Third-Party Risks in Decentralized Organizations

Not long ago I came across a study of third-party risk management that Deloitte published earlier this summer. I wish I had found it sooner, because it’s crammed with useful insights. So let’s get into it.

The report’s big reveal is right in its title, Third-Party Governance & Risk Management: Addressing Challenges of Decentralization. Deloitte surveyed 170 senior executives at large businesses worldwide, and 75.5 percent of them said their companies are moving more toward a decentralized structure. That’s not surprising; pop business psychology these days is larded with talk about empowering employees, and ultra-low interest rates make growth by acquisition an easy strategy to try.

Let’s dissect the implications for third-party risks and how companies can manage them on a practical basis.

The idea of decentralization—of assigning P&L responsibility and decision-making power to local business executives—has its merits. Large corporations can act with more agility, and local units contracting with other local third-parties can (theoretically) get business done at lower cost. Plus if you are a highly acquisitive organization with business units all over the place, they can keep rolling along while you in central command integrate all those operations at more deliberate pace.

That all sounds great, but the truth for compliance officers is this: decentralization challenges the notion of a strong corporate culture and governance. One corporate culture and one system of governance imply that decision-making happens in a uniform way. When you delegate more autonomy to local operations, by definition you’re increasing the likelihood that decisions will be made in multiple ways.

That’s why we obsess over policy management, training, and monitoring; they are the tools compliance officers use to instill a uniform method of making decisions across multiple business units. Otherwise local business units will make decisions that bring them the most growth with the least amount of “getting fired risk.” That’s what happens when you decentralize operations and assign P&L responsibility to executives hither and yon.

Back to the Deloitte report and third-party risks specifically. The report wisely notes that the nature of third-party risks to the enterprise has changed. Where the company previously worried more about operational risks, now your company also faces regulatory and compliance risks, as well as reputational risks. At an enterprise-wide level, the chief compliance officer (and your fellow C-level executives there in headquarters) needs to assemble all those risks into one picture of “third-party risk” as a single thing.

The problem is that while compliance officers might assemble the picture of third-party risk, they should not own third-party risk. As we all like to say when talking about best practices in compliance, “the business should own the risk.” But in a decentralized organization, exactly who is that person? How do you create accountability for third-party risk at the group level?

After all, in a decentralized organization, local executives will naturally worry more about operational risks posed by third parties (or anyone else, really) rather than regulatory or reputational risks. Operational risks cause headaches for the local executive. Regulatory and reputational risks cause headaches for you in central command. That’s the way life works.

This is usually where people start talking about the need to embed compliance, including third-party risks, right into the business processes at those local business units. OK, but we’re still back to the same question—how, exactly?

You can implement something closer to a shared-services model, where local business units lean on a centralized procurement function that can pay better attention to ethical sourcing and other third party risks. But the centralized, shared services model gets away from the local control and agility we allegedly love so much. Plus you need better, more consistent procedures to implement that closer oversight, including more consistent data analytics. Imposing that on a global scale is possible, but no easy feat.

You can also try a more humanized route, winning over those local business executives to the cause of greater compliance and third-party risk management. That’s a good idea, but we have a long way to go: in Deloitte’s 2015 Compliance Trends Report, 44 percent of respondents did not have CCOs in local units. Of the 43 percent who did, half reported to the enterprise CCO and 40 percent to local leaders. Meanwhile, 45 percent also said compliance was not an element considered in senior managers’ compensation reviews; only 40 percent said it was.

So if the idea is to incentivize local business executives to care more about regulatory and reputational risks of third parties, as well as operational risks—well, I’m not sure who is actually doing that at lots of these global enterprises, when they have no local compliance officer to assist and managers’ compensation schemes don’t address the issue. (If your company is succeeding at this, let me know. I’d love to hear how and get your story out there.)

One last, sometimes overlooked element to all this. If a global enterprise wants its local executives to support its vision of a strong culture (rather than bog down operations with highly centralized oversight), then you’re tying the organization’s fate to those people in a deep way. You are putting forces in motion that could result in a smart, weak general followed by many smart, strong lieutenants.

Can that strategy work? Yes, if your senior leaders truly do have a great vision and a great culture that cares about all these empowered employees. Just remember what you’re getting into, because plenty of senior leaders are a flop at that task.