the ones that can rise above the scrutiny and demonstrate an aversion to risk and resilience to crisis. These are the organisations that go to great lengths to establish robust risk management systems designed to:
- Identify and weed out unqualified or unscrupulous third-party providers in the pre-contract bidding phase;
- Ensure that the provider is adhering to every provision of the contract while it is in effect; and
- Provide viable outlets in the event that a third-party provider falters.
A robust risk management program helps companies effectively identify and mitigate risks posed by third-party providers in critical risk areas such as information security, service delivery, supply chain processing, financial processing, reputation management and regulatory compliance.
The Fundamentals of a Third-Party Risk Management Program
By taking a proactive approach to addressing the risks involved in working with third-party providers, an organisation can significantly decrease its susceptibility to liability, business interruption and brand damage.
This planned approach incorporates several phases and demands buy-in that starts at the top of the organisation and trickles right down to the staff members to ensure that the mechanics of the plan are strictly followed. Implementation of ISO 37001 Anti-Bribery Management System to selection criteria of the third-parties and intermediaries can be an effective approach for effective Third-Party Risk Management Program.
PHASE 1: Identify Vulnerabilities through Risk Assessment
Third-Party Risk Assessments are used to ascertain whether an organisation has the proper policies and procedures in place to address all potential risks at the management, operations and financial levels, and takes into account the likelihood of those risks actually occurring.
Certain aspects of a risk assessment may include a review of internal auditing procedures, compliance guidelines, performance criteria, internal controls, reporting processes and contractual requirements that are vital to foster a long-term positive return with the third-party provider when looking at the relationship from a cost-benefit standpoint.
Specific areas addressed in a third-party risk assessment could include:
- Audit and supervision functions that assign clearly defined responsibilities throughout the organisation.
- Business continuity plans that take into account natural disasters and third-party business closures.
- Supply-chain alternatives that respond to every possible scenario, from regional events to currency fluctuations.
- Jurisdictional considerations and affiliations with potential partners located in regions that may be prohibited by law.
- Data and Intellectual Property protection which includes customer privacy and information security considerations.
- Anti-Corruption and Whistle-blower policies that start at the staff education level and extend to safe internal and external reporting mechanisms which are easily accessible to management and staff.
Such assessments ensure that there are tight controls in place to mitigate key risks and assign specific responsibility for maintaining the control to designated management and staff members. Any gaps that are detected in these internal controls are also addressed during the assessment phase.
Further, a third-party risk assessment plan will also help determine whether the proposed third-party relationship is consistent with the company's stated strategic plan and overall business strategy.
PHASE 2: Contracting Requirements
Contract requirements related to third-party business relationships essentially begin in the pre-bid phase, with the use of standard integrity language in bidding documents to alert bidders that documents submitted in support of organisation's original bid proposals are subject to independent verification by an outside source in order to authenticate the qualifications and claims made by the bidder.
Once selected, the organisation's legal department is charged with drafting written contracts which outline specific duties, obligations and responsibilities of both parties involved in the contract.
Third-party contracts address such fundamental factors as quality, price, reliability and financial viability when assessing potential partners. They should also stipulate security of information and information systems as a factor in the contracting process.
Here are other provisions to consider, depending on the breadth and scope of the relationship, and the resulting contract:
- Responsibilities of each party
- Reporting procedures and availability
- Performance standards
- Scope of work
- Compliance with laws, regulations, safety, labor laws, etc.
- Permissibility to subcontract
- Confidentiality clauses, including customer lists and information security
- Data ownership
- Service level agreements
- Response time
- Productivity benchmarks
- Customer service
- Business continuity plans
- Anti-Corruption and Anti-Bribery Management System
- Disaster recovery plans
Properly written third-party contracts ensure that the organisation's compliance management system is adapted to effectively address the third-party relationship and appropriately respond to any issues or compliance deficiencies.
Any significant contract with a third-party should guard against assignment, transfer or subcontracting by the third-party of its obligations to another outside entity, unless the organisation determines that such an action would be consistent with the scope of work or the goals of the organisation.
PHASE 3: Conducting Adequate Due Diligence
Due diligence on potential third-party providers is critical to confirm legitimacy and reduce the risks associated with such business relationships. The due diligence process provides management with the information needed in making the determination that working with a potential third-party would ultimately help achieve the organisation's strategic and financial goals.
A comprehensive due diligence investigation involves a review of all available information about a potential third-party, focusing on the provider's specific relevant experience, its financial condition, knowledge of applicable laws and regulations, reputation, and the scope and effectiveness of its operations and controls. The evaluation of a third-party may include the following items:
- A thorough investigation of the provider's business and operations
- A comprehensive review of the provider's financial condition and reputation
- Evaluation of the provider's experience in implementing and delivering on the proposed scope of services
- Analysis of the provider's culture, vision and business style to ensure cohesiveness with that of the organisation's
- Reference checks, including peer businesses and industry groups
- Review of local and regional government records to identify any past or present litigation involving the provider
- Background checks of the provider's key principals
- Reviewing the provider's internal controls, information systems, security, confidentiality and contingency planning documents
- Review any existing working relationships to gauge the reliance on subcontractors
- Ensure adequacy of insurance coverage
- Review of marketing and customer service practices
- Review of certifications, quality controls and continuous improvement initiatives
In general, due diligence will lead the organisation's management to consider some basic questions prior to dealing with a third-party provider. Pending a review of the provider's operations, reputation and financial position, those questions include:
- Would our organisation offer products or services to the provider on credit?
- Is the provider accessible and approachable?
- Does the provider clearly understand the organisation's business goals?
- What are our options for terminating the contract with the provider (if needed) and how will this affect the organisation's operations?
NOTE: Not only should due diligence be conducted prior to selecting a third-party provider, it should also be performed periodically during the course of the relationship, particularly when considering a renewal of a contract.
PHASE 4: Management Oversight
Successful organisations that effectively engage in third-party business relationships rank the areas of "culture and leadership" on the same level of importance as "policies and procedures" when it comes to being resilient. Therefore, management oversight is critical to the third-party risk management process.
An organisation's senior management is ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships, to the same extent as if the scope of services were being provided from within the organisation. Therefore, senior management is charged with ensuring that the business relationships with third-party sources remain strong, productive and free of risk.
To accomplish this, management should adopt a "Manage, Monitor, Maintain" posture that clearly defines the key elements of a successful business relationship:
- Manage – Bid Proposals, Contracts, Licensing, Registrations, Certifications, Training Levels; Review third-party contract provisions at least annually.
- Monitor – Production Standards, Output Benchmarks, Quality and Compliance. While it is vital to ensure these standards are in line with the provisions of the contract, management should also strive for and demand continuous improvement in these areas.
- Maintain – Regular contact with third-party providers, including open communications and regular site visits to review operations and ensure compliance with the provisions of the contract.
The organisation should be vigilant at maintaining an updated database of debarred and questionable third-party providers, which will simplify the due diligence process before contracts are awarded and prevent contracts from inadvertently being awarded to such providers in the future.
While partnerships with third-party providers can be beneficial to the organisation on so many levels, such alliances can expose the organisation to many unknowns, and those unknowns will undoubtedly increase the level of risk. The key, then, is properly managing the infrastructure, systems, staff and outside support to adequately manage that risk.