The Evolution of Third-Party Risk Management
Third-party risk management is a favorite topic for compliance professionals. And for good reason. Third parties create significant risks. To state the obvious, companies have less control over third parties than employees. But for many reasons companies engage third parties as a more effective solution than hiring employees. In this situation, risk multiplies exponentially.
The third-party risk issue, however, has multiplied exponentially for a number of important reasons. Years ago (as a long-time attorney in this field, the landscape has definitely changed and is continuing to evolve) the focus of third-party risk management was limited to anti-corruption, sanctions and reputational risks. This was a focus that made sense at the time.
Third-party risk, however, like life has evolved. And this evolution has been rapid. Compliance has to be nimble and even more so in this ever-changing marketplace.
Do not get me wrong – anti-corruption, sanctions, anti-money laundering and reputational risks are significant and should be a continuing priority. But the landscape has been altered in two significant ways.
COVID-19 Pandemic: The impact of the pandemic on all businesses cannot be underestimated. The pandemic and the economic impact revealed the importance of crisis management, business continuity planning and supply chain economics and operational risks. Companies experienced an “awakening” of business risks that has resulted in a hyper-focus on risk management issues. Companies do not like to be “blind-sided” by events outside their control and the pandemic exposed significant deficiencies in risk planning, supply chain operations and ultimately third-party risk management.
The pandemic revealed the importance of third-party risk management and the importance of understanding operational risks. Many companies had to scramble when certain third parties were unable to supply needed goods and supplies or were unable to distribute products for the company. Under this economic pressure, companies had to identify and assess alternative third parties – compliance was tested to work closely with the business to conduct appropriate onboard of critical third parties. Risk management, due diligence and other procedures had to be done quickly and efficiently under the pressure of significant business needs.
In the aftermath, companies realized that third-party risks management has to encompass a broader focus beyond reputational issues but to business continuity issues that could impact the company in the event of a serious pandemic, act of God or other comparable issues.
ESG (Environment, Social and Governance) Principles: Companies have experienced a tidal wave of interest from investors and stakeholders focused on the importance of ESG issues. As a result, companies have to broaden their focus to include ESG issues – these can be significant. For example, for some companies, environmental compliance can be a significant risk that requires scrutiny of third parties on environmental compliance issue.
The broad ESG focus translates into a broad risk analysis for third parties. Reputational risks have to be viewed as broader than prior analyses of this issue, especially given the range of social issues that are of concern to the consumers and communities. A third party with risky reputational concerns, potential labor issues for example, while cost-effective, would be too risky for certain companies that promote a culture of ethics, sustainability and social justice.
The combination of the COVID-19 pandemic and ESG issues is overwhelming at first glance. It is difficult to address these risks and the impact they could have on a company’s third-party risk profile. A company has to identify these risks, assess the risks and develop practical approaches to managing these risks. It is easy to get lost in an infinite analysis of risk. With focus, however, companies should apply practical approaches and strategies.