Today we honor one of the greatest diplomatic initiatives that occurred in my lifetime, Nixon’s trip to China; where he arrived on this date in 1972. Like most Americans I was caught completely unaware that Nixon was planning to go and create a diplomatic relationship with a country, which since 1949, had been the United States’ mortal enemy. While there are innumerable lessons to be drawn for the entire affair, the one that has resonated with me all these years is that only Nixon could go to China. Due to his hardline credentials in his prior dealings with the Chinese, when they were known in the US as Red China, Nixon had the political cache to make the political opening. While Nixon certainly had his missteps, his China opening was not one of them.
I thought about Nixon’s political acumen, at least in the arena of foreign affairs, when I read an article in this month’s issue of Compliance Week by noted GRC Pundit, Michael Rasmussen, entitled “Business Agility Across the Extended Enterprise”. In his piece, Rasmussen discusses business organization complexity and diversity and the lack of enterprise wide oversight into risk and compliance in the area of third party risk management. Rasmussen says that “The challenge is: “Can you attest that risk and compliance are managed across extended business relationships?” An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak oversight.”
He believes that these deficiencies are found because companies are focusing too much attention at the front end of business relationships and are failing to not only anticipate the issues which might later “cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship.” Rasmussen contends that there are two common mistakes made by businesses along these lines.
The first is that risk is only considered during the onboarding process. This leads to a failure to consider new and additional risks that can arise during the course of the relationship. The second revolves around analytics, as Rasmussen asserts that “Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.” I often remark that in any process, which your company might use regarding third parties, the real work begins after the contract is signed and you must manage the relationship. Rasmussen’s approach bears this out.
To overcome these deficiencies, Rasmussen lays out a five-step approach, which he articulates will bring “an integrated approach to third-party management that brings together people, process, and technology to deliver not only efficiency and effectiveness but also agility.” Trying to accomplish this through the use of spreadsheets and “document-centric” processes will overwhelm any compliance practitioner or indeed an entire organization, so automation is a key component for success.
1. Define Your Program. Rasmussen writes that the first step that the compliance professional needs to perform is to define the third party management program. Correctly noting that an individual needs to lead the third party management program, different parts of the organization work with this role. By defining your third party management program you will articulate “understanding board oversight and reporting for third party risk and compliance and a cross-functional team to ensure that the operational, reputational, and compliance risks in business relationships are appropriately addressed. This team needs to work with the relationship owners to ensure a collaborative and efficient oversight process is in place.”
2. Establish Frameworks. The third party management framework should be utilized to to manage and monitor the constantly evolving relationships, risks, and regulatory environments in any long-term or extended business relationships. Rasmussen notes that the “framework starts with developing a list of third party relationships cross-referenced to risks and regulations affecting those relationships. A framework is an organized set of controls used to measure compliance against multiple risks, regulations, standards, and best practices.”
3. Onboarding. While this is something that most companies are at least aware of, the evaluation of risk and compliance needs to be integrated with the process of procurement and the full range of third party relationships. This includes vendors, suppliers, and all other business partner relations. Rasmussen inscribes, “A business relationship is to be evaluated against defined criteria to determine if the relationship should be established or avoided. When there is a high degree of inherent risk, but the relationship still is necessary, manage the risk within tolerance level by establishing compensating controls and monitoring requirements.”
4. Ongoing Monitoring. There are certain many factors that can affect the success or failure of any given business relationship. Rasmussen lists some of these as “the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationships on an individual and aggregate level.” But with this identified wide variety of factors, comes the requisite monitoring relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.
5. Resolve Issues. Rasmussen “believes that even the most successful business relationships encounter issues. These may arise from quality, health and safety, regulatory, environmental, business continuity, economic, fraud, or legal and regulatory mishaps. The fallout from incidents is exacerbated when everyone scrambles because nobody developed defined action and resolution plans ahead of time. Management of risk across extended business relationships should account for issues and plan for containment, mitigation, and resolution.” Or as Paul McNulty might say in McNulty Maxim No. 3, “What did you do when you found out about it?”
Rasmussen concludes his article by noting, “Third-party management is enabled at an enterprise level through implementation of an integrated third-party management platform. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third-party management platform enables the organization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.” The agility that he advocates is something that I believe we saw in Nixon’s rapprochement with China. But the good news for the compliance practitioner is that unlike the maxim I discerned from Nixon’s achievement; that only Nixon could go to China, you can employ the strategy delineated by Rasmussen for a more complete review, analysis and management of your company’s third party risk.