Update on Third-Party Risk Programs
Navex Global gave a sneak peek this week of its latest report on third-party risk. The headline: too many compliance departments still rely on paper-based systems to track third parties, and therefore too many probably underestimate the risks their third parties truly pose.
The 2018 Navex Global Third-Party Risk Management Benchmark Report, which surveyed 1,200 executives from various industries, found that the largest group of respondents (35 percent) still use paper-based or stitched-together software programs to manage their third-party risks. That’s not good.
“Every paper system has gaps,” Michael Volkov, CEO of the Volkov Law Group, said during a webinar on Tuesday discussing the survey results. “There are third parties who have fallen through the cracks. You may be only aware of 90 percent of your third parties in a paper program. I was shocked to say the least that 35 percent of people are still using paper.”
Volkov stressed the wisdom of automation software for third-party due diligence. Not only does such technology identify high-risk third parties that need more onboarding attention and monitoring; it can also identify a slew of third parties you don’t need to worry that much about.
“Once you start down that road, it liberates you because you know for a fact that you’re focusing first on your high-risk third parties, you’re addressing that risk with more resources, and you’re making an efficient use of whatever resources you have,” Volkov said.
We pause here for two disclosures. First, Navex Global sells due diligence software to the compliance market. Second, Radical Compliance editor Matt Kelly is a paid columnist for Navex on its Ethics & Compliance Matters blog. That said, the third-party benchmarking report still has valid and useful insights, regardless of Navex’s commercial interest in the subject. And Navex didn’t even know Radical Compliance would be writing this post, much less pay us to write it.
More Third-Party Findings
Thirty-seven percent of respondents said they use a risk-based approach to due diligence, as just about every best practice in the universe recommends. Another 27 percent, however, said they use the same approach for all third parties, regardless of risk. (See Figure 1, right.)
“That by definition is not an effective strategy,” Volkov said of the 27 percent. “It doesn’t meet legal requirements. It doesn’t meet best practice requirements, and it’s not a way to manage your reputation and your culture because it just doesn’t make sense.”
A large number of survey respondents also pegged their portion of high-risk third parties on the low side: 55 percent of respondents said their high-risk parties were less than 10 percent of total third parties. Volkov didn’t quite buy that; in his experience, he said, the actual portion of high-risk third parties is closer to 20 or 30 percent of the total.
Volkov also stressed that third-party risk not only means the risk of a regulatory enforcement action, such as an FCPA sanction for bribes some overseas intermediary paid on your company’s behalf. The realm of risk is much larger.
“What I’m talking about is just a third party that goes south on us and we’ve got to clean up a mess or deal with terminations, deal with contractual disputes, [or] deal with reputational interests,” Volkov said.
To that point, respondents in manufacturing, transportation, and healthcare said their companies have suffered actual damage from third parties from 7 to 13 percent of the time. Well, if CCOs estimate that 10 percent of their third parties are high-risk, that would mean just about every high-risk third party they have has already failed.
Stephen Gooding, Navex’s director of its Risk Rate product, said it’s much more likely compliance officers are underestimating the number of high-risk third parties they have.
Moving in a Better Direction
Volkov said he sees a disconnect in the market: companies know that third parties pose a significant risk, yet they haven’t made it a priority to invest in technology that can reduce the risk.
On the other hand, 41 percent view their third-party risk programs as maturing. Volkov welcomed that statistic. (See Figure 2, below.) He said it suggests people know what the best practices for a third-party risk program are, and what to do to achieve them.
“We’re on the right track in terms of maturing,” he said, “but we’ve got to get our track a little bit more focused on the right issues and the right strategies for resolving these issues.”
When trying to convince management on the wisdom of investing in third-party risk management, Volkov said, don’t focus on avoiding enforcement actions. Instead, he advised, focus on protecting the company’s reputation and promoting a culture of integrity.
“Every CEO and top manager is going to talk about culture, and knows the value of culture,” Volkov said. “Your third parties protect your culture. To the extent you manage your third parties and reduce your risk, you’re promoting and protecting your culture.”
Volkov noted that only 8 percent of respondents said they had excellent third-party risk management programs, and another 36 percent described their programs as good. But that also means the other 56 percent described their programs as average or worse.
“It’s good to be aware of it. It’s good to be addressing it,” Volkov said. “But now the question is how are you addressing it… and what technologies are you using to leverage your resources.”
The full Navex webinar and third-party benchmarking report — which have a lot more information than we address here — should be available to the public next week. We’ll be sure to tweet that out when they do. Addicts who cannot wait can see how these numbers compare to the 2017 report, too.