Extended enterprise risk, or third-party risk, is a significant concern at most large organizations. One compliance executive recently said that according to his organization’s regular internal surveys, third parties pose at least double the risk of any other category they measure. Yet this is a kind of risk over which organizations tend to have less control. What practices can help manage it?
That conversation was part of the recent Cross-Industry Compliance Leadership Summit that Deloitte hosted at Deloitte University. At the event, which gathered risk and compliance leaders from industries like health care, entertainment, financial services, consumer products, and retail, I moderated a discussion about the challenge of managing third-party risk. Because companies in different industries use and relate to vendors in different ways, there were a variety of stories. But a few common leading practices stood out.
Starting at the top is only the start. There isn’t any business initiative that doesn’t benefit from C-suite buy-in, but when it comes to third-party risk, the people lower on the org chart are usually the ones in direct contact with the third parties in question. They are the first ones who will detect a problem, and they’re the first who will have a chance to do something about it.
“We want business units to own this risk,” one executive said. But that imperative can sometimes conflict with the drive to make or save money. So creating an atmosphere in which mid-level decision-makers make the right decisions on their own is a matter of culture, not just rules. “We ding people for doing things wrong, but we reward the right behavior,” another participant said. “Their ability to make that decision is a measure of courage.”
Not all third parties are equal. And neither is all third-party risk. Depending on the sector, a company might have hundreds or thousands of vendors and other contracted relationships. “Trying to manage even a majority of them to the highest level would be impossible,” one executive said.
One possible solution? Categorize third parties by the amount of risk their relationships present, and treat each category accordingly. One of our Summit attendees said their organization treats its highest-tier vendors like employees: they must go through compliance training and adhere to a code of conduct. With the lowest tier, the organization relies on the force of vendor agreements.
That tiered approach doesn’t mean internal managers can loosen the reins at the bottom end, though. “We have hundreds of sites, and any one of them can write a purchase order,” an executive said. “A location might think hiring a landscaping service isn’t a big deal, until you find out who owns the landscaping company.”
There is no substitute for a hands-on approach. From informal purchase orders to complex partnership agreements, third-party risk management often starts on paper. But it can fail on paper as well. As one of our participants noted, “People will sign anything, especially if there’s a check on the other end. Putting your eyes on a vendor’s operation is a sure test of the risk measures everyone has agreed upon.”
Sometimes, getting those eyes on the target poses a significant cost. But consider the cost of letting a problem remain undetected on the other side of the world. One executive at the summit said a site visit once revealed that a vendor didn’t have the on-site engineers it claimed to have. Another wanted to visit India to check the working conditions at a factory, only to receive push-back about the cost of the trip. “What’s your backup plan?” they asked.
Over the course of our exchange, I appreciated hearing our clients’ real-world approaches to mitigating extended enterprise risk. My hope is that our summit participants enjoyed the chance to learn from each other. As globalization puts us into business relationships with more third parties farther and farther away, the art of managing the associated risk will only become more important. “Third-party risk can’t be an add-on,” one leader concluded. “It has to be a deliberate and intentional part of your compliance program.”