Companies Struggling to Detect, Monitor Third-Party Risks
A majority of companies believe that the current economic climate is encouraging them to take risks in relation to regulations to win new business, according to a new report on third-party risk.
Although compliance regulations have become more stringent, global companies say they are conducting due diligence on just 62 percent of their suppliers, agents and partners. The survey involved more than 1,000 professionals working in compliance, procurement and legal professionals across a range of industries in nine countries. Just a mere 36 percent said they fully monitor their supply chains for “all ongoing risk.”
The fast-paced, highly competitive global business environment is putting businesses under increasing pressure “to do more with less and at greater speed,” the report said. That environment has led to more outsourcing and expansion of operations and supply chains into areas where companies often have trouble gaining full transparency. “Inevitably, this environment is putting more responsibility on third parties operating in remote markets that may have very different operating standards and understanding of risks,” the report said.
Sub-Saharan Africa took the top spot as the riskiest location to do business, according to 54 percent of respondents; however, the report said there “appears to be no safe havens,” as every region contained its share of risks by at least 49 percent of those polled.
Even as efficiency and profitability rise through third-party relationships, so does the risk exposure, driven by an increase in regulation and greater public awareness. Organizations currently lose $200 billion every year due to mismanagement of supply chain risk, the report said, and that figure is trending upward.
Globalization is driving companies into new relationships and territories, all of which raises their exposure to third-party risk. In parallel to increased globalization is the rise of regulations that govern these third-party relationships, the report said, “growing in number but also in severity and complexity.” The report found that less than half of respondents felt they had sufficient knowledge about the risks they face. “Although the percentage is worryingly low, it could also demonstrate a lack of complacency as respondents acknowledge the ever-changing landscape and need to constantly update,” the report said.
“Organizations need to factor into their due diligence processes that there might be a difference in what a third party [is] saying they are doing and what is actually happening in reality,” the report said.
The Foreign Corrupt Practices Act (FCPA) garnered the most attention for many companies, owing to the fact that all 10 of the biggest FCPA settlements revolved around the use of third parties. In the first quarter of 2016, there were eight FCPA enforcement actions that cost companies $500 million in fines, penalties and settlements, the report said. Other major regulations impacting third-party relationships include the UK’s Bribery Act and the Modern Day Slavery Act and section 1502 of the United States’ Dodd-Frank Act, “plus a host of other global regulations [that] provide a further complex regulatory landscape, with mitigating third-party relationships being a key factor,” the report said.
As impactful and important as these laws and regulations are to managing risk in third-party relationships, the report found companies still struggling to understand them in all their complexity. Despite the FCPA being the most well-known of the bunch, 14 percent of respondents said they did not use it to inform their decisions. India and China were at the forefront of using regulation to inform decisions, the report said, with 52 percent and 34 percent, respectively, saying that the FCPA informed all their decisions. Those high numbers could be a matter of regional differences. “Management culture in India and China tends [toward] conformity and being seen as doing the right thing when the reality could be quite different,” said Duncan Jepson, director and founder of Liberty Asia, who was quoted in the report.
Direct knowledge of third parties is crucial; knowing if those third parties are also outsourcing to other suppliers is just as vital, the report said. Only 61 percent of respondents said they were aware of the extent to which this was happening, and further, 62 percent of companies said they carry out due diligence only on tier 1 third-party relationships.
That lack of follow-up on third parties could simply be chalked up as “a risk worth taking,” the report said, with 63 percent of those surveyed admitting that winning new business is a priority, and “as a consequence, they might breach regulations.”
A lack of fear of enforcement may also contribute to a lack of due diligence: 56 percent of respondents agreed that “there is a perception that we’re unlikely to be prosecuted if we did breach regulations.”
A company’s attitude quickly shifts for those hit with an enforcement action: 92 percent increased the amount spent on compliance after such an action, the report said.
“This suggests it’s not that organizations are reluctant to take action on third-party risk, but that they need to understand the impact first,” the report said. “This invisible nature of much third-party risk means that unless actively sought out, companies may only see it when it’s too late.”