Risk management isn’t solely about managing threats and opportunities within your company.
Just like it would be impossible for us to grow food, provide clothing, shelter, and other necessities all on our own, the same fact is true for a company. It would be impossible to provide every raw material or handle every service in-house. All organizations rely on a third-party to provide materials, products, and/or services the organization is unable or unwilling to do on its own.
Whether from a supply chain breakdown or some type of scandal, it seems companies everywhere are struggling with third-party risks these days.
Developing a holistic approach to managing these ever-increasing risks is the subject of a session I had the pleasure co-presenting at the 2021 Navex Next Risk & Compliance Conference.
You don’t have to watch the entire session to understand the following…
Third-party risks consist of way more than just supply chain issues.
It’s easy to think that third-party risks are another way of saying supply chain issues, especially in this current period where it seems just about everyone has been reeling from shortages ranging from simple ketchup packets to advanced semiconductors for autos, medical devices, and consumer electronics.
Appropriately titled Holistic Third-Party Risk Management, our session discussed three facets or avenues by which issues around suppliers and other vendors can impact an organization. These include:
Enterprise Risks and Third Parties
In the first section, I outline what exactly is a third-party and how they consist of both upstream (e.g., suppliers) and downstream (e.g., distributors) activities. These activities can create a host of risks ranging from operational and resilience to reputation impacts, cybersecurity issues, and more.
These potential threats to not just an organization’s goals but its very survival in some cases is why robust oversight of third-party risks is so important. Doing so helps protect the organization from reputational harm and legal scrutiny but also helps ensure third parties are a good fit to the organization.
To properly understand third-party risks, their impact, and what should be done about them, there must both be active collaboration with relevant business units and a solid grasp of any suppliers and vendors (4th and 5th parties) of your direct supplier. Adjusting procurement policies, setting clear expectations with the third party regarding performance and conduct, and independently verifying information are a few steps companies can take as part of their due diligence.
ESG Issues and Third Parties
This part of the conference session delivered by Susanna Cagle of NAVEX Global dives into the nuances of Environmental, Social, and Governance (ESG) criteria and how third parties can both positively and negatively impact those criteria.
ESG-related risks can include legal, technology, and reputation, while opportunities for companies who embrace ESG standards include increased resilience, improved efficiencies, and new markets.
In the U.S., the Securities and Exchange Commission currently requires ESG disclosures around human capital, while climate disclosures are expected to be another requirement by the end of 2021. Susanna explains that directives announced by the EU earlier in 2021 are just as, if not more significant, than the GDPR data and privacy rules.
To get ahead of third-party risks and reporting requirements of ESG, there needs to be a clear differentiation between external ESG issues and a company’s financial results. Develop priorities based on regulatory and compliance requirements, unique issues to your brand, and actions competitors are taking.
Third Parties and Anti-Corruption Risks
In this section, Michael Volkov, CEO of Volkov Law Group, outlines different anti-corruption third-party risks. Examples can include bribery, fraud, money laundering, sanctions, and cyber/data. Four minimal steps for minimizing risks consist of information collection, analysis and investigation, red flags and resolutions, and residual risk mitigation.
When evaluating third parties, your organization should determine if they have effective risk assessment processes and clear risk criteria they periodically update.
Due diligence requirements related to anti-corruption will vary between industry, country, and the amount of business your company is conducting with the firm. Michael also stresses the importance of carefully examining any third parties that may fall under the scrutiny of the Office of Foreign Assets and Control, which is an agency of the U.S. Government that develops and enforces international sanctions against individuals and governments around the world.
In the final section of the session, Michael, Susanna, and I dive into steps for developing a holistic approach to managing third-party risks. These steps can include clearly understanding and prioritizing what risks your company should be considering, integrating ESG into your procurement processes, integrating and breaking down silos, increasing transparency, and more.
To learn more, I highly recommend watching the entire 45-minute session when the recording becomes available. You can register for free by visiting the NAVEX Next Virtual Conference page.
I want to extend a big thank you to NAVEX Global for inviting me to participate in this event and that I look forward to presenting in another conference session soon!
Is your company evaluating and managing third-party risks based on these 3 criteria or standards?
Supply chain and third-party risks impact everyone and every organization around the globe and will continue to have more uncertainty in the years ahead. To share your experience or insights, please don’t hesitate to leave a comment below or join the conversation on LinkedIn.
And if your company is struggling to get a handle on its third-party risks and feel like things are slowly spinning out of control, please don’t hesitate schedule a meeting to discuss your specific situation today!