Frédéric Bastiat in the 19th century could have been talking (see quote above) about the complexity of managing risk and compliance across business in the 21st century. So often organizations look at the surface of a relationship and fail to see the significance and exposure that can cascade across the organizations causing severe damage to reputation and exposure to legal and operational risks.
A chain is only as strong as its weakest link... in the case of business relationships this could be an organization’s supply-“chain” or other business relationship such as vendors, outsourcers, and service providers that bring increased risk and exposure to the organization.
Today’s organization is a complex diversity of processes and business relationships that span the globe. Organizations struggle to identify, manage, and control Governance, Risk Management, and Corporate Compliance (GRC) across extended business relationships. Whether it is called 3rd party, vendor, or supply-chain – risk and compliance challenges do not stop at the traditional boundaries of the organization. Adding to this is the growth and focus of Corporate Social Responsibility (CSR) initiatives that are forcing organizations to determine whether their business partners hold the same values and ethics that the organization communicates to its stakeholders and customers. Further, there are specific pressures within vertical industries to formally manage 3rd party risk (e.g., the FDIC released guidance this past summer requiring banks to manage 3rd party risk).
The issues organizations face in managing risk and compliance across business relationships include:
- Code of conduct. Communicating and validating that the business partner and its employees share the same values and ethics as the organization.
- Labor standards. Managing adherence to a complex array of international laws while validating that the business partner has proper controls to ensure compliance to policies on working hours, forced labor, child labor, wage, discrimination/harassment, and benefits.
- Corporate social responsibility. Ensuring that the business partner is communicating and reporting similar corporate values on social, environmental, and financial practices (e.g., global reporting initiative).
- Anti-corruption. Conveying policies and training while validating compliance to anti-corruption and bribery statutes and standards (e.g., Foreign Corrupt Practices Act, OECD Anti-Bribery Convention).
- Operational risks. Identification, assessment, management, and monitoring of operational risks across business relationships and their impact on the organization.
- Supply-chain risks. The management and monitoring of specific risks within supply-chains and their impact on the organization and its products.
- Environmental. Ongoing monitoring of business partners’ commitment to environmental standards as well as compliance with laws and regulations that impact environmental responsibility.
- Health and safety. Ensuring that business partners are committed to safe working environments free from hazards.
- Security. Validating that business partners are meeting obligations to protect the physical and information technology environments.
- Privacy. Enforcing privacy requirements on personal information as well as sensitive corporate information across business partner relationships.
- Quality. Providing for ongoing monitoring to ensure that quality and/or service level agreements are met in adherence to contract and expectations of the business relationship.
The ultimate platform to manage risk and compliance across 3rd party relationships provides:
- Definition and modeling of relationship, risks, compliance issues, and controls across extended business relationships;
- Communication and attestation of policies, procedures, and code of conduct;
- Delivery of training on code of conduct, compliance, policies, and procedures;
- Integration of risk and compliance intelligence that alerts the organization to new developments and issues that could impact specific relationships and/or geographies;
- Self-assessment by each business partner of the risk and compliance requirements within that particular business relationship;
- Providing for independent audits to validate controls, risk, and compliance to laws and contractual requirements; and,
- Scoring of risk based on the business relationship and status of assessment and audit findings.
Large organizations around the world struggle and are actively looking for solutions and service offerings to answer these 3rd party risk and compliance obligations. Just in the past few months Corporate Integrity has interacted with over two dozen of the Fortune 500 looking for solutions and professional services to assist them in their 3rd party risk and compliance strategies. Within one organization, I have sat on a social accountability advisory board aimed at managing international labor standards, workplace safety, and code of conduct across 5000+ vendors in a global supply chain.
This is a particularly golden opportunity for technology providers that offer Software as a Service (SaaS), allowing organizations to use a software platform hosted on the Internet rather than opening up internal networks to hundreds or thousands of business relationships.
Specific solutions in the 3rd party risk and compliance space include:
- Outsourced GRC process management. Organizations such as Intertek are providing a full-service offering to outsource management and monitoring of 3rd party/supply-chain risk and compliance. This includes a software platform hosted in a SaaS model to communicate policies, deliver training, and assess risk while also providing for independent validation through onsite audits.
- Code of conduct and policy communication. Communication, attestation, and training on code of conduct and specific policies is critical to managing compliance across business relationships. Axentis offers the strongest platform for the ongoing communication and training of policies and procedures. Integrity Interactive is another vendor offering a subscription platform
- Compliance & risk assessment. To manage risk, organizations need a platform that allows them to push self-assessments on risks, controls, and compliance to business partners. This is further enhanced by allowing independent auditors to also use the platform to assess business relationships. Archer Technologies, Axentis, and Compliance 360 have focused solutions to manage a full risk and compliance process across 3rd party relationships.
Third party risk and compliance issues are significant, overwhelming, growing, getting more complex, and not going away. Corporate Integrity sees 3rd party risk and compliance management as one of the most challenging GRC issues facing organizations across industries over the next 18 months.