DEFINITIVE GUIDE TO THIRD-PARTY RISK MANAGEMENT


DEFINITIVE GUIDE SERIES
How to successfully mitigate your organization’s third-party risk

OVERVIEW

The Definitive Guide to Third-Party Risk Management is a comprehensive resource full of insight, advice and examples to help organizations recognize and address their third-party risk.

A strong third-party risk management program will help your organization make smart choices when it comes to engaging with business partners. It will also protect your organization from the risks that third parties can present.

This guide is divided into three main sections: PLAN, IMPLEMENT and MEASURE. In these sections you’ll find the information and tools you need to develop a risk-based strategy, define third-party risk and a standard due diligence process, implement continuous monitoring of third parties and identify areas in which you need to improve your program’s effectiveness.

CONTENTS

INTRODUCTION
PLAN
IMPLEMENT
MEASURE
CONCLUSION
ADDITIONAL RESOURCES
ABOUT NAVEX GLOBAL’S THIRD-PARTY RISK MANAGEMENT SOLUTIONS

INTRODUCTION

Why Is Third-Party Risk Management Important?

These are turbulent times for today’s organizations, particularly when it comes to managing third-party risk. How does your organization screen and monitor third parties? If you don’t have a robust program in place, you could be putting your organization at significant risk.

There are many important reasons why your organization should pay attention to third-party risk now.

»» Growing Reliance on Third Parties
The number of vendors, suppliers and other agents with which organizations engage is growing dramatically—along with the risks they represent. According to a NAVEX Global Benchmark Report, 30 percent of organizations expect an increase in third-party engagements in 2017.1 More and more organizations use third parties for critical operations. Outsourcing to third parties, however, poses regulatory and reputational risk—and managing this should be a top priority for leadership.

»» Increased Globalization
As markets expand and organizations seek to compete, increasing globalization is inevitable. For many organizations, competing in new markets means working closely with third parties. Yet, according to the Organisation for Economic Co-operation and Development’s Foreign Bribery Report, intermediaries pose the single greatest bribery risk for companies; the report concludes that 75 percent of foreign bribery schemes are executed through an agent or other third party.2

»» Increased Enforcement
In the past few years, the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have made Foreign Corrupt Practices Act (FCPA) enforcement a top priority. To back it up, they have requested additional staff. In 2016 alone the SEC requested 93 additional staff members for investigation, litigation and intelligence gathering. And as reported in the NAVEX Global 2016 Third Party Risk Management Benchmark Report, respondents saw a 50 percent increase in legal or regulatory actions in the past three years.1

Who Are Third Parties?
Consultants: Auditors, lobbyists, management consultants
Contractors: Temporary employees, subcontractors
Agents: International intermediaries, domestic agencies, local advertisers and marketers, resellers and sales representatives
Vendors: Data vendors, maintenance, on-demand service providers, offshore service providers
Suppliers: Branded, white-branded or third-party branded material suppliers and manufacturers, as well as those suppliers’ suppliers
Distributors: Dealers and resellers, foreign distribution firms and their local resellers
Joint ventures: Partnerships, international joint ventures (factories, manufacturers, dealers), franchisees

The Risks Are Real

As we see in the news too often, lapses in leadership around managing third parties have damaged organizations by exposing them to massive fines and penalties. According to the 2016 Benchmark Report, one-third of respondent organizations have faced legal or regulatory issues that involved third parties, with 50 percent of these involving average costs per incident of 10,000 or more.1

Even if the financial penalty can be managed, the reputational impact can have far-reaching consequences for many years.

Regulatory agencies view third parties as a direct extension of your organization. You are expected to safeguard against risks facing your entire organization—including the increasingly complex network of your third parties.

“Over 70 percent of FCPA investigations involve the actions of third parties.”
Karen Brockmeyer, Chief of the SEC’s FCPA Unit

Third-party risk management is a top concern of compliance leaders, but many organizations are still coming to terms with how best to manage their third parties to limit risk and develop programs based on organizational risk assessments. The 2016 NAVEX Global benchmark report found that many organizations think they could be doing a better job of third-party risk management. Only 58 percent reported that they do a good job of complying with laws and regulations, and less than 25 percent rate their overall program as Good.1

Organizations may be diligent with their ethics and compliance programs, but for many the risk their third parties represent is a Wild West over which they feel they have little control.

What Is Third-Party Risk Management & Third-Party Due Diligence?

Third-party risk management is the process of assessing and controlling reputational, financial and legal risks to your organization posed by parties outside your organization.

Third-party due diligence is the investigative process by which a third party is reviewed to determine any potential concerns involving legal, financial or reputational risks. Due diligence is a disciplined activity that includes reviewing, monitoring and managing communication over the entire vendor engagement life cycle.

Benefits of a Strong Third-Party Risk Management Program

Managing third-party risk can make a big difference in how well your organization can identify, manage and limit the liability a third party can represent. Your third party’s risk is your risk. You should have confidence that your program is minimizing that risk for you and your organization.

1. NAVEX Global (2016). 2016 Ethics & Compliance Third Party Risk Management Benchmark Report.
2. Organisation for Economic Co-operation and Development (2014). OECD Foreign Bribery Report: An Analysis of the Crime of Bribery of Foreign Public Officials.

NAVEX Global: The Ethics and Compliance Experts

Having a strong third-party risk management program—including continuous screening, monitoring and risk mitigation of third-party relationships across the enterprise—can help your organization in multiple ways.

»» Avoid Fines, Regulatory Enforcement Action & Legal Costs
A strong third-party risk management program helps your organization avoid legal action and fines. But it may also reduce penalties and mitigate regulatory action. Notably, in 2016 the SEC declined to pursue charges against Harris Corporation for FCPA violations related to the actions of a subsidiary because of its strong compliance and FCPA due diligence program. This result demonstrates that the U.S. government may temper regulatory action against organizations that can show that they invest in and take self-directed action to aggressively limit their FCPA and third-party risks.

»» Promote Your Organization’s Culture
FCPA Guidance advises that organizations must demonstrate that they are promoting their culture of ethical and responsible behavior both internally and with their third parties. A clear pathway to accomplish this is through requiring your third parties to understand and abide by your Code of Conduct, attend your third-party ethics and compliance training, and attest to your policies through a policy management solution.

»» Produce a More Accurate Picture of Risk
A comprehensive third-party risk management program—integrated with your ethics and compliance activities across the enterprise—can provide holistic data on where the organization is most exposed to risk and where it is well-protected. This kind of insight not only is helpful in making training, policy and hiring decisions but also can point to where immediate action may be needed and resources should be allocated.

»» Promote Continuity
Disruptions in third-party relationships can be detrimental to the continuity of business practices. Third-party failures can result in legal or regulatory actions that require significant disruption and resources to resolve. In the worst cases, third-party failures can threaten the viability of the organizations with which they are engaged.

»» Protect the Organization’s Reputation
As we see in many high-profile cases, a single third-party failure can deeply affect the organization’s trust and relationship with its clients and customers. Ensure that your organization will be thriving for many years to come by ensuring that you are working with vetted third parties.

In 2016 only 22% of U.S. companies monitored all of their third-party relationships.
NAVEX Global 2016 Third Party Risk Management Benchmark Report

One Size Does Not Fit All

Many compliance program leaders worry that they don’t know where to start on a third-party compliance program. The good news is that organizations do not need legions of compliance personnel and unlimited budgets to meet the standards recently outlined in A Resource Guide to the U.S. Foreign Corrupt Practices Act (FCPA Guidance) provided by the DOJ and the SEC.

Almost every organization has some elements of an effective third-party compliance program. In the next sections, we provide recommendations and templates for identifying what you already have, determining what you need to develop to best address your gaps, and developing plans and implementing the right strategy for your organization.

“As reliance on third parties continues to grow, so does concern about the number of headline stories depicting regulatory action and reputational damage arising from third-party actions. These are driving many organizations to reconsider how they approach the identification and management of the risks posed by third parties.”4
Deloitte Third Party Governance and Risk Management Report

A risk-based approach to third-party risk management involves aligning your third-party risk profile with your organizational risk profile and building a program that optimizes both.

FCPA Guidance makes it clear that a risk-based due diligence process will be considered when assessing the effectiveness of a company’s compliance program. Fortunately, it says “the degree of appropriate due diligence may vary based on industry, country, size and nature of the [third-party] transaction, and [the] historical relationship with the third party.”3 So one size doesn’t have to fit all—that is, your organization can build a program commensurate with your level of third-party risk.

The obligation is on your organization’s leaders to make sure that they understand the qualifications and responsibilities of the third parties your organization engages. FCPA Guidance states that “the degree of scrutiny should increase as red flags surface.”3

3. U.S. Department of Justice (2012). A Resource Guide to the U.S. Foreign Corrupt Practices Act.
4. Deloitte (2016). Third Party Governance & Risk Management: Addressing the Challenges of Decentralisation.


PLAN

Define Your Goals & Create a Strategy

Whether your organization engages with a handful of local consulting firms or thousands of manufacturers around the world, those engagements are relevant to your organization and their failure could affect your organization’s ability to function effectively. The third-party universe is multidimensional, often with complexities that can surprise even the most sophisticated organizations and leadership.

This section explains how to set up a standard process for third-party risk management—from initial identification of third parties to your due diligence process and continuous third-party monitoring.

Critical Components to Include in Planning

Top-down support. Before, during and after a due diligence program is implemented, it is critical to have the full support of senior executives and the board of directors. Your program needs to be structured to work with your managers and executives to help them partner with responsible, professional companies. Your organization’s leadership should regularly communicate about the third-party program, making clear to everyone in the organization that relationships with third parties will be subject to risk-based due diligence to mitigate potential corruption risks.

A unified approach. There may be multiple divisions and locations within the organization that engage with and manage third-party relationships. It is critical that all key stakeholders, including those on the front lines of engaging with third parties, are aligned to use the same third-party relationship management systems, including the risk management solutions you pursue. A siloed approach can greatly increase an organization’s exposure to risk if, for example, your procurement department is unaware of information uncovered by your compliance department related to a third party. A key component for ensuring program consistency is a distributed automated system.

Automated, continuous monitoring. Manual third-party screening and monitoring processes—or an approach that monitors some but not all vendors and third parties—are no longer a viable approach to effective risk mitigation. You will never be able to predict whether any particular third party you work with will engage in unethical behavior. Instead a systematic, holistic and rigorous approach to due diligence must be in place to ensure that your company is kept informed and the right information is delivered when an issue arises.

BEST PRACTICE: Use a Standard Process
Identify and prioritize. Identify your universe of relationships and prioritize them by risk.
Assess. Conduct due diligence on a risk-adjusted basis to uncover and assess risks.
Mitigate. Take steps to mitigate any risk that was uncovered.
Monitor. Conduct continuous monitoring to keep third-party information current and to ensure that policy compliance is in force.

Adequate resources. Everyone deals with capacity, resources and budget issues. Beyond the time and costs involved in the initial screening of third parties, there are additional costs to keep in mind as you set up your program. Consider the operational and business costs related to:
»» The frequency of ongoing monitoring, which is determined by your risk profile and your third-party risk profile
»» The number of third parties to monitor—and which ones you need to monitor more often than others and why
»» Your contingency plans for when a third party fails—how to disengage and limit repercussions
»» To what level you’d need to disengage. Would it require full disassociation or partial? Would it have an impact on all business units or only on those directly affected?
»» The specific assurances you need to reengage with a failed third party and how long the reengagement process would take
»» Your expected costs in terms of lost productivity, downtime, open time of the relationship, and rescreening, reengagement or finding a replacement vendor when a failure occurs
»» Effective, automated solutions that can save on resources (including full-time employees), increase productivity and drive down operational costs

Third-party due diligence vendors can help you make a compelling business case if you are facing internal resistance to assigning adequate resources to this program.

Appropriate translation and cultural outreach. Many high-risk third parties reside in emerging markets where English is not the native language. In many cases third parties find the scrutiny of the due diligence process to be both high stakes and confusing, especially when the information being communicated is not in the third party’s local language. Providing notifications, instructions and interview questions in the third party’s local language can make the third party more comfortable with the process and help answer important questions, such as Why is the process important? and How will our information be used?

Third-party training. Organizations should consider, where appropriate, extending organizational compliance training (especially on codes of conduct) and policy attestation (available in NAVEX Global’s PolicyTech solution) to their agents, contractors and suppliers. Decisions about when and in what form to offer training support should reflect the third party’s risk profile and the degree of corruption risk in the relationship. A top-tier ethics and compliance training program offers customizable training for third parties and can be easily added to your ongoing compliance training.

Identify Your Third Parties

The landscape of business partners continues to expand in breadth and complexity for most organizations. As organizations look to grow, there is an abundance of third parties with deep expertise and broad capabilities that can extend the organization’s ability to succeed. When faced with a build or outsource decision, trends show that many organizations opt to work with trusted third parties to take on processes they lack the resources to accomplish on their own. These days many organizations are actively expanding their business capabilities through their third-party engagements, with or without a risk-based third-party risk management program in place.

Your immediate supply chain and distribution channels represent direct relationships between your organization and the third party, yet it is increasingly common these days to see your direct third parties engaging on your behalf with outside specialty consultants, agents and contractors with whom your organization has no direct relationship. When your third parties have a network of indirect third parties—sometimes called fourth parties—they need attention, too.

[Figure: The Landscape of Business Partners. Labels recoverable from the diagram: suppliers’ suppliers, suppliers, contractors, international joint ventures, lobbyists, dealers & resellers, foreign distributors, data vendors. Source: NAVEX Global]

Your Third-Party Risk Profile

After identifying your universe of third parties, it is important to be forthright about the implications of your engagements for your organization’s success. This means not only defining the depth and breadth of your third-party engagements but also understanding the costs of your program’s success or failure. It means defining measures of success and planning for all the possible program limitations.

When assessing your position, consider the regulatory environment in which your organization and your third parties operate. Some industries are more regulated than others, and some types of third-party engagements draw more legal and regulatory attention. To best protect your third-party program and your organization, start by knowing the threats and opportunities present in the environment in which you operate.

Evaluate your risks by defining the following:
»» The regulatory environment and industry in which your organization operates
»» The number of third parties with which your organization engages
»» The number of those third parties that are critical to your business

The number of third parties with which your organization engages is one indicator of your level of risk. It can help you define your challenges—much more so than the size of your organization in terms of employees or revenue. In fact, the proportion of third parties to your organization size is a clearer indication of your risk level than total numbers. For example, there are global manufacturing firms that facilitate manufacturing t

