
TPRM expert: ‘Have contingency plans’, on dealing with risk exposure from Russia

Third-party risk management (TPRM) must be at the top of businesses' priority lists if sanctions enforcement is the Department of Justice's (DOJ) top concern following Russia's invasion of Ukraine.

After all, a business is accountable for the actions taken on its behalf by its supplier. Additionally, the risk landscape expands exponentially when those suppliers hire their own suppliers to perform the services you have hired them to perform. Prudent companies are preparing to end relationships that pose more risk than they can bear and figuring out where the lines need to be drawn in order to protect themselves.

Understanding the criticality of your third parties is the key to coming to those conclusions, Melanie Gallagher, head of TPRM at financial software provider Intuit, said at Compliance Week's TPRM Summit, which was held last week in Chicago. She advised businesses to exercise greater caution when dealing with crucial third parties during periods of increased scrutiny and to maintain flexibility when dealing with suppliers who have connections to high-risk nations.

According to Gallagher, "if you understand if there’s anything critical going in any of these regions or in Russia, then you need to make sure you have contingency plans and you’re doing scenario planning. ‘Do I have a backup? Is this the sole supplier? What happens if anything goes wrong here—am I prepared to deal with that?’ … You can do scenario planning, say what’s the worst thing that can happen, and think through how you would deal with that."

The worst-case scenario is currently taking place for some compliance departments. Budgets that were probably already under-resourced are being stretched thin by the increased focus on sanctions compliance, inflation, and supply chain issues.

The silver lining, according to Gallagher, is the opportunity to persuade business leaders that now is the time to invest in compliance. Being "regulator ready," she explained, means demonstrating and documenting decision-making processes and making sure "you’ve made a reasonable effort at putting into place an effective compliance program." The DOJ's top officials have made no secret that resource support is one of the key factors they consider when making enforcement decisions.

If you can, Gallagher advised, include the chief information security officer, chief procurement officer, and chief compliance officer on a risk governance committee. She said, "you’re sharing these risks and you’re making these decisions as quickly as possible with as much information as possible."

Gallagher added, "To be nimble, you have to be informed."

Defining the scope's parameters up front is a good way to manage third-party risk. When it came to her company's onboarding procedure, Gallagher observed the following at Intuit:

"We asked at the time of onboarding, ‘Do you plan on outsourcing any of the activities related to this engagement we’re about to contract for?’ I thought, ‘Great, we have that question,’ but then I ran a report, and I think 90 percent of the answers were blank," she said. "We ask the question, but clearly it’s not mandatory."

A company can keep one hand on the wheel of its crucial engagements by finding the answer to that question. Gallagher declared, "I don’t have to allow [outsourcing]. I can say in the contract either we’re not going to permit any outsourcing or we’ll permit it but we need to be able to review and approve. … If I have a critical third party, I would want to understand how they manage their third parties."

Gallagher pointed out that there is a danger in knowing too much. "If you ask for information and now you have it, you’re obligated to do something about it," she said.

To fully comprehend all the information you are given, including the names of potential fourth parties, it is imperative that you collaborate with your crucial third parties. From there, the proper levels of diligence can be decided.


