The top ten mistakes compliance officers make with third-party management (and what to do about them)
Let’s face it, third-party management can be challenging. Every day, compliance officers bemoan the failures of their third-party programs. They say things like, “It’s just not working. The business hates the program and is working around it. There are payments made to third parties that haven’t had any review at all. Due diligence questionnaires remain incomplete. What do we do now?”
It may feel overwhelming, but no matter what is happening in your program, all is not lost. Most problems with third-party programs fall into one of several categories. Typically, these problems can be solved with tweaking, as opposed to a full-scale reboot of the program.
Throughout my many years working with companies to create, evaluate, optimize and fix their third-party programs, I’ve seen the good, the bad and the ugly. Patterns emerged quickly, as did solutions for the problems plaguing so many companies and their compliance officers.
Here are the top ten problems compliance offices make with their third-party program, and what to do about them.
Mistake No. 1: Everything is in scope.
When ambitious compliance officers start their third-party programs, they get excited. They see risk everywhere and want to reduce it. To do that, they take all the third-party types they can find and put them all in scope. Pretty soon they realize they don’t have the resources to manage all of the red flags or process the due diligence. They get overwhelmed. The business gets tired of waiting.
What to do about it: If you are just starting your third-party program, start small by isolating your highest-risk third parties for due diligence. These are typically your sales agents and distributors. If you’ve got a dysfunctional third-party program, try reducing the scope so that only higher-risk third parties are in scope. If you reduce the scope, be sure to put the reason for doing so in writing. Be sure to note how you employed a risk-based approach.
Mistake No. 2: Everyone gets the same level of diligence.
One of the most common mistakes I see is the exact same level of due diligence applied to every type of third party. This typically happens because the compliance officer is uncomfortable and plagued with the “what if’s”: “What if we miss something?” “What if a bad third party gets through?” This insecurity creates unwieldy programs.
What to do about it: Use what I call the “menu approach.” Due diligence options come in many flavors. For example, there are (1) initial screenings using software (like Third-Party Management from Diligent), (2) due diligence questionnaires that go to third parties, (3) escalating contract clauses, (4) reference checks, (5) desk reviews and (6) enhanced boots-on-the-ground reports. Look at your menu of options, then create a tiered approach to how much due diligence is applied based on the risk presented by the third party. The larger the risk, the larger or heavier the list of required steps.
Mistake No. 3: The due diligence questionnaire (DDQ) is ridiculously long.
It’s so easy to add questions to a due diligence questionnaire. People think, “Wouldn’t it be great to know just one more thing?” Let that happen a few times and pretty soon your questionnaire morphs from the minimum required information into a sprawling document taking third parties many hours to complete. What’s worse? Many times, the questions become overly broad or unreasonably invasive. The point of due diligence questionnaires is to get the information you need to make a decision, not to get the full life history of everyone working at the potential third party.
What to do about it: Go through every question on your current due diligence questionnaire. Ask yourself, "Is this needed to do my review?” For instance, yes, you do need the address of the third party and the name of the ultimate beneficial owners for sanctions check purposes. But do you need banking information? What about business references? Is anyone calling them? What about knowing whether or not the third party’s books are audited? Is that going to change the approval decision? If not, leave those out.
Mistake No. 4: The business can approve third parties with red flags with no compliance oversight.
“The business owns compliance” is a very popular sentiment these days in the compliance world, and, to a degree, it’s true. However, this idea can be taken too far when it comes to trusting the business to resolve red flags without the oversight of the compliance personnel. After all, it’s compliance’s job to know about compliance issues and red flag resolution. The business already wants to use the third party with a red flag – the fox shouldn’t be watching the hen house.
What to do about it: Ensure that someone in the compliance team is assigned to the final evaluation of red flag clearing. Allow the business to gather information and participate in remediation recommendations, but make sure the final decision is compliance’s to make.
Mistake No. 5: No one is responsible for reviewing the answers in the due diligence questionnaire.
Once the third party goes through all the trouble to complete the due diligence questionnaire, someone at the company must be champing at the bit to review it, right? Frequently, the answer to that is no. All those people clambering to add questions to the DDQ are suddenly nowhere to be found when it comes to reviewing whether each third party has, for example, at least two ISO certifications.
What to do about it: First, make sure your DDQ only includes critical questions (see mistake no. 3). Next, ensure that someone is assigned the review of the DDQ. If there are specialty questions, ensure the right person at the company is required to review the answers and sign off. For instance, if every vendor accessing personal data needs to answer three additional questions that must be reviewed and approved by IT – make sure a specific person in IT reviews and approves those answers.
Mistake No. 6: The attestations are impossible.
A popular line in attestations is “We attest that we have never, ever, ever broken any kind of law ever before and will never, ever, ever do so in the future.” Come on. That just doesn’t work. Most of the employees at the third party were probably speeding on the way to work. These overly broad attestations create a problem, as most of them can’t be edited. The worst ones have third parties lying before they even start the relationship.
What to do about it: Keep your attestation reasonable. Ask third parties to tell you important things. Ask them to attest that they will tell you if they become the subject of an investigation or are charged. Ask them to attest that they won’t bribe anyone on your behalf or work through a third party to do so.
Mistake No. 7: Third parties are required to fill in the same information on multiple systems for multiple due diligence processes.
Your poor third parties are suffering fatigue from filling out their name in ten systems. And then their address. And then their email address. And then…
To a certain degree, it’s understandable. There are different systems to manage different risks. But when it takes third parties hours and hours just to get through onboarding, that’s a problem.
What to do about it: Work with the other risk managers to incorporate information sharing as much as possible. Ask software vendors if their products can talk to each other using an Application Programming Interface (API). See if it is possible to combine the various due diligence questions into one system. Make it as streamlined as possible.
Mistake No. 8: Believing that a written policy and one email means that everyone knows and understands the program.
We can’t be blamed for thinking everyone knows about our third-party program. After all, the business received an email about it last year and attended a ten-minute training two years ago when it launched. They know they need to process third parties through the system, right? And they will remember when to do so. Right?
What to do about it: At a minimum, make training and/or communications an annual event for people who are likely to choose in-scope third parties. Perform targeted training or send them communications specifically highlighting the program and its requirements. Follow up with them once a year to make sure they’re clear on the process. Don’t believe that because a policy exists that people know about it or are going to follow it without prompting.
Mistake No. 9: Employing the one-and-done approach without performing re-screening or ongoing monitoring.
It’s always best not to contract with a bad third party in the first place. Terminating a relationship is harder to do once the business starts to flow. Many companies review third parties only at the initial contracting phase. That’s a problem, because good companies go bad. What’s worse? Sanctions change daily, and a company or person who was clear yesterday may have massive red flags today. The one-and-done approach isn’t defensible.
What to do about it: Use a risk-based approach for continuous monitoring. Many companies re-review low-risk third parties every three years, medium-risk third parties every two, and high-risk third parties every year. At the very least, take a sampling of your third-party universe to re-review periodically.
Mistake No. 10: Not clearing out and archiving unused third parties.
One medium-sized company I worked with thought they had over 17,000 third parties. They thought that until they did a data clearing so they could see only those active in the last 18 months. The result? There were only 3,000 active third parties. That made the due diligence requirements much more manageable!
If you’ve got garbage data, then you’ll have garbage reporting. Taking a risk-based approach and gathering insights is impossible if you aren’t looking at a true representation of the third parties currently operating for your company.
What to do about it: Work with the finance department to get a list of recently active third parties and cross-check it against your current database. Archive the third parties that aren’t in use anymore to keep the records.
Running a good third-party program is hard, but it is much easier to do so successfully if you avoid these mistakes. Implementing these solutions will take you far in creating an effective, efficient and defensible third-party program.
To further explore best practices for overcoming these key challenges, watch my full webinar on managing third-party business relationships today.