Successfully Managing Third Party Risks
By Sarah R. Foley, Compliance Specialist, Orrick, Herrington & Sutcliffe LLP (Former Sr. Manager, Global Ethics & Compliance, The Hershey Company)
A company’s operational landscape is ripe with potential threats all of which may have significant operational interruptions and ones that can often be mitigated with robust controls. Undertaking a proactive approach to the management of and establishing strong relationships with your business partners helps avoid commercial and reputational risks. Further, extending compliance expectations to third parties and a robust third party management approach addresses both U.S. and international regulators’ expectations with respect to how a company identifies, addresses, manages and remediates potential concerns as it relates to the activities performed by entities on behalf of your company.
Regulators enhance their expectations on third party management.
Companies rely heavily on third parties to conduct business, and regulators’ evaluation of the way in which organizations manage their business partners has become all the more focused on the ability to effectively address risks. Therefore, it is important for companies to not only know who is conducting business on behalf of your organization, but also how they are conducting business. The U.S. Department of Justice (DOJ) established meaningful guidelines for establishing and maintaining an effective compliance program, which—in part—includes managing third party risks. This guidance focuses on undertaking a risk-based approach that addresses “red flags” affecting your company’s operating model through the design of strong procedures for engaging, screening and monitoring third parties that help ensure the activities are actually performed and compensated in line with the services engaged.
Similarly, U.K. regulators also articulated expectations for third party risk management and, like U.S. regulators, hold a company accountable for parties or “associated persons” acting on its behalf. In particular, the U.K. Bribery Act, 2010 (UKBA) and U.K. Modern Slavery Act (UKMSA) specifically address potential concerns brought upon a company by its business partners. The UKBA and UKMSA also establish expectations related to third party due diligence for a company to strive to ensure an understanding of the types of partners acting on its behalf. This includes evaluating the type of services provided by the business partner and legal requirements for the jurisdiction within which services are provided, as well as the organizational structure of the business partner itself and background of its principals.
Although both U.S. and U.K. regulators recommend procedures to assist a company in identifying possible challenges with third parties, merely identifying but not addressing risks is insufficient. Companies also must take appropriate actions to mitigate risk to their operations that were identified through due diligence.
A Roadmap to Successfully Managing Third Parties
Understanding regulatory expectations is half the battle. It is equally important for organizations to appreciate compliance risks specific to their industry and operations and implement mitigation efforts that address these risks. Some general principles to consider include:
- Perform a risk assessment. Undergoing a risk assessment helps your company identify the legal, financial, operational and reputational impacts affecting the company’s operations. It also is a vehicle to help allocate resources to mitigate these risks. When undertaking a risk assessment, focus the scope of that work on identifying and managing existing or potential risks of legal or policy (e.g., code of conduct) non-compliance because often these can lead to penalties that affect an organization’s ability to successfully operate.
- Identify your dependencies. Identifying the third parties your organization relies upon coupled with the insights gained from a risk assessment will help establish a due diligence model that prioritizes a review of partners that are the most strategic to the company and could cause the most significant legal and regulatory exposure.
- Evaluate third parties’ performance. Understanding services provided by third parties also helps identify areas where your company is potentially at risk. Utilizing compliance questionnaires gathers information that focuses on key aspects of the third party engagement. Additionally, capturing this information assists in implementing a governance structure for day-to-day management of the third party, as well as identify and respond to gaps in the engagement model.
- Educate both internal and external stakeholders. Discussing compliance expectations with both employees and business partners is critical to striving to ensure missteps are avoided. Frequent training is a vehicle that helps deliver these expectations and establishes clear ownership of risks and drives transparency. Leveraging outputs from a compliance risk assessment and the evaluation of third parties allows employees to better understand existing and emerging risks and helps prioritize remediation activities. Likewise, including compliance language and audit rights in agreements with third parties formalizes the importance of adhering to applicable legal regulations and internal compliance policies and processes.
- Monitoring and auditing third parties helps companies stay ahead of risks. Establishing a sustainable approach to monitoring third parties positions companies to proactively address concerns that could arise. Design an approach that provides real-time information to your organization and captures publicly available information (e.g., adverse and social media, litigation, interactions with government entities). Equally imperative is the ability to audit third parties, which is a critical tool to operationalize compliance programs and capture metrics to help measure behavior occurring on behalf of your company.
Risks are unpredictable. Be proactive when identifying and addressing third party risks.
With an evolving regulatory landscape, reinforcing compliance expectations is important to identifying and remediating potential legal and regulatory risks to your company. Proactively understand how the impact of compliance failures created by third parties could cause significant brand and commercial risk to your organization, and identify resources that could help respond to this risk. This includes looking at your organization’s compliance program framework, making sure compliance activities and processes are not siloed, and the appropriate level of resources are provided to deliver success when addressing regulatory requirements and expectations. A company should undertake compliance efforts that allow it to be able to demonstrate that adequate procedures are in place that addresses specific risks to your organization should its compliance program ever come into question or be challenged. Establishing and maintaining an effective global compliance program will become a commercial differentiator that protects the organization and drives strategic and commercial success for its consumers.
Sarah Foley is a Compliance Specialist with Orrick, Herrington & Sutcliffe LLP. She is an experienced compliance professional with a history of success developing, implementing, leading and setting the strategic direction for global ethics and anti-corruption compliance programs for multinational corporations. Sarah is highly skilled in global investigations, fraud, anti-corruption, and economic sanctions matters. She has significant experience conducting global compliance trainings, investigations and risk assessments. Prior to joining Orrick, Sarah was most recently the Sr. Manager, Global Ethics & Compliance for The Hershey Company, where she was responsible for setting strategy for, overseeing and implementing the company’s global ethics and anti-corruption compliance program. Before Hershey, she worked for Weatherford, a provider of oilfield services and products, and was responsible for managing, developing and implementing its global ethics and compliance program and performing global anti-corruption risk assessments.