Companies Should Have Plan for Addressing Third-Party Risks

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Michael Greene

Dec. 11 — Third-party risks can create significant compliance-related risks as well as reputational risks for organizations, and having an enterprisewide approach to these risks is critical for almost any company doing business with third parties, according to speakers at the Dec. 10 NYSE Governance Services “Managing Third-Party Risks Forum.”

Although there was agreement among the panel that a lack of information makes it impossible to know 100 percent about all of a company's third-party vendors, the speakers said it is important to have a process to create long-term sustainable relationships with trustworthy partners.

Reputational Risks

The conversation when it comes to third parties is expanding dramatically, according to Erica Salmon Byrne, executive vice president of compliance and governance solutions at NYSE.

That is because there is a growing awareness of the myriad ways in which third-party vendors can create significant compliance-related risks.

Cathy Allen, chairman and chief executive officer of The Santa Fe Group and director of Synovus Financial Corp. and El Paso Electric Co., said the reputational harm caused by things such as bribery, security breaches and the way vendors treat customers should be a concern for many companies.

She added that “hacktivists”—hackers that have some sort of political or personal agenda—are emerging and looking for ways to embarrass companies. She cited the recent Sony Pictures breach as an example of this type of reputational risk.

She said there is so much critical information that can be breached, and often third-party vendors hold this critical data. If they are not applying the same standards of conduct as the organization, then the company is really at risk, she said.

Old Risks, New Processes

Stephen Donovan, chief ethics and compliance officer at International Paper Company, noted that from his perspective, compliance risks in this area have not changed much during the last five years, However, companies are changing the ways they address these risks.

According to Donovan, more companies are addressing third-party risks on an enterprisewide level, which is a more integrated and holistic manner of risk assessment.

He also noted that his company has a process that deals with risks on an enterprisewide level so that different risk areas are not dealt with by different functional groups within the organization.

This approach is similar to the “federated approach” to compliance that is recommend by Michael Rasmussen, chief pundit for governance, risk management and compliance with GRC 20/20 Research, LLC.

Increased Complexity

Peter Nolan, senior managing director at FTI Consulting, said that companies are also seeing an increase in complex demands from upstream businesses. He added that he does not see this trend changing anytime soon.

Consumer-focused companies will expect more than just checking boxes because they are faced with reputational risks, said Donovan.

He added that setting expectations is key to making this work. There are a lot of good tools out there, but what a company really needs to develop is an organic approach to this process that inevitably take more time and work.

Nolan added that dealing with these demands depends on the individual business, the sector of business and the countries in which a company operates.

‘True Value Distinction.'

Donovan was also asked about passing on the costs of increased compliance requirements. He noted that his company was not trying to develop its processes to simply conduct due diligence, but also was trying to build sustainable value relationships with its supply chain.

It is not just about weeding out the bad apples and finding third parties that will agree to the company's provisions and certifications, he noted. Instead, it is important to develop a process for identifying those vendors with whom a company is going to form long-term relationships, so there will more collaboration and innovation in delivery products, he added.

There is a quid pro quo, he said.

Bad Apples

Nolan, however, posed the question of what companies should do to find out whether they are dealing with a “bad apple” when there is lack of information. Third parties sometimes do not have track records and outside of the U.S., public records can be extremely limited so it can be difficult to find out if a third party has violated any laws, he added.

Donna Vitalie, senior director for business conduct & compliance and records management at AOL, noted that her company performs background checks and hires outside consultants to determine the credibility of vendors. She noted that the lack of information about third parties can be a real challenge, but ultimately this is part of the risk of doing business and companies have to make informed choices with the best data they have.

Board Perspective

Allen noted that she is seeing more boards adding risk committees.

A November National Association of Corporate Directors survey indicates that many directors want changes in the allocation of risk oversight responsibility.

Allen also noted that boards are looking at organizational functions and whether a company has the right resources and people in place to assess risk.

More companies are focusing on protecting the crown jewels and critical infrastructure, she said.

She also noted that companies should be looking at the best practices in the industry and how they can learn from other businesses.

Moreover, with social media, it so easy for things to go viral, she said. Accordingly, a crisis management committee should make sure that an organization has a presence and is able to get the company's message out, she added.

According to Judy A. Smith, a crisis expert and former White House deputy press secretary, a business needs to be prepared to effectively communicate its message during a crisis, which includes having a “social media crisis plan”.

To contact the reporter on this story: Michael Greene in Washington at

To contact the editor responsible for this story: Ryan Tuck at


Request Corporate on Bloomberg Law