Companies interact with thousands of third parties. Even small companies have connections outside their walls with vendors, joint venture partners, customers, licensed distributors, royalty owners, supply chain intermediaries and even competitors, and any of those relationships can affect whether the company meets its objectives.
“The number of third parties can be astounding and those relationships carry risk. So, a risk-based approach is needed to ensure the most critical risks are considered,” says Jody Allred, partner in Risk Advisory Services at Weaver.
Smart Business spoke with Allred about how organizations can get started on assessing and managing third-party risks.
Why is this becoming more important?
As globalization and outsourcing have expanded so that companies can stay competitive, it’s become more evident that companies can be responsible for the actions of the third parties they work with. Companies need to take ownership even in an outsourced environment, especially consumer products companies and retailers concerned about reputation management.
There is also the issue of higher corporate visibility due to new regulatory requirements. One example of this is the SEC’s conflict minerals disclosure rule that requires companies to disclose the origin of certain metals from Central Africa.
What can happen if these risks aren’t managed?
Several incidents in the news highlight the need for third-party risk management. For example, Apple has faced significant concerns over the labor practices of its primary supplier of iPhone and iPad assembly in China. While this issue came to light in 2011, it continued in the news throughout 2013 and still lingers today.
In another instance, an HVAC contractor had access to Target’s internal network for billing and project communication. In 2012, the contractor’s account was leveraged to gain access to the network and plant malware that resulted in 40 million stolen credit cards, a 46 percent drop in fourth quarter profit in 2013 and the removal of the company’s CEO.
Do companies typically take the time to manage third-party risk?
The largest, first-class organizations and those in highly regulated industries like banking and insurance may have third-party risk management programs, but the average manufacturer or oil and gas company likely has not fully dealt with this issue.
How can organizations get started?
The biggest hurdle is obtaining the information needed to evaluate third-party risk because most companies don’t capture and collect the necessary data to build risk profiles. In order to properly evaluate their vendors and other external relationships, organizations must consider:
- Financial stability.
- Control environment.
- Technology environment.
- Access to information and intellectual property.
- Items critical in the supply chain.
- Regional risk.
- Operational characteristics.
- Regulatory and compliance interaction.
If you don’t have this information on-hand, you can build processes to capture the data over time. You have to start somewhere. So, consider what information you do have, and rate your third parties based on the financial, regulatory, operational and reputational risks. You cannot tackle thousands of vendors at once, but you can focus on those that present the most risk using your initial risk-based scoping.
Once you establish more formal protocols, you can build an evolving third-party risk management function to identify and respond to all risks on an ongoing basis. This may include auditing a vendor, implementing a compliance program, establishing corporate guidelines and/or better communicating your expectations.
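As an added worked example (editor's code, not a model from the article or from Weaver), the following Python script turns the eight factors listed above into a scoring and tiering pass over a small vendor inventory, then produces the prioritized list that the initial risk-based scoping needs. The weights, tier thresholds, vendor names and ratings are all assumptions for illustration. The two override rules, which raise a vendor's tier when it holds credentials into the internal network or handles sensitive data regardless of its score, are there because a low-scoring vendor with network access is exactly the case the HVAC-contractor incident above describes.

```python
"""Risk-based scoping of a third-party inventory.

Added example, not the article's or Weaver's own model. Each vendor is rated
1 (low risk) to 5 (high risk) on the eight factors the article lists, the
ratings are combined into a 0-100 score, and the score maps to a tier.
Two override ("floor") rules raise the tier regardless of score, because a
low-scoring vendor with credentials into the internal network is the one a
pure score would miss.
"""
from dataclasses import dataclass

# Assumed weights: relative importance of each factor (not a published standard).
WEIGHTS = {
    "financial_stability": 1.0,
    "control_environment": 1.5,
    "technology_environment": 1.5,
    "information_access": 2.0,        # access to information and intellectual property
    "supply_chain_criticality": 1.5,  # items critical in the supply chain
    "regional_risk": 1.0,
    "operational_characteristics": 1.0,
    "regulatory_interaction": 1.5,
}

# Assumed thresholds: score >= TIER_1_MIN is tier 1 (highest risk), and so on.
TIER_1_MIN = 70.0
TIER_2_MIN = 45.0


@dataclass
class Vendor:
    name: str
    ratings: dict                         # factor name -> 1..5
    network_access: bool = False          # credentials or connectivity into internal systems
    handles_sensitive_data: bool = False  # PII, cardholder data or intellectual property


def weighted_score(vendor: Vendor) -> float:
    """Weighted average of the 1..5 ratings, rescaled to 0..100."""
    missing = set(WEIGHTS) - set(vendor.ratings)
    if missing:
        raise ValueError(f"{vendor.name}: unrated factors {sorted(missing)}")
    total = 0.0
    for factor, weight in WEIGHTS.items():
        rating = vendor.ratings[factor]
        if not 1 <= rating <= 5:
            raise ValueError(f"{vendor.name}: {factor} rating {rating} outside 1..5")
        total += weight * rating
    return round(total / sum(WEIGHTS.values()) * 20, 1)


def tier_for(vendor: Vendor) -> int:
    """Tier 1 = most scrutiny. Floor rules override the score-derived tier."""
    score = weighted_score(vendor)
    tier = 1 if score >= TIER_1_MIN else 2 if score >= TIER_2_MIN else 3
    if vendor.network_access and vendor.handles_sensitive_data:
        tier = 1                 # both: always tier 1
    elif vendor.network_access or vendor.handles_sensitive_data:
        tier = min(tier, 2)      # either: never below tier 2
    return tier


def prioritize(vendors):
    """(name, score, tier) for every vendor, highest risk first."""
    rows = [(v.name, weighted_score(v), tier_for(v)) for v in vendors]
    return sorted(rows, key=lambda r: (r[2], -r[1]))


def initial_scope(vendors, capacity):
    """Names of the vendors to assess first, given how many the team can handle."""
    return [name for name, _, _ in prioritize(vendors)[:capacity]]


# Constructed inventory for the example; ratings are illustrative only.
INVENTORY = [
    Vendor("Offshore assembly contractor",
           {"financial_stability": 2, "control_environment": 4, "technology_environment": 2,
            "information_access": 2, "supply_chain_criticality": 5, "regional_risk": 5,
            "operational_characteristics": 4, "regulatory_interaction": 4}),
    Vendor("HVAC services contractor",
           {"financial_stability": 2, "control_environment": 2, "technology_environment": 2,
            "information_access": 3, "supply_chain_criticality": 1, "regional_risk": 1,
            "operational_characteristics": 2, "regulatory_interaction": 1},
           network_access=True),
    Vendor("Payment processor",
           {"financial_stability": 1, "control_environment": 2, "technology_environment": 2,
            "information_access": 5, "supply_chain_criticality": 4, "regional_risk": 1,
            "operational_characteristics": 2, "regulatory_interaction": 5},
           network_access=True, handles_sensitive_data=True),
    Vendor("Office supplies reseller", {factor: 1 for factor in WEIGHTS}),
]

if __name__ == "__main__":
    for name, score, tier in prioritize(INVENTORY):
        print(f"tier {tier}  {score:5.1f}  {name}")
    print("first batch:", initial_scope(INVENTORY, 2))
```

The point of the override rules shows in the output: the HVAC contractor scores lowest of the three real services (36.4) yet lands in tier 2 because of its network access, while the payment processor is tier 1 on access alone. Where ratings are missing, the script raises rather than silently scoring the vendor low, which matches the article's advice to build data capture over time instead of pretending the profile is complete.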
Do you have any other recommendations?
Third-party risk management requires communication and collaboration across the organization — business units, senior management, operations and administration. It cannot be a siloed responsibility of a compliance group. Organizations that spend time to identify, understand, manage and navigate risk benefit from insights into risk influences that are strategic to business success.
Insights Accounting is brought to you by Weaver