The first task is daunting: identify every third party with whom your company conducts business. For large global companies this is no easy job. Some companies have neither a readily available list nor an understanding of the size and scope of their third-party population, and that is an initial hurdle unto itself.
The first step usually involves some kind of list of third parties, many times kept on an Excel spreadsheet. Good luck, this is another challenge.
With this list, I am interested in several ways to slice and dice the population.
First, I would suggest carving out the third parties on the sales side, meaning those with whom the sales organization typically interacts on a regular basis.
Second, I usually break the supplier/vendor side down into categories.
Most companies initially divide their vendor/supplier side into two broad categories: direct and indirect vendor/suppliers.
Direct vendors are those who provide raw materials and other inputs needed to manufacture specific goods. Indirect vendors are those that provide other categories of services, including professional services, customs or export logistics, administrative services, consulting, and other relevant indirect categories.
The definition of each category takes time and has to be coordinated with the business so that the categories are familiar and understandable to the business. To build a defined classification system, legal and compliance have to understand exactly how the business operates on the sales side and on the procurement and manufacturing side. Most chief compliance officers (CCOs) find the process of understanding and classifying the third-party population to be educational and informative.
Once the categories are defined and assigned, it is important to identify potential risks: operational, legal, cyber and other specific factors. From an operational view, third parties have to be graded for their overall importance to the supply or distribution chain. An exclusive distributor in a country or region will carry significant weight in a risk score, as will a vendor responsible for delivery of an essential input. As part of this overall analysis, sales and procurement managers need to coordinate and support compliance or provide access to relevant information on these issues.
Aside from the operational risk factor, the compliance team has to examine and identify legal risks (anti-corruption, money laundering, antitrust, sanctions and export controls) and cyber risks. As part of this inquiry, it is important to collaborate in defining and assessing these risks, drawing in trade compliance, procurement, sales channel managers, and information technology. This partnership brings together legal, compliance and business experts to assess the importance of specific risk factors and the strategies for uncovering these risks.
We know all the usual issues for examination — the business justification for engaging a third party; the specific role of the third party and need for the third party; the beneficial owners of the third party; the reputation of the proposed third party; the proposed compensation, billing and payment arrangements; the nature of the legal relationship between the company and third party (i.e. whether the third party is representing the company with government officials); the third party’s reputation for ethics and compliance; the information technology systems and cyber protections of data stored and transmitted by the third party; and the third party’s existing ethics and compliance program.
While everyone is quite familiar with this list of information, the key inquiry is how to use this information to evaluate specific risks. Anti-corruption risks extend to situations in which a government official or close family member maintains an ownership interest in the third party. Sanctions risks may require examining beneficial ownership interests as well in order to apply the 50 Percent Rule, under which an entity owned 50 percent or more, directly or indirectly, in the aggregate by one or more blocked persons is itself treated as blocked even if it does not appear on any sanctions list. And, of course, any relationship with a third party could raise reputational risks.
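The beneficial-ownership aggregation that the 50 Percent Rule calls for, as an added example in Python (this is not code from the original post). The ownership table and the entity names are constructed for illustration. The logic follows OFAC's published guidance on the rule: stakes held by blocked persons are summed; an intermediate holding company passes its stake through to the entities it owns only once it is itself blocked under the rule; and the check is repeated until no new entity crosses the threshold. The output is a screening aid, and anything it flags still needs review by counsel.

```python
"""Aggregate blocked ownership across a layered ownership structure.

Added example, not from the original post. The OWNERSHIP table and every
name in it are constructed for illustration.
"""
from typing import Dict, Set

# Constructed ownership table: entity -> {owner: percentage of that entity held}.
# Percentages for one entity need not sum to 100 if some holders are unknown.
OWNERSHIP: Dict[str, Dict[str, float]] = {
    "HoldCo A": {"Blocked Person X": 50.0, "Clean Investor P": 50.0},
    "HoldCo B": {"Blocked Person X": 25.0, "Clean Investor Q": 75.0},
    "Vendor C": {"HoldCo A": 30.0, "Blocked Person Y": 20.0, "Clean Investor R": 50.0},
    "Vendor D": {"HoldCo B": 60.0, "Clean Investor R": 40.0},
}

# Persons that appear on the sanctions list itself (constructed).
LISTED: Set[str] = {"Blocked Person X", "Blocked Person Y"}

THRESHOLD = 50.0  # the "50 Percent" in the rule's name


def blocked_share(entity: str, blocked: Set[str],
                  ownership: Dict[str, Dict[str, float]]) -> float:
    """Percentage of `entity` held, in the aggregate, by currently blocked holders."""
    return sum(pct for owner, pct in ownership.get(entity, {}).items()
               if owner in blocked)


def derive_blocked(ownership: Dict[str, Dict[str, float]],
                   listed: Set[str], threshold: float = THRESHOLD) -> Set[str]:
    """Return listed persons plus every entity blocked under the 50 Percent Rule.

    Iterates to a fixed point: an entity that becomes blocked in one pass can
    push another entity over the threshold in the next pass (indirect ownership).
    The blocked set only grows and the graph is finite, so the loop terminates
    even with circular cross-holdings.
    """
    blocked = set(listed)
    changed = True
    while changed:
        changed = False
        for entity in ownership:
            if entity in blocked:
                continue
            if blocked_share(entity, blocked, ownership) >= threshold:
                blocked.add(entity)
                changed = True
    return blocked


def screen(entity: str,
           ownership: Dict[str, Dict[str, float]] = OWNERSHIP,
           listed: Set[str] = LISTED) -> Dict[str, object]:
    """Onboarding check for one third party: blocked flag plus the holders that drove it."""
    blocked = derive_blocked(ownership, listed)
    contributors = {owner: pct for owner, pct in ownership.get(entity, {}).items()
                    if owner in blocked}
    return {
        "entity": entity,
        "blocked": entity in blocked,
        "blocked_pct": sum(contributors.values()),
        "contributing_holders": contributors,
    }


if __name__ == "__main__":
    for name in OWNERSHIP:
        print(screen(name))
```

In the constructed data, HoldCo A is blocked outright (50 percent held by a listed person) and therefore its 30 percent stake in Vendor C counts in full, which together with a listed person's 20 percent puts Vendor C at exactly the threshold. HoldCo B is only 25 percent owned by a listed person, so it is not blocked and its 60 percent stake in Vendor D does not count at all, even though the listed person's indirect economic interest in Vendor D is 15 percent. That asymmetry is the part of the rule that a manual beneficial-ownership review most often gets wrong, and it is why the check has to be run to a fixed point rather than as a single pass over the direct owners.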
The third-party population presents a unique set of risk factors that often are segregated by geography, type of third party, expected interactions with government officials on behalf of the company (i.e., in a representative capacity), and annual revenue with the company as a proxy measure for the number of interactions and the amount of risk. Again, some of these basic factors should be assessed in relation to the specific risk. Vendors and suppliers located near North Korea, for example, create a risk that materials sourced from North Korea enter the company's supply chain. Companies operating in high-risk corruption countries or high-risk industries have a far different risk profile from those operating in low-risk countries.
The conduct of due diligence for onboarding purposes is not a scientific inquiry. It requires discretion and the exercise of judgment. There are some hard and fast rules, but most often the company has to apply its own risk tolerance to issues that require careful balancing. The onboarding process should include appropriate follow-up inquiries and documentation requirements (e.g., beneficial ownership representations when questions surround the legal owners).