A new NAVEX Global survey found that more than a third of organizations still use paper-based records or disparate office productivity software to administer their third-party risk assessment and management programs.
How best-in-class organizations address third-party risks
“There’s a growing realization that third-party risk management should operate within an organization’s larger ethics and compliance program,” said Michael Volkov, CEO of The Volkov Law Group. “Enforcement agencies expect companies to use the same level of automation to manage third-party risk as they do for other parts of their compliance program, and regulators can levy large financial penalties for third-party compliance failures. The ability to demonstrate good-faith efforts to manage third-party risk through use of available technologies can result in lesser penalties, including declination to prosecute.”
The 2018 third-party report is based on results from 1,200 survey respondents who influence or manage their organization’s ethics and compliance programs, of which more than 500 answered additional questions specific to third-party risk. Among this group, fully 35 percent said they used paper or desktop software to track and manage third-party risks.
“Given the rapid, global expansion of supply chains along with agent and partner relationships, it’s never been more important to be strategic about mitigating exposure to third-party risk,” said Bob Conlin, President & Chief Executive Officer, NAVEX Global. “Smart companies recognize third parties as an extension of their own organizations, and therefore manage third-party compliance as rigorously as internal compliance.”
Despite the evident need for more rigor, the report shows that fully 31 percent of third-party programs were deemed basic or reactive, and 41 percent were maturing. Only 17 percent were rated as advanced. To ensure that these maturity ratings reflected actual program design and performance rather than self-perception, respondents did not self-evaluate. Instead, they were asked individual questions on program elements – including risk-management practices, technologies and methodology used – from which each program's effectiveness was determined.
Other key findings in this year’s report include:
- Too many organizations underestimate their risks related to third parties. While many assess that risk as low, the survey data indicate it is in fact higher than they anticipate.
- Organizations often apply FCPA and similar anti-bribery legislation as third-party risk program parameters. But respondents also indicated that the value of using purpose-built technology to monitor and assess risk goes beyond avoiding regulatory failures. These systems offer visibility and management reporting benefits that improve overall vendor management.
- Respondents rated the following challenges as their top concerns: monitoring third parties (53 percent), lack of internal resources (45 percent), training third parties and getting attestation on policies (36 percent).
- More than half of respondents (58 percent) engage more than 100 third parties, and nearly one third (29 percent) engage more than 1,000.
Finding a consistent approach to monitoring third parties is the top challenge for organizations
While 35 percent of organizations overall used paper or disparate office productivity software, the share was highest in healthcare and social assistance (52 percent), followed by transportation, distribution, logistics and warehousing (43 percent). Additional survey findings on broader compliance program challenges, beyond third-party risk, include: concerns about implementing an effective code of conduct (46 percent), responding to cyber security events (44 percent), procedure management/quality control (28 percent), conflicts of interest (25 percent) and anti-bribery (21 percent).