Holistic Third-Party Risk Management

Third-party relationships span a multitude of goods and services necessary for organizations to operate. Naturally, with these relationships comes a certain amount of risk, as these vendors expand the human capital footprint, technology access, environmental impact of the organization, and more. Increased public, investor, and internal attention to how organizations conduct business brings further scrutiny – not just of the primary business in question, but also of the risks posed by its third parties.

Holistic risk management looks at three main categories of risk that third parties can expose their partners to: regulatory, enterprise, and environmental, social and governance (ESG). Here we discuss trends in holistic third-party risk management and considerations that organizations should make to assess and mitigate these risks for 2022 and beyond.

Regulatory Risk Management

The exponential growth of the modern supply chain, coupled with expanding regulatory oversight, means third parties can expose an organization to numerous, far-reaching, and often severe risks. Organizations must understand the risks each third party poses to the business and have a plan in place to effectively manage and mitigate them.

Risk assessments are a fundamental part of third-party risk management programs. They serve as a guide for the initial decision of whether or not to enter into a third-party relationship and are a core element of monitoring the relationship on an ongoing basis once established.

It is a key step in an organization's efforts to comply with applicable laws, regulations, and guidelines and should be part of its overall compliance program to prevent, detect, remedy, and report misconduct.

The manner of due diligence depends on many factors, including:

  • The risk profile of the countries at issue
  • The industry
  • The extent and nature of interaction with governmental or state-owned counterparties
  • Whether the third party will retain other third-party agents or representatives in conjunction with its work for the company

Regular supply chain audits are necessary as liability can extend to unknown sourcing from prohibited parties and parties that are not in direct privity. Further, regulatory requirements frequently guide organizations on how to execute their third-party risk management program and what sorts of risks or red flags to look out for when transacting with third parties.

As a prime example, we’ve continued to see a rise in trade sanctions enforcement. Both direct and indirect transactions with sanctioned parties can trigger liability and lead to significant penalties under the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) regulations in connection with the various sanctions programs established by the U.S. government. While many sanctions violations occur because a U.S. person exports a physical item to a sanctioned party, the provision of services to a sanctioned party can also be a violation. For example, it could be a violation of U.S. sanctions for a U.S. person to provide consulting services to the government of a sanctioned country or marketing services to a private business in a sanctioned country.

Any party engaged in or contemplating international business must understand how to navigate the applicable statutes, regulations, lists, and agency directives and guidance so as to ensure compliance with its U.S. sanctions obligations. OFAC specifically maintains a variety of sanctions lists, with the most extensive and restrictive list being the list of Specially Designated Nationals and Blocked Persons (the SDN List), which lists entities and individuals with which U.S. persons are generally prohibited from conducting any business. Common prohibited activities include:

  • Importing goods from or exporting goods to a targeted nation
  • Providing a loan or other financing to an SDN, or transferring funds to an SDN
  • Facilitating any transaction by a non-U.S. person that would be prohibited if performed by the U.S. person or within the United States

In effect, this prohibition bars U.S. persons from taking any action to assist or support trading activity with a prohibited country, entity, or individual, unless specifically authorized. Furthermore, any activity that supports, authorizes, or otherwise assists in the conduct of a transaction by a non-U.S. person, where that transaction would be prohibited if conducted directly by a U.S. person, constitutes prohibited facilitation.

Prior to entering into any international business relationship, a company should conduct appropriate due diligence on the parties involved, including diligence on those parties’ ownership and control. This includes screening international business partners, including distributors, customers, agents, brokers, and other third parties against applicable U.S. prohibited parties lists. The lists that should be consulted will vary depending on the scope and type of international business that a company conducts.

Increasingly, regulators expect U.S. companies to dedicate resources to their compliance functions sufficient to perform appropriate due diligence of all third parties, including intermediaries like resellers and distributors. For example, in March OFAC announced a settlement agreement stemming from an enforcement action with UniControl, Inc (UniControl). The company shipped goods to European trading partners when UniControl knew or should have known that some of its products would ultimately be re-exported to Iran.

It is important to remember that aside from sanctions violations, an organization may be liable for a third party’s corruption, fraud, financial crimes (such as money laundering), unethical practices (including employment and human rights violations), actions causing environmental harm, and cybersecurity lapses or mishandling of sensitive data. This last item is of increasing importance, as third-party providers may access an organization’s IT systems and/or handle personal information relating to the company’s employees, contractors, customers, business partners, and other third parties. This past year, regulatory agencies have held entities responsible for the cybersecurity lapses of the third parties they do business with, and this will become increasingly important come 2022.

2022 Prediction: Third Party Risk – Regulatory Requirements

In 2022, third-party due diligence will constitute an increasingly important part of a compliance program’s duties – and its budget. Periodic supply chain audits and screening against sanctions and prohibited parties lists will become a requisite for successful third-party risk management. 

Enterprise Risk Management

Third parties play an important role in helping a company deliver on its core mission. All organizations rely on third parties for everything from raw materials to distribution, and more. Enterprise-level risks associated with suppliers, service providers, distributors, and vendors are becoming more numerous, with a rising impact on multiple areas of the company as well. Considering the intangible (and therefore uninsurable) nature of some of these risks, a company could be exposed to crippling losses.

Even if not formally written in stone, every company has a strategic plan that consists of two channels – strategic goals and objectives, covering the next 1-5 years, and the business objectives, which focus on the day-to-day running of the company. And like the strategic plan, there are risks, whether documented or not, around each individual objective.

A third party can either create additional risk to your company and its strategic plan or help reduce risk.

Third parties can create and/or help reduce risk in a variety of areas, including:

  • Operational
  • Business resilience
  • Cybersecurity
  • Environmental
  • Reputational
  • Social

If not properly monitored and managed, these risks could prevent the company from reaching its goals. Additional, more severe consequences include negative media coverage, scrutiny from regulators, steep financial losses, and, in the most extreme cases, company failure. Only 25% of Enterprise Risk Management (ERM) programs conduct proper assessments, monitoring, and management of risks from third parties.

While it is possible to outsource many processes, the risk associated with them cannot be outsourced and ultimately lies with the business.

There may be risks lurking under the surface with a particular vendor that could end up creating more problems for your company, which is why fully understanding and addressing these risks (potential to occur) and issues (occurring now) is so important.

To the average customer, mishaps caused by a third party are the problem of the organization, along with the resulting negative reputational impacts to both the organization and the third party. Third-party risks are therefore passed on to their clients and demand due diligence to identify and mitigate potential issues. Understanding risks associated with third-party vendors – and being prepared to monitor and manage them – is as important as understanding risks emanating from within your company.

All organizations should incorporate a vendor risk assessment as part of their vendor selection process. Due diligence should also include the use of established thresholds to prioritize those risks requiring greater monitoring and management.

These vendor assessments and risk thresholds will help organizations both better understand internal and external dependencies required for the third party to deliver its products and/or services, and ensure they are within an acceptable range to the company. If they are not, establish redundancies in the event the third party becomes unavailable.

2022 Prediction: Enterprise Risks and Third Parties

Third-party risks will continue to escalate in both volume and impact as companies further streamline in-house operations and focus on scalability. Growing uncertainty both within industries and in the broader economic landscape will elevate the need for a robust enterprise risk framework for both first- and third-party risks.

ESG Risk Management

Third-party risks are considered Scope 3 risks for ESG practitioners aligned to the Greenhouse Gas Protocol. The Scope 3 standard encompasses all emissions generated throughout the corporate value chain, including all aspects of the business beyond physical assets and people operations (which are defined as Scope 1 and 2 risks).

All ESG risks – including climate-related, social capital, human rights, and governance risks – apply to third parties as Scope 3 risks. From a measurement perspective, Scope 3 often represents over 80% of a company’s greenhouse gas emissions and at least twice its human capital footprint (in terms of people who represent suppliers, distributors, and customers). 

It is significantly more expensive and difficult to set and achieve ESG goals in Scope 3, because data related to a third party’s environmental and human footprint is not owned by your company, and funding projects – such as investments in renewable energy or improving wages to a living wage – are not directly affiliated with your company’s balance sheet. Setting mutual goals with your third parties based on a mutual understanding of and desire for longer-term business partnerships can help address these difficulties.

All companies should consider climate-related risks and opportunities when assessing third-party risks. These risks may represent potential supply chain instability if suppliers are located in areas that face increasingly extreme weather events, significant sea level rises, or droughts as a result of climate change. It’s important to understand upstream and downstream commitments and timelines. Where they don’t exist or need to be expedited, companies should work with their third parties to jointly address these risks, or consider doing business elsewhere.

Companies should also assess the human rights and modern slavery risk mitigation efforts of their tier 1 suppliers, as well as those of their contractors and sub-contractors. This is to ensure all employment is being managed legally and a fair and living wage is being paid under acceptable (and ideally better than “acceptable”) working conditions.

From an ESG perspective, it is important to also include social capital when considering human capital. Social capital risks include the impact of third parties on their communities, and how your business with them affects that impact. There may be opportunities to partner with third parties to improve local infrastructure, assist in providing better education and childcare to the community, and mitigate environmental effects. All of these endeavors help secure the supply chain beyond basic compliance and improve communities for future generations.

Governance risks are also relevant to third parties. Explore procurement policies to encourage supplier diversity, codes of conduct to mutually align on ESG and general ethics and compliance goals, and data acquisition through surveys or other tools. The latter is especially useful in helping organizations understand a third party’s greenhouse gas emissions, compliance with modern slavery acts requirements, and its overall alignment to your ESG goals.

The recent COP26 summit made it clear countries and corporations around the world are not moving fast enough to mitigate unavoidable climate disaster. Some (but not all) companies are acting on the basis of the Business Roundtable’s conviction to do business not only for shareholder value, but more importantly for stakeholder interest. However, the current pace of change is too slow to avoid climate disaster as calculated by the scientists behind the UN’s Special Report on Climate Change and Health.

In the next 2 years, businesses will have unprecedented supply chain interruptions in areas where they have not confronted third-party climate risk. Businesses that have addressed this will likely pull ahead in terms of revenue due to predictable operations and limited interruption.

2022 Prediction: ESG Third Party Risk

Leading companies in each sector that have already begun addressing Scope 3 emissions through their ESG function will be joined by mid-size companies that have achieved many of their own Scope 1 and 2 ESG targets. We will also see businesses more responsibly partnering with third parties to develop new and alternative financing vehicles or otherwise invest in the infrastructure of third parties. Such investments will include (but are not limited to) physical assets such as PPE and human capital in the form of increased safety, higher wages, greater education, and health benefits in order to produce more business continuity in their total value chain.
