Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
By Michael Greene
Dec. 11 — Third-party risks can create significant compliance-related risks as well as reputational risks for organizations, and having an enterprisewide approach to these risks is critical for almost any company doing business with third parties, according to speakers at the Dec. 10 NYSE Governance Services “Managing Third-Party Risks Forum.”
Although there was agreement among the panel that a lack of information makes it impossible to know 100 percent about all of a company's third-party vendors, the speakers said it is important to have a process to create long-term sustainable relationships with trustworthy partners.
The conversation when it comes to third parties is expanding dramatically, according to Erica Salmon Byrne, executive vice president of compliance and governance solutions at NYSE.
That is because there is a growing awareness of the myriad ways in which third-party vendors can create significant compliance-related risks.
Cathy Allen, chairman and chief executive officer of The Santa Fe Group and director of Synovus Financial Corp. and El Paso Electric Co., said the reputational harm caused by things such as bribery, security breaches and the way vendors treat customers should be a concern for many companies.
She added that “hacktivists”—hackers that have some sort of political or personal agenda—are emerging and looking for ways to embarrass companies. She cited the recent Sony Pictures breach as an example of this type of reputational risk.
She said there is so much critical information that can be breached, and often third-party vendors hold this critical data. If they are not applying the same standards of conduct as the organization, then the company is really at risk, she said.
Stephen Donovan, chief ethics and compliance officer at International Paper Company, noted that from his perspective, compliance risks in this area have not changed much during the last five years, However, companies are changing the ways they address these risks.
According to Donovan, more companies are addressing third-party risks on an enterprisewide level, which is a more integrated and holistic manner of risk assessment.
He also noted that his company has a process that deals with risks on an enterprisewide level so that different risk areas are not dealt with by different functional groups within the organization.
This approach is similar to the “federated approach” to compliance that is recommend by Michael Rasmussen, chief pundit for governance, risk management and compliance with GRC 20/20 Research, LLC.
Peter Nolan, senior managing director at FTI Consulting, said that companies are also seeing an increase in complex demands from upstream businesses. He added that he does not see this trend changing anytime soon.
Consumer-focused companies will expect more than just checking boxes because they are faced with reputational risks, said Donovan.
He added that setting expectations is key to making this work. There are a lot of good tools out there, but what a company really needs to develop is an organic approach to this process that inevitably take more time and work.
Nolan added that dealing with these demands depends on the individual business, the sector of business and the countries in which a company operates.
Donovan was also asked about passing on the costs of increased compliance requirements. He noted that his company was not trying to develop its processes to simply conduct due diligence, but also was trying to build sustainable value relationships with its supply chain.
It is not just about weeding out the bad apples and finding third parties that will agree to the company's provisions and certifications, he noted. Instead, it is important to develop a process for identifying those vendors with whom a company is going to form long-term relationships, so there will more collaboration and innovation in delivery products, he added.
There is a quid pro quo, he said.
Nolan, however, posed the question of what companies should do to find out whether they are dealing with a “bad apple” when there is lack of information. Third parties sometimes do not have track records and outside of the U.S., public records can be extremely limited so it can be difficult to find out if a third party has violated any laws, he added.
Donna Vitalie, senior director for business conduct & compliance and records management at AOL, noted that her company performs background checks and hires outside consultants to determine the credibility of vendors. She noted that the lack of information about third parties can be a real challenge, but ultimately this is part of the risk of doing business and companies have to make informed choices with the best data they have.
Allen noted that she is seeing more boards adding risk committees.
A November National Association of Corporate Directors survey indicates that many directors want changes in the allocation of risk oversight responsibility.
Allen also noted that boards are looking at organizational functions and whether a company has the right resources and people in place to assess risk.
More companies are focusing on protecting the crown jewels and critical infrastructure, she said.
She also noted that companies should be looking at the best practices in the industry and how they can learn from other businesses.
Moreover, with social media, it so easy for things to go viral, she said. Accordingly, a crisis management committee should make sure that an organization has a presence and is able to get the company's message out, she added.
According to Judy A. Smith, a crisis expert and former White House deputy press secretary, a business needs to be prepared to effectively communicate its message during a crisis, which includes having a “social media crisis plan”.
To contact the reporter on this story: Michael Greene in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Ryan Tuck at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)