A New Role for Compliance in Managing Third-Party Risks
Written by Ronnie Kann
Small staff. Finite resources. Limited line of sight. Increasing risks. Do these characterize the compliance challenges of managing third parties or the challenges of parenting a teenager? The answer is likely both.
What, if anything, can we learn about managing third-party risks from thousands of years of human history raising children? After hours on the Internet and browsing the self-help aisle at my local library, I discovered common guidance across doctors, philosophers, and humorists alike: do not try to control teenage behaviors (you cannot); instead, engage early and provide guidance and conditions to help the relationship succeed.
Now, before you ask what this has to do with compliance and ethics, just bear with me. These lessons are profound and directly in line with CEB’s latest research on successfully managing third-party compliance risks.
In a survey of more than 300 chief compliance and ethics officers, we found that compliance professionals are sharply focused on the challenge of third parties. Nearly half of the companies surveyed identify third parties as a top risk, and monitoring third-party controls is the top program priority in 2015.
And for good reason. Compliance and ethics executives are often held accountable for the behavior of the company’s third parties, yet have little actual control over them, if any. As we dig deeper into our survey findings, we identify several drivers:
The number of third parties is overwhelming and will only continue to grow. Of the 60 percent of companies that report working with over 1,000 third parties, up to 250 are designated as high risk. In fact, the median compliance and ethics program already works with 5,426 third parties. Now, consider that nearly 20 percent of companies are uncertain about how many third parties they work with.
Initial due diligence is not a security blanket. Sure, your initial certification efforts are comprehensive (73 percent of compliance and ethics programs control due diligence activities). But companies perform less document collection after the first year and fall short in correcting for inevitable changes in third-party risk levels over time.
A mandate for third-party oversight does not come with unlimited information access. Compliance is limited in its ability to draw real-time insights on third parties’ changing risk profiles. Specifically, CEB found that only 35 percent of companies have access to third-party audit findings and only 22 percent access third-party databases.
In response, most compliance programs use a legal approach (such as contractual standards, training and policy certifications, and site audits) to influence the way third parties conduct business on their organization’s behalf. This approach is, however, very costly for compliance, functional partners, and the business generally. The median compliance program spends 10 percent of its budget and 15 percent of total program time on third-party risk management.
More importantly, this conventional approach fails to fully appreciate the inherent limits of compliance’s influence over third-party behavior, and the way in which third-party risk is created in the first place. This can be seen in common assumptions compliance professionals make on a regular basis:
• Assuming that third-party volume is the challenge and that we must reduce the number of third parties through risk-based segmentation;
• Assuming that visibility into third-party behavior and operations is the best way to understand risk exposure; and,
• Assuming that we can best influence third parties by setting and enforcing standards for behavior.
These assumptions lead most compliance and ethics programs to act as third-party Enforcers, literally trying to manage third-party behavior through contractual safeguards, enhanced due diligence, certification requirements, and the like. In a recent survey, 75 to 80 percent of compliance officers self-identify as Enforcers.
CEB research suggests, however, that Enforcers think about third-party risk management from the wrong starting point. Right now, Enforcers spend time and resources assessing individual third-party partners after the relationship has already been established (see Figure 1). They miss the opportunity to work with their internal partners early on to assess the decisions that drive third-party risk creation in the first place.
Figure 1:
Those leading compliance and ethics officers who take advantage of opportunities to get involved earlier are the Business Enablers. They create an environment inside their company that fosters efficient third-party risk management. In particular, Enablers arm internal decision-makers with the guidance, information, and incentives that support cost-efficient risk reduction.
The most effective Enablers concentrate on three things:
Focus on Risk Creation: Enablers help the business price compliance risk early in the selection process and identify the specific activities that drive risk creation. They ask, “How can we best integrate compliance into business strategy? When should we use third parties?” Enablers reduce more risk by focusing on the decisions and processes that create it in the first place.
Make Compliance Easy: Enablers provide clear rules and ensure actionable and easy-to-follow procedures. They ask, “How can we design easy-to-follow, third-party procedures that support flow of information and make internal role expectations clear?” Enablers recognize that internal partners’ current inability to manage third parties is a major driver of the organization’s risk exposure.
Build Network Capabilities: Enablers recognize that while direct influence on individual third-party behavior is limited, they can address the drivers of risk creation by aligning incentives and long-term interests. They ask, “How do we identify the critical relationships that need, and will accept, our support?”
The tangible benefits of taking an Enabler approach are substantial:
• Top-Quartile Enablers are more than twice as likely as Bottom-Quartile Enablers to strongly agree that their third-party programs reduce third-party risk.
• Top-Quartile Enablers take only 42 percent as long as Bottom-Quartile Enablers to approve the use of new third parties.
• Top-Quartile Enablers spend 24 percent less time reviewing third parties than Bottom-Quartile Enforcers, for no additional compliance risk.
So, as is true for developing a healthy relationship with teens, getting involved as early as possible and shifting the mindset from Enforcer to Enabler will pay dividends in managing third-party risks.
AUTHOR BIOGRAPHY:
Ronnie Kann is a Principal Executive Advisor at CEB in the company’s Legal, Risk & Compliance practice. In this role, he works with chief compliance officers at Fortune 500 companies and other multinationals on issues such as corporate culture, employee misconduct, compliance costs, and everyday operations, as well as training and measurement. He believes corporate culture is an ongoing project, not a one-and-done process, and must be fine-tuned according to ever-changing and complex market and workplace environments.
