Wendy Chang, Associate Director at Deloitte Risk Advisory looks at ways to effectively monitor third-party risks
Today, companies rarely go to market alone. Corporate success is increasingly supported by complex supply chains, outsourcing and other third-party relationships, forming what we term the “extended enterprise.” Products and services are now, more than ever, created, marketed and delivered through a network of strategic alliances and joint development arrangements. Greater reliance is being placed on business partners in opening up new markets, building brand value and growing revenues.
Yet the same third-party relationships that help bring value also carry substantial risk. Organizations’ increased reliance on their extended enterprises effectively reduces their overall visibility over their critical operations. This is because the legal separation from their third parties affords lower transparency than with internal business functions. As can be seen with recent high-profile corporate scandals, which often have third-party issues as their root causes, organizations are highly susceptible to reputational damage based on the failings of their third parties. Essentially, the full spectrum of the risks of the third party have become the risks of the organization as well.
Furthermore, many regulatory regimes, especially in relation to anti-bribery and corruption, make companies responsible for the actions of their third parties, including in a cross-border context, where visibility and transparency is even lower.
These issues add to the difficulties in ensuring proper contractual performance by third parties, in terms of service delivery and quality, correct charging of costs and receipt of revenue streams, and can strain business relations in the extended enterprise, especially when economic conditions are tough.
Organizations therefore need to identify, prioritize, manage and monitor third-party risk as they would their own. Failure to do so adversely affects company performance and could potentially lead to total business failure. Effective management of third-party risk provides opportunities to create value.
With this in mind, organizations should consider the following key concepts:
Review your third-party relationships
A thorough review to identify all third parties, and the contracts that exist with them, helps an organization to understand its third-party landscape and contractual obligations. Such a review can help identify and address gaps in an organization’s knowledge of its third parties and areas of duplication, and can also create opportunities to improve management of third parties or negotiate better contract terms.
Define the objectives for your third-party relationships
It is vital to ask what you want to achieve from your third-party relationships. Effective risk management programs of all types usually begin with the articulation of objectives which, in turn, helps determine the risks that could prevent those objectives from being achieved and that therefore need to be managed. This ensures the management of third-party relationships remains practical and relevant.
Assess your third-party risks
Unique risks lurk in all third-party relationships and so an effective risk assessment is required to identify and prioritize them. Some third parties will pose greater risk than others, depending on such factors as the extent of the dependence on third parties and the degree to which the operations of the two parties are interconnected, as well as the financial scale of the relationship. Risk assessment is critical in ensuring that scarce resources are properly applied to the selection and ongoing monitoring of the highest risk third parties.
Establish a compliance programme
After signing a contract, many executives assume that the third party will perform as required and that relationships are properly managed. Some even assume that their contracts transfer risks to the third party when, in fact, it generates new risks for their own organizations. This demonstrates the critical need for setting up risk-based comprehensive programmes to review third parties’ compliance with their contracts and to address performance issues, whether service- related or financial.
Seek to make ongoing improvements
Reviews of third parties conducted under compliance programmes also provide opportunities for both parties to improve reporting processes, communication, controls, contractual terms and hence the overall relationship between them. In summary, third-party relationships depend on trust that is earned over time through ongoing dependability, fairness and sharing of accurate information, but tempered with an appropriate level of objectivity – the old adage, “Trust, but verify,” comes to mind.