Germany is the 3rd largest country in the world in terms of international trade. The country exports an impressive 46.9% of its GDP. To achieve this, German companies have developed a complex supply chain made up of thousands of third parties, subsidiaries and agents worldwide. As the strategic importance – and the Compliance risks – of third parties increase, companies have to mitigate business risks while building trust in their partners.
Business risks raised by third parties
Traditionally, companies have mitigated internal risks by applying Enterprise Risk Management (ERM) systems. As the enterprise's activity expanded through outsourcing and offshoring strategies, a long list of external risks emerged. At this point, companies realised two things: first, they could not outsource their legal responsibilities; second, they needed to put in place systems to mitigate business risks raised by third parties.
It has become clear that suppliers, distributors, licensees, franchisees, joint venture partners and other third parties can threaten business continuity. In fact, there are other significant threats beyond the classic risk of supply chain disruption: business risks also come in the form of data breaches, operational failure, reputational damage, commercial losses, Compliance and ethics violations and large financial penalties.
The risk of prosecution due to the behaviour of a third party is high. Some laws and regulations with extraterritorial application, such as the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Anti-Bribery Act (UKBA), include third party business conduct as a source of criminal liability for organisations and individuals including directors, managers and employees.
This reality has led to increasing concern in the market about such risks. According to a survey conducted by CEB (a best practice insight and technology company) in the first quarter of 2016 among 108 senior executives in Risk, Audit, Finance, and Compliance at leading companies, “vendor relationship management” ranks 3rd in the top ten of emerging risks.
What are the major business risks raised by third parties? In a global survey conducted by Deloitte in 2016, members of senior management across industries identified several top areas of third party risk. Among them, we also found some areas related to integrity and Compliance:
- Disruption in customer service due to third parties.
- Breach of regulation or law through third party action.
- Reputational damage arising from third party behaviour.
- Breakdown of supply chain due to failure of third parties.
- Financial fraud or exposure created by third party behaviour.
- Failure of financial viability of third party impacting delivery.
Third party risk multipliers: subsidiaries and agents
Subsidiaries, agents and other entities under operational control of the company are risk multipliers. Actually, the risk assumed by subsidiaries while doing business with local third parties can impact the parent company as a consequence of ownership and control. Also, under the principle of agency, the conduct risk of third parties’ agents could be transferred to your own company.
This risk goes through the roof when multipliers are located in emerging markets or transitioning economies. Understanding this threat is critical for German companies: Germany is one of the largest foreign direct investors in China, which, according to Transparency International, ranks high for perceptions of corruption.
The misperception that companies must tolerate unethical behaviour by third parties to obtain business in emerging markets is coming to an end. For example, along with international enforcement, it is well known that an aggressive anti-corruption campaign is ongoing in China. Other emerging regions in the world, such as Latin America, are also experiencing a “Compliance Awakening”.
Clear judgement is necessary to set your appropriate third party risk tolerance, both to take advantage of the business opportunities and, at the same time, to clearly mark your red line in this grey zone.
How to mitigate business risks raised by third parties
A comprehensive system for third party risk management is necessary. This system could face critical challenges. First, third party behaviour is usually out of the control of the company. Second, it is difficult to assess third parties' governance, internal controls, financial accuracy and commitment to Compliance and ethics. Finally, the risk (inherent and residual) could change throughout the business relationship in a rapidly changing environment.
There are several automated or manual tools available, but the system should include the following elements:
- A list of all third parties.
- A comprehensive understanding of the specific risk posed by the third party.
- A risk-based segmentation of the third party ecosystem.
- Rule-based due diligence testing.
- A disciplined governance and escalation framework.
- Auditing, including in-house auditing and visits to third party facilities.
- On-going monitoring and continuous improvement.
- A specific integrity and Compliance program, including the extension of hotlines to third parties.
- Risk and crisis management protocols.
- The integration of IT applications across the business and the use of data science and analytics.
It is true that companies have different levels of risk exposure depending on industry and geographic location. But in addition to the business risks listed above, the following Compliance and ethics areas should be addressed by companies' third party risk management systems:
- Data Privacy breaches
- Code of Conduct and integrity violations
- Quality issues
- Health and Safety standards
- Modern Slavery
- Human Rights
- Conflict Minerals
- Bribery and Corruption
- Trade Compliance and Sanctions
- Money Laundering and Terrorism Financing
The presence of a well-defined third party risk management system helps to mitigate compliance risks. However, of itself this is not enough: companies need confidence in their partners to create value.
How to trust in third parties
The business case for engaging with third parties has evolved from the reduction of operational costs to the creation of value. This strategic shift has implied a change in ownership of third party risk management: from operational staff (such as procurement) to corporate leadership. For instance, according to the German Corporate Governance Code, the Management Board has the following tasks and responsibilities regarding creation of value, strategy, Compliance and risk management:
- “The Management Board is responsible for independently managing the enterprise in the interest of the enterprise, thus taking into account the interests of the shareholders, its employees and other stakeholders, with the objective of sustainable creation of value.
- The Management Board develops the enterprise's strategy, coordinates it with the Supervisory Board and ensures its implementation.
- The Management Board ensures that all provisions of law and the enterprise’s internal policies are abided by and works to achieve their compliance by group companies (compliance).
- The Management Board ensures appropriate risk management and risk controlling in the enterprise.”
I believe that the creation of value requires trusting relationships with third parties. To build trust, companies need not only to mitigate Compliance and ethics risks systematically. They need to choose the right partner from scratch, embedding integrity and Compliance into their business analysis. This strategic move will require more transparency in the third party relationship. More transparency leads to more trust, engagement and creation of value.
In many cases we see that Compliance teams only take action (e.g. due diligence) when the business relationship is almost established. This means that Compliance and integrity insights tend not to be systematically included in the strategic decision of selecting business partners.
By combining all tasks and responsibilities listed above, German managers have the opportunity to integrate Compliance, integrity and risk insights into the on-boarding decision-making process. This would enrich the strategy on third parties in order to create value for the enterprise, shareholders and stakeholders.
According to research conducted by CEB in 2015, companies can improve risk mitigation and reduce associated Compliance costs by applying a value lens to the strategic decision of on-boarding new business partners.
We believe that integrity enhances competitiveness and performance. This approach offers a clear opportunity for German companies to improve confidence and long-term profitability across their large and risky international third party ecosystem.
To see an example of Germany's supply chains: German-Central European Supply Chain
See Q1 Emerging Risks Report https://www.cebglobal.com/risk-audit/risk-management/emerging-risks.html
See Third Party Governance and Risk Management: The threat is real. Global Survey 2016. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/audit/deloitte-uk-third-party-gov-risk-management-2016.pdf
See German investors in China http://www.pwc.de/de/internationale-maerkte/german-business-groups/assets/german-investors-in-china.pdf
See China country profile of Transparency International http://www.transparency.org/country#CHN
See Corruption in Latin America is skyrocketing. Here's why that’s good news
See more information about elements 1 to 6 here: Managing when vendor and supplier risk becomes your own. http://www.mckinsey.com/business-functions/risk/our-insights/managing-when-vendor-and-supplier-risk-becomes-your-own
See articles 4.1.4 and 4.1.5 of the German Corporate Governance Code http://www.dcgk.de/en/code.html
See Reducing the Costs of Third Party Compliance https://www.cebglobal.com/blogs/corporate-compliance-two-ways-to-manage-the-risk-of-third-party-vendors/