Conflicts of interest top the list of companies' third-party risk management concerns, surpassing bribery/corruption and fraud, according to a new study. The study presents and analyzes the findings of a survey of senior business professionals about their third-party risk management and due-diligence practices.
The 2016 Ethics & Compliance Third-Party Risk Management Benchmark Report was released at the end of October by Navex Global, an ethics and compliance software and services company headquartered near Portland, Ore. The results of the survey of 394 respondents found that 43 percent listed conflict of interest as their top ethics and compliance concern (up from 18 percent in 2015), with bribery and corruption second at 40 percent and fraud fourth at 33 percent (increased from 39 percent and 23 percent, respectively). Cybersecurity, a new category entering the survey at 39 percent, was the third greatest concern.
Report author Randy Stephens, J.D., Navex vice president of advisory services, is not too surprised that conflict of interest has overtaken bribery and corruption as the top concern. "Perhaps this indicates compliance leaders are beginning to get their arms around bribery and corruption, and are now discovering conflicts [of interest] an increasingly salient issue," he said. "But it could also be an early sign that there is a new problem in the global business ecosystem."
Managing Third-Party Risks
The report defines third parties as consultants, contractors (including temporary employees and subcontractors), vendors and suppliers, agents (such as advertisers, marketing agents and international intermediaries), and distributors, as well as joint venture partners of all types.
Although many organizations may be diligent with their own internal ethics and compliance programs, the report says, they fear that the risk represented by their third parties is a "Wild West" over which they have little control.
And with good cause. The survey data show that, from 2015 to 2016, respondents reported a 34 percent increase in legal or external regulatory actions in the previous three-year period "where a third party came under review as part of the action or defense."
To manage the third-party risks, companies engage in activities such as risk ranking, screening, data collection, documentation and ongoing monitoring of their third-party partners. They also exercise due diligence by studying and assessing third parties and their principals both before and after engagement. This is important, because their third party's risk becomes the company's risk.
The report found that fewer than half of organizations conduct due diligence on all their third parties and screen them before engagement, despite being aware of the risk. Furthermore, only 25 percent continuously monitor all their third parties or conduct audits on more than half of them. In addition, the survey found that one-third of organizations have faced legal or regulatory penalties that involved third parties, with 50 percent of those costing an average of $10,000 or more per incident.
The top concerns for respondents regarding implementation of their risk management program were the complexity of due diligence (41 percent), training third parties and information management (36 percent each) and the number of third parties managed (35 percent).
On the other hand, the greatest internal factors undermining the success of such programs, according to the survey, are lack of resources to adequately screen and monitor third parties (42 percent), lack of processes and protocols for managing third parties (41 percent), an inability to screen all third parties (37 percent) and no clear ownership for the program (32 percent). Despite these challenges, 59 percent of respondents reported that they intend to expand their engagement with their current third-party relationships.
Automation
These factors make a strong argument for the merits of automation, the report states. It found that companies using automated risk management systems are twice as likely to report success in their programs. In addition, a large percentage of respondents (60 percent) that use automated systems reported that they are more likely to screen all third parties.
Stephens points out that automation doesn't take the place of employees. Automation is a tool for handling lots of data efficiently, he said. "Then use your people to address the issues and focus on things that only a full-time person can do best and requires company knowledge, like risk tolerance and understanding the company culture," he explained.
Using Another Third Party to Conduct Due Diligence
Interestingly, the study found that one of the best third-party risk management strategies is to use another third party to monitor and conduct due diligence of a company's third parties. In 11 out of 16 areas of due diligence, a third-party provider discovered more "red flags" than organizations not outsourcing the task. Red flags include things such as third-party executives or managers being implicated in misconduct, individuals appearing on government watch lists or under government investigation, adverse media reports and financial instability.
Despite how convoluted it may sound, Stephens said, such arrangements make sense. The third-party provider has the resources and often automation to focus on monitoring, as well as better familiarity with the issues. However, he cautioned that companies still have to monitor and manage the third-party due-diligence provider. "If they screw something up, you still have to clean up the mess," he said.
Robert Teachout, SHRM-SCP, is a writer in Washington, D.C., who covers employment law and HR issues.