The Importance of a High-Risk Due Diligence Committee
Believe it or not, companies are still struggling with third-party risk management systems. I know this sounds hyper-critical, but many companies continue to hang onto paper due diligence systems (with or without a SharePoint platform to store third-party due diligence documentation). An even smaller percentage of companies are automating their due diligence programs, a basic requirement for any company with more than a minimal number of third parties.
It is disturbing that, in the face of government focus on third parties, companies have not yet buttoned up their third-party risk management systems. A failure to act in this situation cannot be justified. The investment in an automated platform is relatively insignificant, especially when weighed against the relevant risks.
Assuming your company is one of the lucky ones and has implemented an automated third-party risk program, it should next target its high-risk third parties. Companies regularly conduct business with the assistance of high-risk third parties. The estimated percentage of a company’s high-risk third-party partners usually falls somewhere between 10 and 20 percent of its entire third-party population.
To supplement an automated system, companies should consider creating a high-risk due diligence committee with responsibility for oversight of the onboarding, monitoring and auditing processes for high-risk third parties. By centralizing this function, a high-risk due diligence committee becomes a management tool that enforces consistent standards and consistent application of risk management tools.
As an initial step, a company has to develop criteria to determine its universe of high-risk candidates. Most companies focus on the following factors:
- Country of operation and relevant corruption measures;
- Industry corruption measures in a relevant country;
- Financial relationship, based on annual revenues;
- Length of relationship;
- Nature and extent of government interactions;
- Type of relationship: representational (e.g. agent, distributor, lobbyist, consultant or vendor/supplier); and
- Past misconduct.
A third-party due diligence committee would consist of representatives from compliance, legal, internal audit, each business region, procurement/supply chain, and a member of the senior executive team. Its responsibilities would include review and approval of:
- New third party relationships;
- The specific contract with the third party;
- A program to monitor third-party activities;
- A training program for the specific third party;
- A determination of the comparability of a third party’s ethics and compliance program; and
- A plan to audit the company’s high-risk third parties through sampling and a scheduled audit program.
Given the risks posed by a company’s high-risk third parties, companies have to intervene and set up a specific control to mitigate them. While I am reluctant to advocate a new bureaucratic mechanism, it is clear that additional measures are needed.
Companies have to take greater responsibility for their third-party risks. If they cannot adopt modest requirements such as an automated platform, companies have to implement additional controls based on risk-ranking and allocation of resources.