Germany is the third largest country in the world in terms of its international trade. The country exports an impressive 46.9% of its GDP. To achieve this, German companies have developed a complex supply chain, integrating thousands of third parties, subsidiaries and agents worldwide. As the strategic importance – and compliance risks – of third parties increases, companies have to mitigate business risks while building trust in their partners.
Business risks raised by third parties
Traditionally, companies have mitigated internal risks by applying enterprise risk management (ERM) systems. As enterprises’ activity expanded through outsourcing and offshoring strategies, a long list of external risks emerged. At this point, companies realised two things: first, they could not outsource their legal responsibilities; second, they needed to put in place systems to mitigate business risks raised by third parties.
It has become clear that suppliers, distributors, licensees, franchisees, joint venture partners and other third parties can threaten business continuity. In fact, there are other significant threats beyond the classic risk of supply chain disruption: business risks also come in the form of data breaches, operational failure, reputational damage, commercial losses, compliance and ethics violations and large financial penalties.
The risk of prosecution due to the behaviour of a third party is high. Some laws and regulations with extraterritorial application, such as the US Foreign Corrupt Practices Act and the UK Anti-Bribery Act, include third party business conduct as a source of criminal liability for organisations and individuals, including directors, managers and employees.
This reality has led to increasing concern in the market about such risks. According to a survey conducted by CEB (a best practice insight and technology company) in the first quarter of 2016 among 108 senior executives in risk, audit, finance, and compliance at leading companies, vendor relationship management ranks third in the top ten of emerging risks.
What are the major business risks raised by third parties? In a global survey conducted by Deloitte in 2016, members of senior management across industries identified several top areas of third party risk. Among these, we also found some areas related to integrity and compliance.
- Disruption in customer service due to third parties
- Breach of regulation or law through third party action
- Reputational damage arising from third party behaviour
- Breakdown of supply chain due to failure of third parties
- Financial fraud or exposure created by third party behaviour
- Failure of financial viability of a third party, impacting delivery
Third party risk multipliers: subsidiaries and agents
Subsidiaries, agents and other entities under operational control of the company are risk multipliers. Actually, the risk assumed by subsidiaries while doing business with local third parties can impact the parent company as a consequence of ownership and control. Also, under the principle of agency, the conduct risk of third parties’ agents could be transferred to your own company.
This risk goes through the roof when multipliers are located in emerging markets or transitioning economies. The understanding of this threat is critical for German companies: for example, Germany is one of the largest foreign direct investors into China, which, according to Transparency International, scores low on perceptions of corruption.
The misperception that companies must tolerate unethical behaviour by third parties to obtain business in emerging markets is coming to an end. For example, along with international enforcement, it is well known that an aggressive anti-corruption campaign is ongoing in China. Other emerging regions in the world, such as Latin America, are also experiencing a ‘compliance awakening’.
Clear judgement is necessary to set your appropriate third party risk tolerance, both to take advantage of the business opportunities and, at the same time, to clearly mark your red line in this grey zone.
How to mitigate business risks raised by third parties
A comprehensive system for third party risk management is necessary. This system could face critical challenges. First, the behaviour of third parties is usually out of the control of the company. Second, it is difficult to assess third parties’ governance, internal controls, financial accuracy and commitment to compliance and ethics. Finally, the risk (inherent and residual) could change throughout the business relationship in a rapidly changing environment.
There are several automated or manual tools available, but the system should include the following elements.
- A list of all third parties
- A comprehensive understanding of the specific risk posed by the third party
- A risk-based segmentation of the third party ecosystem
- Rule-based due diligence testing
- A disciplined governance and escalation framework
- Auditing, including in-house auditing and visits to third parties’ facilities
- Ongoing monitoring and continuous improvement
- A specific integrity and compliance programme, including the extension of hotlines to third parties
- Risk and crisis management protocols
- The integration of IT applications across the business and the use of data science and analytics
It is true that companies have different levels of risk exposure, depending on industry and geographic locations. But in addition to the business risks listed above, the following compliance and ethics areas should be addressed by companies’ third party risk management systems.
- Data privacy breaches
- Code of conduct and integrity violations
- Quality issues
- Health and safety standards
- Modern slavery
- Human rights
- Conflict minerals
- Bribery and corruption
- Trade compliance and sanctions
- Money laundering and terrorism financing
The presence of a well-defined third party risk management system helps to mitigate compliance risks. However, of itself this is not enough: companies need confidence in their partners to create value.
How to trust in third parties
The business case for engaging with third parties has evolved from the reduction of operational costs to the creation of value. This strategic shift has implied a change in ownership of third party risk management: from operational staff (such as procurement) to corporate leadership. For instance, according to articles 4.1.4 and 4.1.5 of the German Corporate Governance Code, the management board has the following tasks and responsibilities regarding creation of value, strategy, compliance and risk management.
- ‘The Management Board is responsible for independently managing the enterprise in the interest of the enterprise, thus taking into account the interests of the shareholders, its employees and other stakeholders, with the objective of sustainable creation of value.
- The Management Board develops the enterprise's strategy, coordinates it with the Supervisory Board and ensures its implementation.
- The Management Board ensures that all provisions of law and the enterprise’s internal policies are abided by and works to achieve their compliance by group companies (compliance).
- The Management Board ensures appropriate risk management and risk controlling in the enterprise.’
I believe that the creation of value requires trusting relationships with third parties. To build trust, companies need to do more than systematically mitigate compliance and ethics risks. They need to choose the right partner from the outset, embedding integrity and compliance into their business analysis. This strategic move will require more transparency in the third party relationship. More transparency leads to more trust, engagement and creation of value.
In many cases we see that compliance teams only take action (e.g. due diligence) when the business relationship is almost established. This means that compliance and integrity insights tend not to be systematically included in the strategic decision of selecting business partners.
By combining all tasks and responsibilities listed above, German managers have the opportunity to integrate compliance, integrity and risk insights into the on-boarding decision-making process. This would enrich the strategy on third parties in order to create value for the enterprise, shareholders and stakeholders.
According to research conducted by CEB in 2015, companies can improve risk mitigation and reduce associated compliance costs by applying a value lens to the strategic decision of on-boarding new business partners.
We believe that integrity enhances competitiveness and performance. This approach offers a clear opportunity for German companies to improve confidence and long-term profitability across their large and risky international third party ecosystem.