Why TPDD programs aren't delivering the oversight businesses need
Regulators have responded to increased risk exposures by trying to rein in errant companies through stricter regulations such as the UK's Modern Slavery Act, France's Sapin II law, the California Consumer Privacy Act, and the EU's General Data Protection Regulation. The US Department of Justice (DOJ), for example, issued a notification requiring companies to monitor supplier risks over the lifecycle of a contract and to cover all suppliers.
Despite these changes, many organizations lack a structured approach to managing third-party due diligence. They continue to apply knee-jerk quick fixes to simply placate regulators.
Here, we explore the key barriers preventing companies from implementing a third-party due diligence program that complies with regulatory mandates.
1. Limited use of digital technologies to sift through voluminous data
Large organizations generally have deep-rooted, extended networks of third parties around the world. This means companies must tackle large volumes of complex third-party data and invest significant manual effort in analyzing the red flags that could call out potential issues such as doing business with a sanctioned entity. Evaluating this data requires specialized processing capabilities with a structured risk-based approach and the efficiencies digital technologies bring. But many businesses have limited exposure or access to due diligence technologies and risk-management platforms.
2. Siloed processes, disparate systems
Even large organizations with some form of third-party due diligence program may struggle to gain value if they lack a unified approach across the business. As a result, third parties often slip through the cracks and remain on vendor rolls even if assessments have identified issues. This happens when third-party risk is managed in silos with functions such as procurement, compliance, IT, and finance running their own programs. This can also lead to increased lead times for the assessments, a delayed supplier onboarding process, duplication of effort, surging costs, and no overarching oversight.
3. Insufficient risk and compliance expertise
Though technology advances have enabled high-volume vendor screening, automated screening also produces large numbers of false positives from compliance databases. Separating true hits from noise requires skilled judgment and knowledge of risk areas such as bribery and corruption, information security, labor rights, financial risk, and environment, health, and safety norms. But companies often don't have the risk and compliance expertise required to support these areas.
4. Limited visibility of risk exposure from a third party's associations
Compliance teams typically don't have the bandwidth to fully review the key principals and shareholders behind each third party in the due diligence program and to identify links between them. As a result, they may miss red flags associated with ultimate beneficiaries, shareholders, and key principals, which leaves companies exposed. For example, in 2019, one of the world's leading consumer electronics firms settled a legal case for approximately $0.5 million. Authorities charged the firm with doing business with a company whose majority owner appeared on the US Office of Foreign Assets Control's Specially Designated Nationals and Blocked Persons List for allegedly being part of an international steroid trafficking network.
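The two gaps above (false positives from bulk screening, and listed parties hiding behind a vendor's owners and principals) can be illustrated with a small screening routine. The following is an added example, not code from the original article or from any screening vendor: it screens a third party together with its principals and shareholders against a constructed, fictional sanctions-style list, uses a fuzzy name match to separate confident hits from near-matches that need analyst review, and flags the case the article describes, a clean vendor whose majority shareholder is itself a listed party. The list entries, the vendor record, the name-normalization rules and the score thresholds are all assumptions made for the example.

```python
import difflib
import re
from dataclasses import dataclass, field

# Constructed, fictional sanctions-style list used only for this example.
# A real program would load the official OFAC SDN list (and others) instead.
SANCTIONED_PARTIES = [
    "Helios Trading Partners Ltd",
    "Jonah Vance Holdings",
    "Marlowe Petrochem SA",
]

# Corporate suffixes ignored during matching so formatting differences
# ("Ltd." vs "LIMITED") do not hide an otherwise identical name. Assumed list.
IGNORED_SUFFIXES = {"ltd", "limited", "inc", "llc", "sa", "corp", "co"}


@dataclass
class ThirdParty:
    name: str
    principals: list[str] = field(default_factory=list)        # directors / key principals
    shareholders: dict[str, float] = field(default_factory=dict)  # owner name -> % held


def normalize(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes, collapse whitespace."""
    s = re.sub(r"[^\w\s]", " ", name.lower())
    tokens = [t for t in s.split() if t not in IGNORED_SUFFIXES]
    return " ".join(tokens)


def screen_name(name: str):
    """Return (best_list_entry, similarity) for one name; similarity is a difflib ratio in [0, 1]."""
    norm = normalize(name)
    best, best_score = None, 0.0
    for entry in SANCTIONED_PARTIES:
        score = difflib.SequenceMatcher(None, norm, normalize(entry)).ratio()
        if score > best_score:
            best, best_score = entry, score
    return best, round(best_score, 2)


def screen_third_party(tp: ThirdParty, exact=0.95, review=0.70, majority=50.0):
    """Screen the vendor AND every associated party. Returns a list of findings.

    status "hit"    -> similarity >= exact, treat as a confirmed match
    status "review" -> similarity >= review, a likely false positive that an analyst must judge
    Anything below the review threshold is dropped.
    """
    subjects = [("vendor", tp.name, None)]
    subjects += [("principal", p, None) for p in tp.principals]
    subjects += [("shareholder", s, pct) for s, pct in tp.shareholders.items()]

    findings = []
    for role, name, pct in subjects:
        match, score = screen_name(name)
        if score >= exact:
            status = "hit"
        elif score >= review:
            status = "review"
        else:
            continue
        finding = {"role": role, "subject": name, "match": match, "score": score, "status": status}
        # The association risk from the article: the vendor is clean, but its controlling owner is listed.
        if role == "shareholder" and status == "hit" and pct is not None and pct > majority:
            finding["note"] = "majority owner is a listed party"
        findings.append(finding)
    return findings


# Constructed vendor record for the example (fictional names).
EXAMPLE_VENDOR = ThirdParty(
    name="Brightline Components LLC",
    principals=["Dana Okoro", "Jonah Vance"],
    shareholders={"Jonah Vance Holdings, Ltd.": 60.0, "Marlowe Petrochem Group": 15.0},
)

if __name__ == "__main__":
    for f in screen_third_party(EXAMPLE_VENDOR):
        print(f)
```

Screening only the vendor name returns nothing here; the exposure appears only when the owners and principals are screened too. The "review" findings (an individual sharing a name with a listed entity, and a similarly named group) are exactly the kind of near-matches that inflate false-positive counts and need a trained analyst to resolve, which is the expertise gap section 3 describes.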
5. High cost of deploying a TPDD program
Even though organizations realize the importance of adopting a consistent TPDD program across functions, channeling adequate resources to support it can prove a challenge. From hiring specialized risk-management experts to implementing digital solutions and expanding coverage across a large cross-section of the supplier base, the costs associated with establishing a robust program can quickly become exorbitant.
6. No comprehensive enterprise-level dashboard
Without an enterprise-level view of TPDD data and performance, let alone real-time actionable insights, executives cannot prioritize or act on third-party risk consistently. With customized dashboards, they can manage risk proactively using near-real-time updates, end-to-end process visibility, and in-depth third-party risk reports and remediation actions.