Successfully Managing Third Party Risks

14 November 2018 - 12:00 am UTC

Successfully Managing Third Party Risks

By Sarah R. Foley, Compliance Specialist, Orrick, Herrington & Sutcliffe LLP (Former Sr. Manager, Global Ethics & Compliance, The Hershey Company)

A company’s operational landscape is ripe with potential threats all of which may have significant operational interruptions and ones that can often be mitigated with robust controls. Undertaking a proactive approach to the management of and establishing strong relationships with your business partners helps avoid commercial and reputational risks. Further, extending compliance expectations to third parties and a robust third party management approach addresses both U.S. and international regulators’ expectations with respect to how a company identifies, addresses, manages and remediates potential concerns as it relates to the activities performed by entities on behalf of your company.

Regulators enhance their expectations on third party management.

Companies rely heavily on third parties to conduct business, and regulators’ evaluation of the way in which organizations manage their business partners has become all the more focused on the ability to effectively address risks. Therefore, it is important for companies to not only know who is conducting business on behalf of your organization, but also how they are conducting business. The U.S. Department of Justice (DOJ) established meaningful guidelines for establishing and maintaining an effective compliance program, which—in part—includes managing third party risks. This guidance focuses on undertaking a risk-based approach that addresses “red flags” affecting your company’s operating model through the design of strong procedures for engaging, screening and monitoring third parties that help ensure the activities are actually performed and compensated in line with the services engaged.

Similarly, U.K. regulators also articulated expectations for third party risk management and, like U.S. regulators, hold a company accountable for parties or “associated persons” acting on its behalf. In particular, the U.K. Bribery Act, 2010 (UKBA) and U.K. Modern Slavery Act (UKMSA) specifically address potential concerns brought upon a company by its business partners. The UKBA and UKMSA also establish expectations related to third party due diligence for a company to strive to ensure an understanding of the types of partners acting on its behalf. This includes evaluating the type of services provided by the business partner and legal requirements for the jurisdiction within which services are provided, as well as the organizational structure of the business partner itself and background of its principals.

Although both U.S. and U.K. regulators recommend procedures to assist a company in identifying possible challenges with third parties, merely identifying but not addressing risks is insufficient. Companies also must take appropriate actions to mitigate risk to their operations that were identified through due diligence.

A Roadmap to Successfully Managing Third Parties

Understanding regulatory expectations is half the battle. It is equally important for organizations to appreciate compliance risks specific to their industry and operations and implement mitigation efforts that address these risks. Some general principles to consider include:

Perform a risk assessment. Undergoing a risk assessment helps your company identify the legal, financial, operational and reputational impacts affecting the company’s operations. It also is a vehicle to help allocate resources to mitigate these risks. When undertaking a risk assessment, focus the scope of that work on identifying and managing existing or potential risks of legal or policy (e.g., code of conduct) non-compliance because often these can lead to penalties that affect an organization’s ability to successfully operate.
Identify your dependencies. Identifying the third parties your organization relies upon coupled with the insights gained from a risk assessment will help establish a due diligence model that prioritizes a review of partners that are the most strategic to the company and could cause the most significant legal and regulatory exposure.
Evaluate third parties’ performance. Understanding services provided by third parties also helps identify areas where your company is potentially at risk. Utilizing compliance questionnaires gathers information that focuses on key aspects of the third party engagement. Additionally, capturing this information assists in implementing a governance structure for day-to-day management of the third party, as well as identify and respond to gaps in the engagement model.
Educate both internal and external stakeholders. Discussing compliance expectations with both employees and business partners is critical to striving to ensure missteps are avoided. Frequent training is a vehicle that helps deliver these expectations and establishes clear ownership of risks and drives transparency. Leveraging outputs from a compliance risk assessment and the evaluation of third parties allows employees to better understand existing and emerging risks and helps prioritize remediation activities. Likewise, including compliance language and audit rights in agreements with third parties formalizes the importance of adhering to applicable legal regulations and internal compliance policies and processes.
Monitoring and auditing third parties helps companies stay ahead of risks. Establishing a sustainable approach to monitoring third parties positions companies to proactively address concerns that could arise. Design an approach that provides real-time information to your organization and captures publicly available information (e.g., adverse and social media, litigation, interactions with government entities). Equally imperative is the ability to audit third parties, which is a critical tool to operationalize compliance programs and capture metrics to help measure behavior occurring on behalf of your company.

Risks are unpredictable. Be proactive when identifying and addressing third party risks.

With an evolving regulatory landscape, reinforcing compliance expectations is important to identifying and remediating potential legal and regulatory risks to your company. Proactively understand how the impact of compliance failures created by third parties could cause significant brand and commercial risk to your organization, and identify resources that could help respond to this risk. This includes looking at your organization’s compliance program framework, making sure compliance activities and processes are not siloed, and the appropriate level of resources are provided to deliver success when addressing regulatory requirements and expectations. A company should undertake compliance efforts that allow it to be able to demonstrate that adequate procedures are in place that addresses specific risks to your organization should its compliance program ever come into question or be challenged. Establishing and maintaining an effective global compliance program will become a commercial differentiator that protects the organization and drives strategic and commercial success for its consumers.

Sarah Foley is a Compliance Specialist with Orrick, Herrington & Sutcliffe LLP. She is an experienced compliance professional with a history of success developing, implementing, leading and setting the strategic direction for global ethics and anti-corruption compliance programs for multinational corporations. Sarah is highly skilled in global investigations, fraud, anti-corruption, and economic sanctions matters. She has significant experience conducting global compliance trainings, investigations and risk assessments. Prior to joining Orrick, Sarah was most recently the Sr. Manager, Global Ethics & Compliance for The Hershey Company, where she was responsible for setting strategy for, overseeing and implementing the company’s global ethics and anti-corruption compliance program. Before Hershey, she worked for Weatherford, a provider of oilfield services and products, and was responsible for managing, developing and implementing its global ethics and compliance program and performing global anti-corruption risk assessments.

Cookie	Duration	Description
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
crumb	session	Squarespace sets this cookie to prevent cross-site request forgery (CSRF).
has_js	session	This cookie is set by Drupal Core, to indicate whether the user's browser has enabled JavaScript.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
player	1 year	Vimeo uses this cookie to save the user's preferences when playing embedded videos from Vimeo.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_5N0BNQWREV	2 years	This cookie is installed by Google Analytics.
_gat_UA-138412639-6	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
undefined	never	Wistia sets this cookie to collect data on visitor interaction with the website's video-content, to make the website's video-content more relevant for the visitor.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
country	1 month	No description available.
loglevel	never	No description available.
test	never	No description available.

Products & Services

News & Press Releases

Knowledge Base

About Acuris Risk Intelligence

Successfully Managing Third Party Risks

Successfully Managing Third Party Risks