Navex Global released its newest survey of third-party risk management on Thursday, a report full of statistics that’s well worth reading if you’re a compliance officer trying to benchmark your own program against what other companies do.
More than anything else, the numbers in the report tell me that companies’ approach to third-party risk is maturing. Perhaps those efforts aren’t perfect, and many compliance officers might feel that they are far from mastering the problem—but the statistics are moving in the right direction. Compliance programs are focused on the right problems, and they are taking steps that make sense.
- Cybersecurity is the top third-party risk for compliance officers this year, up from third place in 2016. That isn’t because cybersecurity is suddenly much worse this year. News flash: it’s been a huge risk for years. But now, at long last, companies are confronting the true level of that risk among their third parties. They get it.
- The percentage of companies that screen all third parties prior to engagement increased from 45 percent last year to 47 percent this year; the percentage that continuously monitor all third parties also rose, from 22 to 28 percent. Is that overkill, you ask? I don’t take it that way. These days, even small third parties can pose great risks. I take these numbers as signs that due diligence programs are getting better at reviewing and monitoring all of a company’s third parties, not just the largest or most obvious ones.
- Last year, 25 percent of respondents said they believed none of their third parties posed high risk to their organizations; this year, that figure fell to 3 percent. Again, that tells me companies are confronting the gravity of the challenge. They are admitting that, yes, third-party risk is probably worse than they previously believed.
- And most striking: most companies are investing in third-party risk programs without any specific regulatory trouble driving them. Sixty-eight percent of companies in the Navex survey said they had no legal or regulatory trouble in the prior three years. That is, most companies are engaging in third-party risk management as preventive medicine. That’s what third-party risk programs are supposed to be.
The report also explores the various maturity levels of companies, and how large companies approach third-party risk compared to smaller ones. It is interesting to see that once companies cross the threshold of more than 100 third parties, management challenges suddenly get much more difficult. Also, the more an organization depends on third parties for revenue, the more it worries about finding reliable information on those third parties.
The Other Third-Party Risk Shoe
One statistic I didn’t like: that a majority of companies still assign responsibility for third-party risk to the legal department (58 percent) or the ethics & compliance department (51 percent). Respondents were allowed to select more than one answer to this question.
Other functions with responsibility for third-party risk included audit (31 percent), operations (18 percent), or IT (16 percent). The always popular “other” scored 5 percent.
Those are largely Second Line of Defense functions (internal audit is usually counted as the Third Line); none of them is the First Line, the business unit itself. So if we all embrace the idea that “the business unit owns the risk!”—well, that’s not what these numbers suggest. These numbers suggest that compliance and legal still own the risk.
We could dismiss my concerns as quirks of the survey: maybe “who owns the risk” and “who is responsible” are subjective questions open to interpretation. Except that the compliance community saw this same phenomenon last year, in PwC’s 2016 State of Compliance Report. In that survey, PwC identified 17 compliance risks and asked respondents who “owned” them. Of the 17, compliance or legal departments owned 11.
The PwC report didn’t name third-party risk specifically, instead focusing on the various risks (anti-bribery, data security, ethical sourcing) third parties can bring. Still, we have two different surveys, from two different groups, raising a similar question. Which makes it harder to dismiss.
Perhaps we could say that third-party risk is at an inflection point. Maybe companies now are starting to understand all those disparate risks identified in the PwC survey as different symptoms of the same underlying problem—and maybe governing that problem should be something that resides within the Second Line of Defense.
If the ethics & compliance function is supposed to counsel business units as they grapple with governing their risks, then that idea fits. Compliance comes up with the practices for evaluating third parties, and the definitions for high, medium, and low risk; and the business units apply those definitions, using whatever tools, procedures, and systems the compliance department establishes.
It’s a good theory. Let’s hope it sticks. At the least, no matter who oversees third-party risk at your organization, for whatever reason, we seem to be getting better at it.
(Disclosure: Navex pays me to write posts on its Ethics & Compliance Matters blog. The company did not pay me to write this one.)