In the ordinary course of business, companies develop and manage hundreds of third-party relationships to carry out its operations. These organizations maintain a web of suppliers, distributors, sales personnel, and service providers. While this is what ultimately drives the “value chain” the company has worked so hard to develop, it also opens doors for potential risks through the behaviors of the third-party providers. PricewaterhouseCoopers’ Audit Committee Excellence Series (ACES) authored “Oversight of third-party risks” in order to provide insight and perspectives about what audit committees can do to protect and create value for their organizations.
Understanding Third-Party Risks
Almost every company interacts with a third-party on a daily basis, whether it is a business partner, service provider, or contractor. If the party has access to a company’s intellectual property or network, provides services, or is a participant in the value chain in anyway, a risk is imposed that needs to be recognized and managed in some way.
The increased integration of companies and their suppliers causes customers to often perceive all contributors to a value chain as a single entity. In the event of a malfunction, defect, or a security breach, customers may not distinguish between the value chain providers and those who were actually at fault. This increased integration can unknowingly bring the possibility of increased reputational damage and increased liability.
Perhaps more importantly, a company can also suffer from regulatory and compliance risks in dealings with third-party providers. Laws related to labor, health and safety and the environment provide the areas of most concern. In fact, in 2012 every bribery case brought forth to the Department of Justice involved a third party. In assessing specific cases, regulators will look to a company’s actual knowledge or willful blindness to the situation. If the company keeps itself intentionally oblivious, regulators will still hold the company liable for not developing the necessary internal controls to monitor its relationships with third parties.
Suppliers, distributors, and vendors may conduct their own operations in various countries where the laws, customs, and business ethics may vary. This creates what are called second-tier third parties; essentially, even the third parties have third parties who can pose a risk to the company. Generally, a company’s current internal control process is not equipped to take on the risks associated. It is up to the company’s audit committee and management to develop the appropriate awareness and responses to prevent a crippling event from taking place.
Assessing Third-Party Risks
Often, audit committees are placed in charge of risk oversight because of its involvement with financial reporting compliance and the related internal control structures. The audit committee oversees internal audit, which is the ideal place to address oversight of third party risks and develop the appropriate responses. Luckily for the audit committee, the controls to manage third parties are generally ubiquitous, regardless of whether the third-party is a supplier, a service provider or a distributor. A comprehensive control system can be developed to cover all of the significant third-party relationships.
As the audit committee attempts to oversee these risks, it is important to make the general counsel’s presence known. These relationships are all governed by the contracts which bind the parties and set forth the obligations, rights and duties of those involved. Thus, in an effort to dissect and understand the risks, it would be ideal to involve the general legal counsel as an integral part of the process.
However, before a company can begin to manage their risks, it is important to keep an inventory of all the third party relationships. Once this inventory is made, the risks can be prioritized, assigned a risk rating based on importance, and mapped to the management responsible for overseeing the risk. Developing a tool to understand the types of third-party risks will help narrow down where the focus needs to be placed. Essentially, the risks related to the third-party should be embedded in the company’s overall risk management program.
Identifying Procedures to Address Third-Party Risks
There are a variety of procedures that the audit committee can perform in order to manage third-party risks and increase oversight. The risks can be separated into procedures prior to the contract being signed, and the procedures following the contract being signed.
- Perform due diligence on the third-parties capabilities and reputation. Conduct research to understand more about with whom the company interacts and how the company is perceived. The level of research should correspond to the perceived level of risk created for the company.
- Identify distinct and appropriate reporting lines from a risk oversight standpoint. Understanding who owns each risk category will allow the company to ensure that appropriate resources, authority and access to the audit committee has been provided.
- Ensure contract terms allow for the right to terminate for certain violations. The contract should outline the appropriate instances in which cancelling the contract is necessary. For example, if any instances of labor or human rights violations occur, the parties should reserve the right to dissolve the contract.
- Make employee hotlines available to key third parties. Allowing third parties to provide insight about cultural weakness will allow the company to proactively manage a risk or identify a need for a compliance audit or site visit.
- Audit and monitor high-risk parties. High-risk can be in terms of dollar value of the relationship or the nature of the company’s access to intellectual property. Ensure high-risk areas are continually monitored to ensure risks are kept up to date.
- Obtain representations of compliance. This information can be obtained from a recent compliance audit or the internal audit function of the third-party. A warranty from the third party can be obtained to ensure that no violations or corruption of intellectual property has occurred.
- Assert the right to audit with a documented process. If the contractual agreement asserts for the right to audit a third party, it should be taken advantage of in order to should the third party how important compliance with the contract terms are.
- Develop monitoring metrics and reporting standards. Meaningful metrics should be gathered and reported back to the company on a continual, and timely basis.
While these procedures can be very helpful for new or upcoming relationships, companies with long-term relationships with suppliers, vendors and distributors find it difficult to challenge existing contracts and terms in order to meet the current expectations. However, going forward, it would be best to implement a program that address both new and existing relationships on a threats or safeguards perspective. The procedures, as previously indicated, should be tailored to the risk assumed by engaging with the third party.
As technology improves, so does the risk of inappropriate access to sensitive information available online. Thus, now more than ever, it is necessary to keep a continual eye for potential risks. Companies should establish, monitor, and revise their assessments of a third party as often as possible in order to ensure the risks are effectively mitigated or managed. Analyzing third-party risk is an ongoing process and should be integrated with an enterprise risk management perspective.