In today’s global economy, third-party relationships exist because businesses realize that they may not have the core competency or capacity to do everything themselves. By summoning a third party, organizations can get the much-needed help to push their products or services to market better, faster and/or more cost-effectively. However, when they invite a third party into the four figurative walls of their company, there is always inherent risk because they lose some control of their products or processes. They are liable not only for their actions, but also the actions of their third parties. Therefore, it behooves businesses to determine and continuously monitor their third parties’ risk.
According to Greg Dickinson, the CEO of Hiperos, “All third parties are outside of the four walls of your company, yet you depend on those third parties to help bring your product or services to market. There’s some research that suggests, depending on your industry, anywhere from 40 to 60 percent of your revenue is dependent upon the execution of these third parties.” Before sending that formal invitation out to their prospective third party, organizations must first ensure that the third party’s contribution outweighs its risks. Any third party that a company collaborates with can have the unintended consequence of impacting its reputation, regulatory responsibility and revenue—what Dickinson calls the three Rs.
Familiarizing Your Business with Risk Factors
“We always say that bad things can happen to good companies,” says Dickinson. While those bad things aren’t necessarily or directly an organization’s fault (geopolitical turmoil, natural disaster, etc.), they can be due to risk factors that perhaps were never considered or could be minimized. Companies are saying that so many problems happened over the last few years that they’re “outside the bounds of that notion of where their risks are,” so now they are getting into the habit of keeping tabs on all of their third parties—vendors, suppliers, affiliates, resellers, distributors, outsourcers, and the list goes on.
Regarding a recent supply chain issue, Dickinson laments, “Chipotle can no longer put pork in 600 of its restaurants because one of its third parties, a pork supplier, was not following the sustainability guidelines for animal wellness. From a financial impact, it’ll be interesting to see what the ramifications are. Nobody is going to remember or care who that third party is. Some may look at Chipotle and say it did a poor job of managing its third party, and therefore, it is painted with the same brush—cruelty to animals. That all could have been prevented with understanding the third party, better management, and signoffs and auditability around what that third-party supplier was doing.”
First and foremost, organizations must understand that they can’t fix anything that they don’t know is broken. Information is key and there are many questions to be answered, such as:
- Who are my third parties?
- What are they doing for me?
- What level of risk can they subject my organization to?
- Who in the organization is interfacing with them?
- Are they given access to customer data? (If so, it is the company’s reputation that suffers most if a data breach occurs.)
- Are they following a corporate sustainability index, supplier policy, and your code of conduct or way of doing business?
- What types of due diligence, controls, audits and/or inspections were instituted?
- Were the principals of the third party vetted?
- Are they on any anti-business sanction lists published by the U.S. government?
- Are they subjecting the organization to bribery or corruption risks? Are they based in a location known for high amounts of cybercrime or bribery?
Of course, nobody can prevent bad people from doing bad things, but if a business apologizes and can list the 18 or 20 steps that it went through to prevent something catastrophic from happening, its reputation is harmed less because the best effort was made as opposed to the company covering its eyes, or worse, never opening them in the first place. In that case, Dickinson says, “Then you really are to blame and you’re just as bad as the perpetrator.”
Effective and Efficient Management of Your Third Parties
Hiperos is involved in all aspects of third-party management. Frequently, organizations prefer to begin by understanding the risk of a project, such as bringing on a new supply chain third party. Then, if the prospects look good, a third-party management company can help the organization progress through the vetting and onboarding process, and then manage that third party throughout its lifecycle, which could entail risk and compliance reporting on an annual basis. Regardless, Dickinson advises, “If you’re going to manage something, it’s much better to manage the full lifecycle as opposed to picking and choosing what aspects of that third-party relationship you want to manage.”
To start, an organization needs a database or repository to store all of its third-party relationships, records, contracts and statements of work (SOWs), so that the right people have proper access to information when it is immediately needed. Once that infrastructure is in place, a third-party management solution, like Hiperos 3PM™, can help the business automatically manage the aspects that are important to it, whether that be the risk appetite of the company or understanding third-party segmentation, and most importantly the kinds of risk the organization is most worried about, whether financial liability, business continuity and disaster recovery, or geopolitical, operational or transactional risks.
Once those kinds of risk levels are identified, third-party management software can help automatically establish a series of controls or due diligence processes to manage those third parties in an effective and efficient manner. Businesses shouldn’t think of third-party management software as just a database or platform, but also a book of record that can aid in limiting liability.
Some third parties reside only in an organization’s procurement, supply chain, accounts payable, intellectual property (IP) governance, regulatory compliance or even perhaps information technology (IT) vendor management system. By integrating all of them into one platform, a business is already eliminating an enormous gap in knowledge. Furthermore, when a company compiles its third parties into one database, it can then segment them quickly to quantify specific risks.
For example, “out of the 50,000 that we have, which third parties could subject us to regulatory concern? Let’s pretend that it’s only 20 percent, so out of that number, what level of concern should we have? And once that is figured out, then you can put the proper due diligence, controls or vetting in place dependent upon the level of regulatory concern,” according to Dickinson. “If you treated all third parties with the same level of management, you’d go broke and never get it done. By being able to subset and segment and tier, you don’t need to do the same level of due diligence for those that are high as opposed to the low. That’s how we help our customers to get their arms around all third parties when we say put the right information in front of the right person at the right time.”
Another benefit of implementing a third-party management system is avoiding paperwork. Dickinson mentions that Hiperos has a third-party network (TPN) that allows organizations to leverage information that was already collected about their third parties, so they don’t need to do it themselves if 50 other companies already did. That way, information is at their fingertips in days as opposed to months, because there is no need to reach out to that third party, collect the information, manually enter it, etc. When businesses were using paper-based methods, statistics show that it wasn’t unusual to take 90 days or longer just for the onboarding process.