A proactive approach to third-party compliance

CorporateGovernor newsletter
In today’s highly competitive business environment, most organizations rely more heavily than ever on contract-based relationships to gain an advantage. Companies depend on a wide range of outside business partners, licensees, vendors and service providers to control costs, generate revenue and meet other management objectives. While these contracts help organizations reach their goals, many organizations do not consider the array of risks the agreements represent.

Today’s companies face risks from all angles and at all times: data breaches, corruption, fraud, financial mismanagement, business interruptions and, above all, regulatory risk. Regulatory risk is a greater threat than ever. In Grant Thornton LLP’s 2014 Chief Audit Executive Survey, 62% of audit executives rated regulation as having a significant impact on their organization’s growth, and 73% include regulation in their audit plan. Regarding third parties and vendors, 57% of respondents rated them as having a significant impact, and 67% include these partnerships in their audit plans.[1]

In this environment, companies must be vigilant in managing how emerging risks affect their third-party relationships and the contracts that govern them. For example, data privacy and security may not have been a major concern a few years ago, but companies are now subject to numerous rules and high-stakes penalties. In many cases, a poorly written contract, or the absence of contracts that address all relevant risks, can put an organization in a precarious position. Even if your organization currently has a strong compliance program, emerging risks can make its contract compliance controls ineffective.

So how should your company react to continued regulatory change and the risks it may pose to third-party relationships? Grant Thornton recommends that organizations adapt to change proactively to protect their strategy and objectives, and to keep third parties from undermining their overall compliance efforts.

Here are three steps to take to evolve your third-party contract compliance program to proactively address regulatory and overall business risks.

1. Evaluate the current contract compliance program.
Engage the internal stakeholders concerned with risk mitigation: legal, internal audit, supply chain/procurement, and finance. Clearly document the contract compliance process, evaluate it, and review the results with those stakeholders. Discuss whether the program addresses both the current and the emerging risks affecting the business. Historically, relationships with third parties have not been evaluated as often as they should be. Many companies never revisit and update older contracts, which leaves a significant amount of exposure.

Next, determine which internal and external changes affect risk, and identify deficient practices and control weaknesses. This means understanding the risks, the conflicts of interest, and the relevant policies and procedures. For example, with the passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act, bribery and corruption became a focal point of risk for organizations. Companies quickly recognized that they needed the right controls to mitigate bribery risk, monitor operations and train their employees. But what happens when a third party they do business with violates bribery or corruption rules overseas? Many companies neither assess these risks nor build controls into the contractual relationship that keep a third party’s violations from being passed back to the company.

With the fast pace of regulatory change, companies need to consider not only current requirements but also what might come next. They must proactively monitor changes in legislation, statutes and industry trends to stay ahead of the compliance curve and avoid the headache of a reactive posture. For example, will regulators issue new requirements after the massive data breach at Target? No company has a crystal ball, but compliance initiatives and audit programs should reflect both known and anticipated regulatory requirements to the greatest extent possible.

Another consideration is emerging markets, which can expose companies to risks that their current contract compliance programs do not address. With emerging economies expected to dominate global growth, succeeding in these markets has become a strategic imperative. Yet doing business in uncertain markets creates new risks. Companies need to identify and manage each country’s key compliance requirements, understand their full global risk profile, and assess the risks of their global footprint.

Understanding business partner relationships is essential to identifying these risks. In many cases, channel relationships are unclear and inconsistent across the organization. Companies need to ask numerous questions to identify the types of channel partners they use, those partners’ practices and behaviors, and the entities they in turn do business with, in order to understand the risk each poses. When assessing that risk, consider the business framework in which the company operates and look at every area: sales, operations, supply chain and so on.

2. Redesign (or design) the program.
Once an organization has thoroughly evaluated its existing contract compliance program and inventoried existing and likely future risks, it is time to develop a detailed master plan. In many cases this will be a redesign of an existing program that is not sufficiently comprehensive; in others it will mean designing a new program. Either way, it is critical to establish management ownership and program leadership so that the program has sufficient authority and support. This is also the time to write or rewrite clear and comprehensive policies, procedures and processes for the program, and to incorporate an analytical framework for assessing risk factors and strategic direction.

Keep in mind that a compliance program needs to strike the right balance between having a formalized process for evaluating relevant risks and being flexible enough to adapt to change. As external and internal risks impact the company, the compliance program needs to evolve.
Sidebar: Overcoming organizational resistance to change[2]
Companies must have the flexibility to react and make the necessary adjustments to their contract compliance. Doing so requires organizational buy-in and support for the compliance program and its objectives. Here are the key communications that need to take place both up and down the organizational ladder:

Communicating with senior management
•    Communicate directly with senior executives.
•    Customize your communication plan to the audience.
•    Highlight key issues, risks and exceptions.
•    Understand management concerns.
•    Develop audit governance.
•    Focus on improving processes.
•    Agree on remediation plan with stakeholders.

Communicating with middle- and lower-level management
•    Provide direction and training.
•    Highlight pending tasks and review audit objectives.
•    Ensure a single point of accountability.
•    Analyze technical capabilities.
•    Break down key issues to sub-issues.
•    Provide clear escalation guidelines.
•    Develop tailored recommendations.
•    Review the results from several angles to surface areas of concern.

This stage is also the time to begin managing organizational resistance to change. For the program to be embraced and accepted throughout the organization, global coordination must be smooth and must engage local teams. Successful change relies not only on leadership from above but also on buy-in from middle- and lower-level management. (See the sidebar, “Overcoming organizational resistance to change.”) Two questions to ask:

  • Has the need for change, and the company’s strategy, been communicated to all levels of the organization?
  • Are initiatives consistently aligned, and is ongoing communication provided about organizational progress and success?

3. Implement and constantly monitor to evolve and adapt.
A proactive contract compliance program stays ahead of risks as they emerge, which requires redefining the company’s approach and policies as needs change. This cannot be a “set it and forget it” program. Adapting it requires reporting structures and automated data collection that support structured communication and status reporting. The program should then be revisited regularly, and whenever issues arise. Companies need to monitor their contracts continuously and be ready to make process changes.

Technology and tools such as data analytics and business intelligence, performance measurements and risk indicators can be extremely helpful in maximizing results and supporting decision-making. As organizations amass ever larger volumes of data, these tools can help them harness that data to inform decisions about risk and improve the customer experience.

Moreover, companies need to be aware of the implications of technological innovation for data security and privacy, for financial reporting processes, and even for the viability of their business model. This requires regularly reassessing the company’s policies and procedures against new and pending laws, regulatory changes, regulator reviews and other ongoing developments.

The pace of competitive, regulatory and technological change continues to accelerate, so companies need robust and adaptive contract compliance programs to ensure that third parties do not expose them to unmanaged risk. To be prepared for continually changing and fast-growing regulatory risk, a compliance program must balance a formalized process for evaluating every risk relevant to the organization against the flexibility to adapt to changes in the external environment or in the strategic direction of the company and its stakeholders. Ultimately, as external and internal conditions change, the contract compliance program must evolve. If it does not, it simply is not protecting the enterprise from risk.

[1] CorporateGovernor white paper, Keeping third-party risk in check
[2] For more information, see the APQC best practice report, Transformational change: Making it last, championed by Grant Thornton.