Waking Up to Massive Third Party Risk Exposure: Critical Issues To Address

by NAVEX Global

A little over a year ago the Rana Plaza factory collapsed and 1,100 garment workers died. This human disaster, resulting from questionable construction practices and workplace safety issues, focused the eyes of the world on the working conditions of those who supply major retailers. Products manufactured for multinational brand giants such as H&M, Kmart, JC Penney and Benetton were found amongst the rubble of the building, which local officials had warned was unsafe.

Some in the media and human rights groups quickly accused these retailers (and others using third parties in developing countries) of callously exploiting poorly paid workers and ignoring their safety. In the aftermath, some companies scrambled to offer compensation and sign safety accords, but the damage was done—and the damage to these companies’ reputational currency continues to be felt.

Companies Waking Up to Massive Third Party Risk Exposure

The boards, senior management, investment analysts and others at many organizations had recognized the risk, but Rana Plaza was a wakeup call for many others who are just beginning to realize that their relationships with third parties amount to one of their greatest risks and need to be dealt with before issues arise. Companies need to do complete, appropriate third party risk assessments and make sure that they identify and manage—among others—the following critical issues:

  1. Engagement risk and due diligence;
  2. Reputational damage;
  3. Bribery and corruption; and
  4. Policy management and training.

1) Engagement Risk

“A Resource Guide to the U.S. Foreign Corrupt Practices Act”, published by the U.S. DOJ and SEC in November 2012, addresses effective corporate compliance programs. With respect to third parties, the most critical element is the existence of risk-based due diligence. The following factors are highlighted as guiding principles of third party program effectiveness:

  1. Understand the qualifications and associations of the third party;
  2. Have a business rationale for including the third party in the transaction;
  3. Ongoing monitoring of the third party; and
  4. Informing third parties of your compliance program and commitment to ethical practices.

These factors need to be addressed prior to engagement of any third party, and a system should be in place to document the selection process, due diligence and mitigation of any “red flags.” Automation and document management make this process even more seamless, defensible and cost effective.

Learn more from industry expert Michael Volkov, Owner & CEO of Volkov Law Group in our free webcast, “Practical Strategies for Implementing Effective Due Diligence Systems.”

2) Reputational Damage

Disasters such as the Rana Plaza factory collapse serve as a stark reminder that reliance on third parties exposes organizations to increased reputational vulnerability.

Reputation is continuously cited as one of a company’s most valuable and protected assets. And in times of highly publicized disasters—as was the case with Rana—it’s easy to see how dramatically reputation can be affected. The reputational risk impacts not only the factory owners but also the companies who contracted with these factories.

Our own research of ethics and compliance professionals shows that reputation has skyrocketed to the second overall driver for compliance spend; it wasn’t even on the list five years ago. Social media and the internet age have led to a dramatic increase in the ways—and speed at which—a company’s reputation can be damaged.

Customers and stakeholders alike are increasingly demanding company practices that not only comply with legal and regulatory requirements, but that also align with social and moral standards. This is a tall order for organizations that do business in multiple far-flung and vastly different jurisdictions.

[For insights on addressing your organization’s third party risk, read the NAVEX Global white paper, “A Prescriptive Guide to Third Party Risk Management.”]

3) Bribery and Corruption Risks

Companies’ use of third parties as agents, distributors or intermediaries increases the potential that third parties who have not been vetted through reasonable due diligence and mitigation of red flags could use unscrupulous means to attempt to secure favors or contracts, or to bypass local laws. This is particularly true because, by their nature, third parties are not under the complete control of the contracting company and are often engaged to serve needs in faraway locations or provide specialized services that the contracting party does not possess. Third parties with unexamined pasts and little or no oversight could use bribes to achieve these ends. When third parties use bribes, the contracting party may also have liability for the actions of these third parties.

4) Policy Management and Training

Additionally, to help reduce the risk that third parties would engage in bribery, corruption or other compliance failures, the engaging company should have a clearly stated corporate compliance policy on the use of third parties which should clearly communicate the limits of what is expected pursuant to the company policies.

The third party should demonstrate or certify that it has its own internal policy prohibiting actions that violate the law or might be perceived as using bribery or corruption to gain an unfair business advantage.

While clearly drafted policies are important, they are only the first step. Like other compliance risks, the third party risk should be supplemented with training. The training should involve the employees of the contracting company so that they understand what to look for when they are dealing with third parties. For instance, they should be trained to spot and report red flags such as excessive gifts and entertainment, or vaguely characterized payments not supported by receipts or backup.

Many third parties may not have the internal resources to provide training. An additional step many leading companies are now taking is to provide third parties access to their own training or create a third party training program which those organizations must complete prior to engagement. Any steps which are geared toward increasing awareness and reporting of unacceptable or unethical actions help reduce the risk of third party compliance failures.

The New Normal

The growing use of third parties as representatives of U.S.-based companies and to support the global supply chain is often a competitive advantage, providing access to larger product markets, inexpensive labor, raw materials and local or specialized expertise, etc. However, these benefits also bring risks that must be carefully assessed.

NAVEX Global's most recent "Third Party Risk in a Global Environment" survey found that fewer than three in 10 US companies carefully monitor their third party vendors, suppliers and agents to prevent corruption, fraud and other compliance risks.

The survey explored how and whether they have implemented policies to mitigate the risks of doing business with third parties overseas. While respondents largely acknowledged the risk, some 71 percent admitted they do not track information on some or all of their third party relationships, exposing themselves to significant ethics and compliance risks.

While it may seem an onerous task—just as implementing global compliance and ethics policies once was considered—organizations must:

  • Conduct a third party risk assessment;
  • Ensure appropriate, pre-engagement due diligence;
  • Understand the qualifications and business purpose for third parties;
  • Monitor and audit the third party relationships; and
  • Have clear, communicated third party policies and training.

This may seem like a lot of work for most companies, but the new normal does not allow for opting out of this process.

Remember: Luck is not a strategy.

