The Consequences of Inadequate Due Diligence
Operating a global business today requires efficiently managing a network of third-party partners that supply product elements, run operations in foreign markets, operate call centers, or act as outside consultants or agents.
The great range of capabilities and specialized skill sets of a well-maintained third-party network makes operations easier for both the organization and its customers. But many organizations, from small businesses to multi-national corporations, can rarely provide the time and effort required in-house to manage these often complicated third-party relationships.
Because of this, the risk of unethical business practices, bribery and other business corruption potentially increases if inadequate due diligence is conducted on third-party partners. The ramifications of a scandal related to a third-party partner can easily take down an organization, with consequences ranging from a damaged reputation and brand devaluation to regulatory violations, legal proceedings and possible fines and jail terms for directors. The only way to fully protect the corporation's assets, consequently, is with a strong and viable third-party risk management program.
Building a third-party risk management program is not a passive process. It requires time and effort on a constant basis, as the risks associated with third-party partnerships regularly evolve.
Consider the events of this past summer, during which the legislators of three separate nations signed new compliance regulations and standards into law. Without a doubt, if your organization’s third-party risk management program is unable to quickly adjust to these new regulations (or is not designed to anticipate future legislative movements) your organization is truly at risk.
Cutting corners: not worth the risk
Nevertheless, far too many organizations are willing to tempt fate by cutting corners on development and implementation of their third-party risk management program. Certainly, building a strong risk management program requires a meaningful investment of time and resources (both internally and from the outside), but the consequences of not doing it right could be dramatically harsh.
One way organizations attempt to cut corners is by relying on outdated or stagnant tools to monitor, detect and prevent risks. Almost always, hiring outside industry professionals with proven track records of successful due diligence experience is necessary.
Relying too heavily on "desktop" due diligence is another dangerous shortcut. Desktop due diligence is an important initial step of the investigative process, involving background checks, lien searches, regulatory filing investigations and environmental reports. And while it is a vital part of any effective due diligence program, it's not nearly enough to thoroughly evaluate a third party.
Truly understanding a possible partner's business requires a significant amount of time spent face-to-face with the outside organization's leadership, operations management and even current customers. This "boots on the ground" process will detect possible risks which are often hidden from a distance, and undetectable via web-based discovery tools.
The "boots on the ground" approach also helps to establish a relational dynamic required for ongoing negotiations and provides clear insight into two of the fastest-growing issues in third-party risk management: bribery and labor management.
Bribery as a compliance issue
Anti-bribery and anti-corruption compliance is a fast-moving target. New anti-bribery laws and regulations are being decreed around the world at a relentless speed. Complicating matters further, many countries may have laws in place but without the ability to adequately enforce them. When this is the case, the responsibility falls to your organization’s due diligence program to ensure detection and protection.
High-profile investigations in recent years have contributed to the rapid emergence of bribery and corruption as a societal issue. Never before has such a contrast been drawn so dramatically on a global stage between those that engage in bribery and those that suffer as a consequence. Any organization that finds itself mixed up in a scandal involving bribery has more than a legal mess to contend with. It has a long battle to win back the trust of its shareholders, employees, customers and the public.
Conducting sufficient due diligence amid such varying factors is work that must be conducted in person. Gaining insight into a possible partner's company culture requires a level of immersion with the organization's leadership, management and staff. When it comes to evaluating bribery risk, some warning signs can only be discovered on-site.
Labor matters and compliance
From overtime issues and under-age workers, to unsafe working conditions and improperly documented accidents, labor compliance represents a major part of any strong third-party risk management program.
Once again, inadequate attention to risks related to labor compliance can bring on significant penalties. Understanding which industries, geographic regions and management structures elevate the organization's risk is important to efficiently operating an effective due diligence program. This understanding is nearly impossible to guarantee via "desktop" due diligence. Spending the necessary time in person is the only way to be sure a possible supplier is properly compensating and managing employees while providing a safe workplace environment.
Make no mistake, even if your agreement with a third-party partner places the responsibility of payroll issues firmly upon the vendor, your organization, as a joint employer, can still be held accountable in many countries. After all, the labor being conducted at your partner's facility benefits your organization's bottom line.
The demands of identifying and measuring third-party risk, monitoring those possible risks on an ongoing basis, and making recommendations based on empirical research are best met by a dedicated team of outside professionals. And while no two organizations are alike in terms of risk profiles, several factors have become consistent in building a strong and effective due diligence program:
Planning. Without a well-thought-out plan outlining ongoing monitoring efforts with stated roles and responsibilities, efforts to mitigate risk will be haphazard at best, and idle at worst. With a thoroughly established, management-advocated program that identifies specific risk factors for each affiliation, a process for addressing red flags, and an established mechanism for constant revision, the organization will remain vigilant in its efforts to protect itself from liability.
Documentation. Due diligence efforts are only as good as the information and data gathered and secured. Careful documentation and reporting enables the organization to recognize trends, communicate analyses, and sustain efforts during any future personnel changes. Effective risk management programs feature established guidelines for capturing data, contracts and research with uniformity.
Culture. An organization where leadership, management and workforce do not take third-party risk seriously will never be adequately protected from risk. Successful organizations in this respect dedicate themselves to building a culture in which every employee feels personally invested in the risk management of the operation. Employees must feel empowered and encouraged to report red flags. Passive engagement is simply not enough.
Done correctly, third-party risk management can effectively save the organization from risk, liability and other perils often associated with outside entities wanting to engage and transact with your business.