Six Criteria to Determine Whether a Third Party Issue is Strategic
Over the past two decades we have witnessed the globalization of corporate ethics, compliance, and risk management. We have also witnessed a material increase in investigation, enforcement and cooperation by government agencies like the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the United States and equivalent agencies in other countries (such as the Serious Fraud Office in the UK), as well as increasing international cooperation between law enforcement agencies. These investigations have focused heavily on key issues like anti-corruption, anti-fraud, and anti-money laundering, all of which often involve third parties.
This trend includes non-governmental entities like Transparency International (TI) and the Organization for Economic Cooperation and Development (OECD) that over the past two decades have developed deep and broad expertise, guidance and data on all manner of anti-corruption, anti-fraud, anti-money laundering and other criminal, civil and unethical behaviors.
Add to all these developments the latest trend: the slow but steady realization by boards of directors of their critical risk oversight role. With boards’ heightened awareness comes greater scrutiny of the c-suite and the CEO on all manner of corporate risk, including strategic risk and third party risk. Recent risk surveys of boards of directors demonstrate their increased sensitivity and concern over certain key risks – including reputation risk, cyber-security and corruption. In all three cases, third parties are often, if not always, inextricably linked to these risks.
In order to successfully manage third party risk, including strategic third party risk, senior management first needs to fully understand, manage and mitigate these risks. But their work does not end there – executives need to know when these risks should be presented to the board of directors both on a regular or periodic reporting basis and during critical times when such issues have become material or are part of a crisis.
Different challenges require different responses. In some cases a third party risk event may require a tactical or operational response that is confined in time, location, resources and response. In other instances, the strategic context in which a third party risk issue might emerge may determine a different response – a more coordinated, regional, global or even crisis management response depending on its characteristics.
In order to understand where a particular third party risk may fall, it is useful to think of third party risk on a continuum or spectrum of key criteria from mostly tactical to mostly strategic or even critical. I’ve developed the following graphic to assist those responsible for managing risk in their companies determine when and how to respond to different risk-related incidents.
The following is a series of criteria management should consider to determine whether a third party issue is or has become strategic:
Criteria #1 - Level: Is the Third Party Risk that has been Identified Related to the Business Strategy or Business Plan?
The more tactical and contained the third party issue, the less likely it is to rise to the level of the c-suite and the board. The more it is related to the business plan or strategy and the broader its operational impact, the more likely it needs to be brought to the attention of the highest levels of the organization.
For example, a third party IT services consultant at a local office who is terminated for cause (improper invoicing) does not rise to the level of a strategic issue. However, a third party business partner who is accused or convicted of bribery and corruption can have a potentially strategic impact on a company’s business plan.
Criteria #2 - Context: What is the Geographical and Structural Context of the Third Party Risk?
If a risk is strictly local and its impact contained, it may not grow to be strategic. However, the greater its impact geographically or systemically within the company, the more likely it will become strategic in its implications.
For example, a virus inadvertently deposited by a third party consultant on a local laptop is not a strategic risk; a concerted cyber-attack on a company’s servers using a third party’s network credentials is strategic.
Criteria #3 - Materiality: How Well Known and How Material is the Third Party Risk to the Organization?
The better known and addressed the risk, the less likely it will become strategic and critical. However, if a risk is not known and/or not properly addressed by the organization, the more material it can become and thereby the more strategic or critical its potential negative impact.
For example, an energy company knows that it has environmental exposure and risks and ensures compliance with local laws by working with a well-regarded environmental firm. If the firm turns out to be incompetent and irresponsible and the consequences to the company are the loss of a license to operate in the country, it could have strategic implications.
Criteria #4 - Timing: When and How is the Third Party Risk Unfolding?
The more one-off and short-lived a risk, the less likely it is to become strategic. However, if it has further reverberations and/or is not handled in a timely manner, the risk can become increasingly problematic to the organization and eventually even become a strategic challenge or crisis.
For example, one incident of not conducting proper due diligence on a third party may not rise to a strategic risk. However, a systemically irresponsible approach to conducting both initial and ongoing third party due diligence can lead to multiple incidents or a material one with strategic risk implications to the company.
Criteria #5 - Resources: Who Must Be Deployed to Address the Third Party Risk?
The more layers of local, national and international company resources, including cross-functional experts, that need to be deployed to properly address a specific third party issue, the more likely the issue will become potentially material, even strategic.
For example, a proposed strategic partner in a new market will require not only the deployment of local resources for due diligence purposes; it is likely to require national, international and senior management attention as well, for both vetting and approval. If such vetting does not take place, or there are issues with the third party (the party turns out to have been convicted of corruption in the past, for example), such a third party issue will become strategic and subject to crisis management.
Criteria #6 - Reporting: Who Needs to Know about the Third Party Risk?
The higher up one must go on the corporate echelon, the more likely the risk is strategic. Additionally, if reporting to outside authorities is part of the consideration, this risk issue poses even greater potential strategic implications. The Table on Page 6 is meant to provide guidance to risk managers and others who are analyzing whether a third party issue constitutes a strategic third party issue requiring the attention of (and potentially resources from) the highest levels of the organization.
Third party risk in today’s increasingly challenging global business environment is inevitable. Companies that understand when third party risk becomes strategic and know when to raise it to their c-suite and board are companies that are more resilient and prepared to deal with the complex conundrums of the age of hyper-transparency.
Author: Andrea Bonime-Blanc is CEO of GEC Risk Advisory, the global strategic governance, risk, integrity, reputation and crisis advisory firm (www.GECRisk.com) and author of The Reputation Risk Handbook: Surviving and Thriving in the Age of Hyper-Transparency (http://bit.ly/1284TMR)