Michael Rasmussen

GRC Analyst & Pundit

Navigating Third-Party Risk Management: An EU & UK Perspective

The structures and realities of business today have changed. Traditional brick-and-mortar business is outdated: physical buildings and conventional employees no longer define the organization. The modern organization is an interconnected web of relationships, interactions, and transactions that span traditional business boundaries. Layers of relationships go beyond traditional employees to include suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, temporary workers, agents, brokers, dealers, intermediaries, partners, and more. Complexity grows as these interconnected relationships, processes, transactions, and systems nest themselves in intricacies, such as deep supply chains and subcontracting relationships. Roaming the hallways of an organization means crossing paths with contractors, consultants, temporary workers, and more. Business today relies and thrives on third-party relationships; this is the extended enterprise.

The European Union and the United Kingdom stand at the forefront of global trade and business partnerships. However, with increasing interconnectivity comes the challenge of managing third-party risks. For companies headquartered, operating within these jurisdictions, or in the supply/value-chain of companies that do, understanding and mitigating these risks is not only crucial for resilience but also for compliance.

The Essence of Third-Party Risk Management

Third-Party Risk Management (TPRM) involves identifying, assessing, and controlling risks presented by outside entities with which a business engages. These entities could range from suppliers, vendors, and contractors, to any other non-internal party involved in the value chain.

In the context of the EU and UK, several legislative frameworks emphasize third-party risk management:

1. German Supply Chain Act

Germany took a major step in 2021 by enacting the LkSG (Lieferkettensorgfaltspflichtengesetz, yes, German’s love complex words), otherwise known as the Supply Chain Due Diligence Act. This legislation focuses on human rights and environmental protections within supply chains. Under the act, companies are required to:

• Conduct due diligence throughout their supply chains.
• Establish risk management processes.
• Implement grievance mechanisms.
• Provide annual public reporting on their due diligence activities.

For businesses, this means that simply monitoring one's immediate suppliers is not enough; it's about ensuring every part of the supply chain, no matter how distant, is compliant. This regulation has now influenced the EU Corporate Sustainability Due Diligence Directive that will require every member country of the EU to pass a law similar to Germany’s LkSG.

2. UK Bribery Act and Sapin II in France

In the context of anti-bribery and corruption, the UK has its Bribery Act and France has Sapin II. Bribery and corruption enforcement actions reveal that third-parties are most often involved in these misdeeds. These laws aim to bolster transparency, fight corruption, and modernize economic activity in the UK and France. One of their major components is TPRM, especially concerning bribery risks. Key mandates include:

• Organizations must implement a compliance program that includes a code of conduct, a whistleblowing mechanism, risk assessment methodologies, and third-party due diligence procedures.
• Engage in continuous monitoring and regular updates of their compliance measures, especially when partnering with third parties.

3. UK Corporate Governance Code

Although the UK Corporate Governance Code primarily focuses on board leadership and company performance, it indirectly emphasizes the importance of TPRM. For instance:

• Companies must foster relationships with shareholders and stakeholders, which includes understanding the risks they bring.
• Regular engagement with the workforce (which could include third-party contractors) to determine their views and manage associated risks.
• Under the most recent changes, the board has to issue resilience statements. An organization cannot be resilient without looking at the extended enterprise of third-party relationships.

Challenges in Implementing TPRM in the EU & UK

While the importance of TPRM is undeniable, its implementation is fraught with challenges:

1. Complex Supply Chains: Especially for multinational corporations, supply chains can span continents. Each link adds potential risk factors.
2. Diverse Regulatory Frameworks: As illustrated above, different countries have different regulations, making a standardized TPRM approach difficult.
3. Cultural Differences: What's acceptable in one country or region might be taboo in another. Navigating these nuances is essential for effective TPRM.

Mitigating Third-Party Risks: A Way Forward

For businesses operating in the EU and UK, here are some steps to ensure an effective TPRM:

• Due Diligence: Always vet third parties before engagement. Understand their business operations, financial health, reputation, and any potential red flags.
• Continuous Monitoring: Risk management is not a one-off task. Regularly monitor third parties for potential risks and ensure they remain compliant with evolving regulations.
• Clear Contracts: Ensure that all contracts with third parties have clauses that allow for regular audits, adherence to regional regulations, and stipulate repercussions in case of breaches.
• Training and Awareness: Ensure that employees at all levels understand the importance of TPRM. Regular training sessions can keep them updated about the latest best practices and regulatory requirements.
• Leverage Technology: Use advanced TPRM solutions that can automate due diligence, monitor risks in real-time, and provide actionable insights.

The EU and UK, with their progressive stances on business transparency, human rights, and environmental protection, provide both opportunities and challenges for businesses. While the regulatory landscape may seem daunting, with a robust third-party risk management strategy, businesses can not only comply with regional mandates but also foster trust and build stronger, more resilient relationships with their partners. A haphazard department and document-centric approach for TPRM compounds the problem and does not solve it. Organizations need to address third-party risk with an integrated strategy, process, and technology to manage third-party relationships with real-time information and risk intelligence.