Advanced Operating Models
Dec 28, 2020

Managing risk in an expanding third-party ecosystem

How to overcome challenges to operationalizing a third-party due diligence program

Though untapped overseas markets seem like promising hubs of labor and resources, there are significant potential risks, too. As a result, companies recognize the need for a robust third-party due diligence (TPDD) program to vet existing or potential suppliers, agents, and others.

Several factors exponentially increase your third-party risk exposure, leaving your business vulnerable to operational, financial, legal, regulatory, and reputational risks. For instance, the many companies your business relies on to maintain business as usual, improve agility, lower costs, and expand; the limited visibility you have beyond the first tier of suppliers; and the staggering volumes of data that come from different geographies and spend categories, are all sources of risk.

You don't have to look far to find examples of the consequences: a leading chocolate company was found to have been using child labor; a major consumer electronics outfit became tainted by its suppliers' abysmal labor practices; and high-end fashion houses have had to scramble to avoid being associated with sweatshops in emerging economies.

Why TPDD programs aren't delivering the oversight businesses need

Regulators have responded to increased risk exposures by trying to rein in errant companies through stricter regulations such as the UK's Modern Slavery Act, France's Sapin II law, the California Consumer Privacy Act, and the EU's General Data Protection Regulation. Similarly, the US Department of Justice (DOJ) issued a notification requiring companies to monitor supplier risks over the lifecycle of a contract, covering all suppliers.

Despite these changes, many organizations lack a structured approach to managing third-party due diligence. They continue to apply knee-jerk quick fixes to simply placate regulators.

Here, we explore the key barriers preventing companies from implementing a third-party due diligence program that complies with regulatory mandates.

1. Limited use of digital technologies to sift through voluminous data
Large organizations generally have deep-rooted, extended networks of third parties around the world. This means companies must tackle large volumes of complex third-party data and invest significant manual effort in analyzing the red flags that could call out potential issues such as doing business with a sanctioned entity. Evaluating this data requires specialized processing capabilities with a structured risk-based approach and the efficiencies digital technologies bring. But many businesses have limited exposure or access to due diligence technologies and risk-management platforms.

2. Siloed processes, disparate systems
Even large organizations with some form of third-party due diligence program may struggle to gain value if they lack a unified approach across the business. As a result, third parties often slip through the cracks and remain on vendor rolls even if assessments have identified issues. This happens when third-party risk is managed in silos with functions such as procurement, compliance, IT, and finance running their own programs. This can also lead to increased lead times for the assessments, a delayed supplier onboarding process, duplication of effort, surging costs, and no overarching oversight.

3. Insufficient risk and compliance expertise
Though advances in technology have enabled high-volume vendor screening, such screening can generate a large number of false positives from compliance databases. Identifying true hits requires skilled judgment and knowledge of risk areas such as bribery and corruption, information security, labor rights, financial risk, and environment, health, and safety norms. But companies often don't have the risk and compliance expertise required to support these areas.

4. Limited visibility of risk exposure from a third party's associations
Compliance teams typically don't have the bandwidth to fully review the key principals and shareholders of the third parties covered by the due diligence program and to identify links between them. As a result, they may miss red flags associated with ultimate beneficiaries, shareholders, and key principals, leaving companies exposed. For example, in 2019, one of the world's leading consumer electronics firms settled a legal case for approximately $0.5 million. Authorities charged the firm with doing business with a company whose majority owner appeared on the US Office of Foreign Assets Control's Specially Designated Nationals and Blocked Persons List for allegedly being part of an international steroid trafficking network.

5. High cost of deploying a TPDD program
Even though organizations realize the importance of adopting a consistent TPDD program across functions, channeling adequate resources to support it can prove a challenge. From hiring specialized risk-management experts to implementing digital solutions and expanding coverage across a large cross-section of the supplier base, the costs associated with establishing a robust program can quickly become exorbitant.

6. No comprehensive enterprise-level dashboard
Without an enterprise-level view of TPDD data and performance, let alone real-time actionable insights, risk management becomes fragmented and reactive. With customized dashboards, executives can manage risk proactively using near-real-time updates, end-to-end process visibility, and in-depth third-party risk reports and remediation actions.

Strengthening third-party due diligence

External partners present businesses with risks, so companies must commit to conducting thorough due diligence. If they fail to do so, they risk loss of reputation and fines as regulators increasingly hold them accountable for the actions of their contractors.

About the author

Subhashis Nath

Enterprise Risk and Compliance Leader