Increased globalization has resulted in businesses expanding their footprint across the world. To drive efficiency, most organizations tend to outsource non-core activities to external or third parties. While the growing network of third parties can help organizations sustain themselves in a challenging environment, it has also brought with it risks such as bribery and corruption, Intellectual Property (IP) or data theft, regulatory non-compliance, quality issues and many more. It is observed that potential risks are only assessed when on-boarding a third party, with little monitoring done later on. Such risks, if not evaluated and addressed at regular intervals, can go undetected and possibly snowball into serious issues, with severe repercussions.
Caught on the back foot
EY’s recently released Asia-Pacific Fraud Survey 2017, Economic uncertainty or Unethical conduct: How should over-burdened compliance functions respond?, suggested that most organizations are not well equipped when it comes to monitoring these third parties. The survey highlighted that although a majority of the respondents recognize third party risks as a rising concern, a large number of organizations still have a reactive approach when on-boarding and monitoring their business vendors. Thirty-two percent of APAC respondents said their organizations do not conduct any audit reviews of their third parties or are unaware of such activities when managing existing ones. Twenty-five percent of APAC respondents did not know if their organizations have been conducting compliance audits in a timely manner, indicating a clear gap in addressing third party risks.
The first step for organizations is to move beyond the current unstructured approach and adopt comprehensive and proactive strategies to bridge the gap between on-boarding and monitoring third parties on a regular basis. A robust and proactive Third Party Risk Management program could help organizations mitigate threats in their nascent stages.
Building a strong Third Party Risk Management program
A Third Party Risk Management function manages risks associated with third parties to enable smooth functioning of the day-to-day business operations. It can also help organizations identify and engage with third parties who can meet their contractual and regulatory requirements. It is a structured approach to manage and deter threats arising from third party relationships to stay ahead of the competition, enhance regulatory compliance, and manage business risks.
Some other advantages of adopting a Third Party Risk Management framework include –
- Managing risks – Regular monitoring of third party risks, leading to early fraud detection as well as deterrence
- Minimizing costs – Cost of monitoring third parties and adequate due diligence can be optimized through frameworks using technology and automation
- Maintaining standardization – Improving quality, accuracy and uniformity by automating collection of all the information on third parties
- Storing information – Preserving all the third party due diligence information with an audit trail, so that the results are not tampered with
- Enhancing transparency – Access of the program to all parties involved in order to drive greater transparency and minimize potential threats
- Offering flexibility – Customizing the program as per the requirements and risk level of third parties
- Driving compliance – Greater regulatory compliance, thereby mitigating the risk of paying heavy penalties
Organizations worldwide are striving to establish processes to maintain the sanctity of third party relationships and mitigate risks. As organizations increase cross-border trade and business dealings, their management will be expected to prioritize management of third party risks.