Discover more about our courses.
ICA is the trusted partner for you and your organisation.
Written by Guillermo Iribarren on Thursday August 25, 2016
Germany is the 3rd largest country in the world in terms of its international trade. The country exports an impressive 46,9% of its GDP. To achieve this, German companies have developed a complex supply chain integrated by thousands of third parties, subsidiaries and agents worldwide. As the strategic importance – and Compliance risks - of third parties increases, companies have to mitigate business risks while building trust in their partners.
Business risks raised by third parties
Traditionally, companies have mitigated internal risks by applying Enterprise Risk Management (ERM) systems. As the enterprise´s activity expanded throughout outsourcing and offshoring strategies, a long list of external risks emerged. At this point, companies realised two things: first, they could not outsource their legal responsibilities; second, they needed to put in place systems to mitigate business risks raised by third parties.
It has become clear that suppliers, distributors, licensees, franchisees, joint ventures partners and other third parties can threaten business continuity. Actually, there are other significant threats beyond the classic risk of supply chain disruption: business risks come also in the form of data breaches, operational failure, reputational damage, commercial losses, Compliance and ethics violations and large financial penalties.
The risk of prosecution due to the behaviour of a third party is high. Some laws and regulations with extraterritorial application, such as the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Anti-Bribery Act (UKBA), include third party business conduct as a source of criminal liability for organisations and individuals including directors, managers and employees.
This reality has led to an increasing concern in the market about such risks. According to a survey conducted by CEB (a best practice insight and technology company) in the first quarter of 2016 among108 senior executives in Risk, Audit, Finance, and Compliance at leading companies, “vendor relationship management” ranks 3rd in the top ten of emerging risks.
What are the major business risks raised by third parties? In a global survey conducted by Deloitte in 2016, members of senior management across industries identified several top areas of third party risk. Among them, we also found some areas related to integrity and Compliance:
Third party risk multipliers: subsidiaries and agents
Subsidiaries, agents and other entities under operational control of the company are risk multipliers. Actually, the risk assumed by subsidiaries while doing business with local third parties can impact the parent company as a consequence of ownership and control. Also, under the principle of agency, the conduct risk of third parties’ agents could be transferred to your own company.
This risk goes through the roof when multipliers are located in emerging markets or transitioning economies. The understanding of this threat is critical for German companies: Germany is one of the largest foreign direct investors into China, which, according to International Transparency, is high for perceptions of corruption.
The misperception that companies must tolerate unethical behaviour by third parties to obtain businesses in emerging markets is coming to an end. For example, along with international enforcement, it is well known that an aggressive anti-corruption campaign is ongoing in China. Other emerging regions in the world, such as Latin America, are also experiencing a “Compliance Awakening”.
Clear judgement is necessary to set your appropriate third party risk tolerance, both to take advantage of the business opportunities and, at the same time, to clearly mark your red line in this grey zone.
How to mitigate business risks raised by third parties
A comprehensive system for third party risk management is necessary. This system could face critical challenges. First, third party behavior is usually out of the control of the company. Second, it is difficult to assess third parties´ governance, internal controls, financial accuracy and commitment to Compliance and ethics. Finally, the risk (inherent and residual) could change throughout the business relationship in a rapid changing environment.
There are several automated or manual tools available, but the system should include the following elements:
It is true that companies have different levels of risk exposure depending on industry and geographic locations. But in addition to the business risks listed above, the following Compliance and ethics areas should be addressed by companies´ third party risk management systems:
The presence of a well-defined third party risk management system helps to mitigate compliance risks. However, of itself this is not enough: companies need confidence in their partners to create value.
How to trust in third parties
The business case for engaging with third parties has evolved from the reduction of operational costs to the creation of value. This strategic shift has implied a change in ownership of third party risk management: from operational staff (such as procurement) to corporate leadership. For instance, according to the German Corporate Governance Code, the Management Board has the following tasks and responsibilities regarding creation of value, strategy, Compliance and risk management:
I believe that the creation of value requires trusting relationships with third parties. To build trust, companies need not only systematically to mitigate Compliance and ethics risks. They need to choose the right partner from the scratch, embedding integrity and Compliance into their business analysis. This strategic move will require more transparency in the third party relationship. More transparency leads to more trust, engagement and creation of value.
In many cases we see that Compliance teams only takes action (eg due diligence) when the business relationship is almost established. This means that Compliance and integrity insights tend not to be systematically included in the strategic decision of selecting business partners.
By combining all tasks and responsibilities listed above, German managers have the opportunity to integrate Compliance, integrity and risks insights into the on-boarding decision-making process. This would enrich the strategy on third parties in order to create value for the enterprise, shareholders and stakeholders.
According to research conducted by CEB in 2015, companies can improve risk mitigation and reduce associated Compliance costs by applying a value lens to the strategic decision of on-boarding new business partners.
We believe that integrity enhances competitiveness and performance. This approach offers a clear opportunity for German companies to improve confidence and long-term profitability across their large and risky international third party ecosystem.
 To see an example of Germany´s supply chains: German-Central European Supply Chain
 See Q1 Emerging Risks Report https://www.cebglobal.com/risk-audit/risk-management/emerging-risks.html
 See Third Party Governance and Risk Management: The treat is real. Global Survey 2016. https://www2.deloitte.com/content/dam/Deloitte/uk/Documents/audit/deloitte-uk-third-party-gov-risk-management-2016.pdf
 See German investors in China http://www.pwc.de/de/internationale-maerkte/german-business-groups/assets/german-investors-in-china.pdf
 See China country profile of Transparency International http://www.transparency.org/country#CHN
 See Corruption in Latin America is skyrocketing. Here's why that’s good news
 See more information about elements 1 to 6 here: Managing when vendor and supplier risk becomes your own. http://www.mckinsey.com/business-functions/risk/our-insights/managing-when-vendor-and-supplier-risk-becomes-your-own
 See articles 4.1.4 and 4.1.5 of the German Corporate Governance Code http://www.dcgk.de/en/code.html
See Reducing the Costs of Third Party Compliance https://www.cebglobal.com/blogs/corporate-compliance-two-ways-to-manage-the-risk-of-third-party-vendors/
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.