Balancing the needs of procurement and the needs of compliance
Compliance can often be labelled as a roadblock or hurdle to doing business. There is the idea that compliance professionals and lawyers are there to slow down the process, take resources and be the lifeguard for the remaining fun seekers and deal makers in the pool. As we all know, the pool can be more dangerous (and more fun) when there aren’t the rules of “no running”, “no jumping” and the ubiquitous “no horseplay”.
Instead of thinking of compliance as a roadblock or hurdle to overcome, I (and others) prefer the analogy that the compliance function is like the brakes on a car. Sure, the brakes make the car go slower at times but, sometimes, slower is a good thing. The better, bigger and stronger the brakes are on an F1 race car, the quicker it can take turns and navigate tricky sections of the track. Without the brakes on a car, it would have to slowly putter around the track because it can’t go fast, can’t slow down and is essentially out of control and at the mercy of its own momentum. The car without the brakes is at a competitive disadvantage. Also, what happens to a brakeless car when it needs to make a pit stop or when the race ends?
Changing this mentality from roadblock to brakes is an important (and large) endeavour, but there are some smaller victories to be found when working with other departments. The department alliance that matters most when it comes to risk management of third parties is procurement.
Third party risk management is at the top of the priority list for many compliance professionals, as some of the largest fines have been the result of malfeasance involving outsiders. Companies these days typically have a decent grasp on controlling the compliance-related actions of their own employees, but trying to manage, or even know, the risks presented by third parties is often an unknown and daunting topic. Some dangers presented by third parties include an agent paying a bribe to a government official to win a contract for your company, travel agencies being used to mask the giving of elaborate gifts, suppliers using child labour, or a third party’s poor controls leaving your company exposed to a data breach. The list of ways that your third parties can hurt your company is a very long one.
When dealing with these third-party risks, procurement is a key ally within your company. However, there are often, although not always, some differences in priorities:
[Figure: Venn diagram of some of the main Compliance vs Procurement priorities]
This is not to say there aren’t other priorities for these groups, but these are at least some of those at the top of most lists. Some of these priorities could be seen as opposed to each other: minimise reputational, integrity and legal risks versus obtain goods and services at the lowest prices. It takes extra time and resources to have a third party fill out a questionnaire, possibly translate the responses, review the responses, assign a risk rating, conduct due diligence, chase down missing or confusing information, obtain the necessary approvals, document the process, etc. This process is often duplicated across multiple departments at a company and can add weeks to the onboarding process. There needs to be a balance between the two sets of priorities.
There is also the question that is either in the back of someone’s mind or boldly spoken at a meeting: “We’ve been doing all these extra compliance checks for months but haven’t rejected any third parties yet based on those findings or found anything else too serious. Why are we continuing to spend our time and money on all of this?”
Here is why:
- The current process you are using might not be looking in the right areas – While it can be a good thing that you haven’t had any major red flags raised during the onboarding process, it could just be that you aren’t asking the right questions. For example, do you ask about any litigation in the past 5 years for the company? What about for the key principals? Who are the beneficial owners? Does the ownership have ties to a government agency? Does the third party know all of this information for its own third parties (i.e. your 4th parties)? If you ask different questions you might discover more risks.
- Your risk tolerance is too high – Depending on when or how your programme was initially set up, there could be no red flags because risks aren’t being rated highly enough. It is typical for a substantial portion of a third party’s risk score to be derived from its country, type of work (agent, supplier, etc.) and risky behaviour or operations (government dealings, under investigation, etc.). If the scoring mix for these major factors is off, you aren’t going to see the flags you should. Calibrating this risk score formula is part art and part science; it can take time, trial and error or outside assistance to get it just right.
- Your risk tolerance is too low – Not all third parties need to go through the exact same process. For example, you don’t need to spend 40+ hours doing litigation checks, reputation checks and background investigations for a low-risk party. It would be nice to have those kinds of resources, but even if you did, it would not be an effective use of time. Look to build “early exits” into the onboarding process. Third parties that are really and truly low risk don’t need to take up too much of your time. A low-risk party typically operates in a low-risk country, has a low spend, has no red (or even yellow) flags in its operations and generates no hits when run through a watchlist. Move these through the system quickly, document it and move on with your life.
- The government says you have to – There are numerous cases where the government has made it a near requirement for companies to know who their third parties are. If the dark day comes when the DOJ, SEC, Serious Fraud Office or another government agency comes knocking, you will wish you had a robust programme in place.
- What’s the alternative? – Not meant to be sarcastic, but ask what an alternative solution to address the risks posed by third parties would be. At times, “the business” can have some solid ideas on how to improve the system. Listen to them and improve it. Also make sure that they understand what is expected by the government at the same time.
At the end of the day, you’re all in this together. The compliance department is not the “risk-owning” department at a company; the business owns the risk. In the above Venn diagram of compliance versus procurement needs, the intersection of the two circles is a successful and profitable business doing work that you can all be proud of. Approach the discussion as one of collaboration and of addressing the risks of the business holistically.