Adjusting Your Perspective — Identifying Your Real Third-Party Risks (Part II of V)
Compliance professionals are always looking for ways to collaborate and support internal business partners. Through the years, compliance professionals have devoted significant energy to building partnerships with the business. Compliance has and should continue to build a strong relationship with business as a meaningful value-add.
This process has been accelerated by the Covid and Ukraine crises and increasing cyber risks stemming from data breaches and ransomware attacks. The Covid and Ukraine crises immediately highlighted the importance of crisis response and the disruptive impact of events outside an organization’s control. Companies that responded nimbly, adjusted to the Covid impact to the global economy, and built a supply chain with appropriate redundancies and risk-based alternatives, achieved what I label as organizational resilience — the ability to respond to risks and build new systems that adapt to a changing economy.
Companies now face a new and significant challenge — like Covid and the Ukraine war — stemming from climate change. Depending on the business profile, climate change can have a real and significant impact on a company that is exposed to climate change factors. It is important for companies to identify risks that can have such a devastating impact on their operations, particularly those susceptible to weather events.
As part of this equation, a company has to identify the specific real world implications of its third-party population. To the extent that third parties provide operational resiliency and protection against devastating impact, third-party relationships have to be managed in a holistic manner — more than just legal and compliance risks (e.g. FCPA, sanctions, money laundering and cyber risks), holistic risk management means operational concerns that may threaten the company’s ability to produce goods and/or provide services.
The Ukraine crisis in particular demonstrated just how important this holistic perspective is to an organization’s resiliency. Within a short time period, global companies were losing access to important business partners who may have been connected to Russia. In just hours, after a particular entity was designated as a prohibited party or types of transactions were restricted, companies were scrambling to identify alternatives. The Ukraine crisis quickly exposed weaknesses in a company’s supply chain.
Companies that depended on a Russian company for an essential input suddenly had to find an alternative — that was not easy for some companies and they suffered risk exposure, meaning a potential threat to its ability to secure essential supplies of goods and services needed to provide its own customers with goods and/or services.
This is where legal and compliance comes in. CCOs are natural partners for the business to identify these potential risks, manage them, and maintain data connected to these essential third parties. To do so, CCOs should be closely aligned with procurement managers to support their planning and day-to-day operations by providing current information on legal status, identifying alternatives, and quickly providing due diligence, relevant information and analysis for developing a resilient supply chain.
Many businesses went through a similar process in response to the Covid pandemic when existing third parties were forced to shut down or even discontinue operations because of the impact of Covid. Again, companies scrambled to identify alternative sources of goods and services and nimbly adapted legal and compliance controls to new third parties needed to maintain operations.
CCOs should build on these experiences to gain credibility and support from the business managers. Aside from operational concerns described herein, CCOs already know the importance of reputational risks. Company executives and managers know the importance of reputational risks. CCOs can help to identify, risk rank and navigate these risks, especially in responding to the Ukraine war and maintaining operations in Russia.
The last two years have underscored the important role that the compliance function plays in overall management of third-party risks. Given the impact of these crises, CCOs have greater influence in an organization. CCOs should leverage this new found role by addressing increasing cyber risks. CCOs need to ensure they have a seat at the table given their obvious capabilities to incorporate cyber risks in their overall risk management system. We all know that third parties present serious cyber risks that could devastate an organization’s reputation and operations. The infamous Target data breach involving credit card data was the result of a cyber intrusion through a third-party. This catastrophe was a stark reminder of just how a third party can impact an organization.