Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Michael Volkov,
CEO and Founder of The Volkov Law Group, LLC
WITH:
Loren Johnson,
Senior Manager Product Marketing, NAVEX Global
Tanya Stricker,
Senior Manager Demand Generation, NAVEX Global
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
CONTENTS
INTRODUCTION 2
How to Use This Report 2
How This Report Is Different 3
How Do We Define “Third Parties”? 3
What Is Third-Party Risk Management & Third-Party Due Diligence? 3
1
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
INTRODUCTION
In 2018, NAVEX Global partnered with How to Use This Report
an independent research firm to survey
This analysis reflects the perspective of ethics
professionals from a wide range of industries
and compliance professionals on the importance
about their approach to building an effective
of third-party risk management as part of an
ethics and compliance (E&C) program.
overall ethics and compliance program. The
The findings in this report are based on survey data presented provides important insights,
results from 1,200 respondents who influence benchmarks and trends needed to make informed
or manage their organization’s ethics and decisions on how to improve your own ethics
compliance programs, and from approximately and compliance program. By providing a picture
500 of the 1,200 respondents who influence or of E&C program trends and insights, this report
manage the third-party risk management function outlines how third-party risk management fits
within their organization. (See respondent profile into overall activities. In this report, we analyze
in the next section for additional details.) the performance of third-party risk management
programs within the larger context of a complete
This report provides insights and analysis of ethics compliance program.
and compliance programs and specific third-party
risk management questions including: This report can help you:
△△ What are the top priorities of ethics △△ Assess and benchmark your organization’s
and compliance programs? ethics and compliance program.
△△ What resources are dedicated to ethics △△ Review your ethics and compliance program
priorities and effectiveness in comparison to
and compliance programs?
factors identified by respondents summarized
△△ How do respondents measure the in this report.
effectiveness of their ethics and
compliance program?
△△ Determine whether your third-party due
diligence screening, monitoring and risk
△△ What factors influence ethics and mitigation practices are protecting your
compliance program performance? organization or exposing it to risk.
2
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
We hope the insights presented here will △△ Agents: international intermediaries, domestic
provide the inspiration, justification and direction agencies, local advertisers and marketers
necessary to make key decisions about the future
of your organization’s approach to third-party
△△ Vendors: data vendors, maintenance,
on-demand service providers, offshore
risk management.
service providers
3
NAVEX Global | Protecting Your People, Reputation and Bottom Line
SURVEY
RESPONDENT
PROFILE N=503
Job Function
Ethics & Human Resources, Legal Internal Audit Risk Management Other
Compliance Employee Relations
21%
Large: 5,000 + Employees
40%
Medium: 501 - 5,000 Employees
39%
Small: < 500 Employees
41% Decision Maker 59% Influencer / Advisor
Location of Headquarters
14%
70%
Europe 5%
North America
1%
1% MIddle East
Asia Pacific
Caribbean
1%
Central America 5%
3%
Africa
South America
Industries
Manufacturing 12%
Educational Services 7%
Retail Trade 3%
Construction 2%
Public Administration 2%
Utilities 2%
Wholesale Trade 2%
Other Services 2%
Other 18%
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
EXECUTIVE SUMMARY
NAVEX Global produces a series of market As confirmed in this report, our comprehensive
benchmark reports throughout the year on multiple survey found that the objectives of an ethics
ethics and compliance topics – whistleblower and compliance program and a third-party risk
hotlines and incident management, policy management program are closely aligned – both
management, compliance training and third- share the objective of advancing the organization’s
party risk management. Each report captures a culture of integrity, ethics and respect (page
peer-generated, state-of-the-market view that is 14). This finding reflects the growing emphasis
unavailable elsewhere. Combined, these reports ethics and compliance programs have placed
deliver a comprehensive picture of the global on corporate culture and ethics over the last few
ethics and compliance marketplace, trends and years. Our survey and report bolsters recent trends
best practices. showing that corporations have recognized the
inextricable link between ethical culture, reduced
For this year’s third-party risk management report,
employee and third-party misconduct, and
we collected information on respondents’ ethics
financial performance and sustainable growth.
and compliance programs as well as data specific
to third-party risk management programs. This In this context, an effective third-party risk
holistic perspective focuses on the overall ethics management program is a critical component
and compliance market and includes insights to ensure that an organization’s reputation is
on a range of specific issues relating to third- protected from third-party misconduct and
party risk management. aligns third parties to the values, ethics and risk
management approach of the organization. Yet,
Our approach targets issues surrounding how
while ethics and compliance program leadership
third-party risk management fits into overall ethics
may have broad visibility into the behaviors and
and compliance programs. No one doubts the
efforts within their own organizations to build and
importance of addressing third-party risks as part
nurture strong, positive cultures, few organizations
of an E&C program. While third-party risks are
have the same level of visibility into their third
certainly one of the major risks, organizations face
parties. For many, the need to align their third
a variety of risks and are forced to prioritize risk
parties to organizational values reinforces the
mitigation strategies within a broader context.
importance of an organization investing in and
In this process, organizations have to identify
maintaining a best practices, high-quality third-
efficient and effective ways to mitigate third-
party risk management program.
party risks. Our report specifically addresses this
important issue with relevant data points, trends Consistent with this key finding of our report,
and observations, and identifies several important respondents also cited two other significant
factors to consider in managing third-party risk. objectives of their third-party risk management
These factors include maturity of the third-party program – implementing preventative measures
risk management program, adequate resources to avoid future issues or misconduct, followed
and budget, and reliance on software and by navigating and complying with laws and
automated solutions. regulations. Both of these objectives reflect
6
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
7
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
8
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
9
NAVEX Global | Protecting Your People, Reputation and Bottom Line
KEY FINDINGS
1: Foundational Data
As noted in the executive summary, this report Full-Time Employees
includes data and analysis relating to ethics
and compliance programs and third-party risk Organizations are required to dedicate adequate
management practices based on the responses of resources to their ethics and compliance program.
1,200 industry professionals. This section provides The number of full-time (or equivalent) employees
foundational information about how organizations assigned to E&C teams and a dedicated budget
approach ethics and compliance strategies today are essential indicators of an organization’s
and trends within the market. commitment to program success.The results
outlined below were generated from respondents
This information provides the backdrop against to the survey questions relating to ethics and
which third-party risk management programs compliance program management.
are designed, implemented, measured for
effectiveness and improved. Of the 1,200 Interestingly, the results discussed below confirm
respondents, approximately 500 individuals a continuing trend noted in prior benchmark
completed a specific section of the survey focused reports – organizations that maintain a dedicated
on third-party risk management. The third-party compliance program budget and assign additional
risk management questions were designed full-time employees also have a dedicated budget
to develop insights relating to third-party risk for third-party risk management and are increasing
the assignment of full-time employees to third-
management market and program trends.
How Many FTE (Full-Time Employees) or Equivalent are Assigned to Your E&C Program?
5 to 10 17%
1 to 4 50%
Fewer than 1 9%
33: Q10_How Many FTE (Full-Time Employees) or Equivalent are Assigned to Your E&C Program?
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
party risk management. This trend may reflect and performance improvements. The absence of
that third-party risk management duties are being a budget framework complicates an organization’s
executed within the organization’s ethics and ability to identify relevant risks and implement
compliance program. We will continue to monitor effective mitigation strategies to maintain regulatory
this trend and the consolidation of third-party risk compliance. The inability to retain and grow
management responsibilities from other functions experienced ethics and compliance professionals
(e.g., procurement, supply chain management) due to a lack of budget forces organizations
into ethics and compliance programs. to reinvent or repeat program planning and
implementation every few years. As a consequence,
As we have seen in our prior benchmark reports,
E&C programs fail to mature or evolve. This
the performance and program maturity of an
disconnect is even more disturbing given changes
ethics and compliance program is significantly
in the organization’s risk profile. Defining a budget
influenced by the number of full-time employees
allows organizations to consistently know where they
dedicated to a program and the budget.
stand and build long-term strategies independent
of employee retention.
Program Expenditures
The good news is that budgets for third-party risk
An organization that maintains a dedicated
management are slated for the largest expected
budget for its E&C program is committed to
increase in funding among ethics and compliance
compliance. Twenty-three percent of respondents
program components. Just over one-quarter (27%)
reported they have no dedicated budget for its
of the respondents indicated that their third-party
ethics and compliance program. We observed
risk management program expects to see at least
a similar result in last year’s third-party risk
a 10 percent budget increase in the next year.
management report.
12
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
What is Your Dedicated Annual Budget for E&C, not Including Employee Salaries
(in U.S. Dollars)?
$1-50,000 41%
$50,001-100,000 11%
$100,001-250,000 10%
$250,001-500,000 6%
$500,001+ 9%
How Will Your E&C Program Budget Change in the Next Year?
31: Q8_What is Your Dedicated Annual Budget for E&C, not Including Employee Salaries (in U.S. Dollars)?
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Base: Respondents involved in decisions for specific E&C programs, n=556-748.
32: Q09_How Will Your E&C Program Budget Change in the Next Year?
13
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
02: Q12_Which E&C Program Objectives Are Most Important to Your Organization Over the Next 12 Months?
14
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Analysis: The results reflect an important As noted in the executive summary, we continue
trend in ethics and compliance programs and to see the rise in the importance of third-party
third-party risk management – organizations risk managers in ethics and compliance
are recognizing the importance of promoting programs. As these professionals take on greater
an ethical culture. This year’s results reflect responsibilities, they usually have a dedicated
an important transformation in E&C program budget for their function and exercise increased
objectives. In past years, the top objective was to decision-making authority.
avoid legal and regulatory enforcement matters.
The increase in, and consolidation of, third-party
This perspective has evolved. This year, both ethics
risk management responsibilities into ethics and
and compliance and third-party risk management
compliance programs is a natural development
professionals indicated that their top objective is
as regulations and enforcement agencies expect
their organization’s ethical culture. It is clear that
organizations to expand their programs to
ethics and compliance professionals understand
manage and mitigate third-party risks. As part of
the importance of an ethical culture to a company’s
this overall responsibility, ethics and compliance
overall financial performance and sustainability.
programs share their company’s code of conduct,
Third-party risk management plays a critical role
implement ethics training and other program
in promoting and protecting a company’s ethical
elements with their third parties, and often require
culture from third-party misconduct.
attestation to policies and behavioral expectations
before agreements can be completed.
15
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Top Program Concerns control (28%), conflicts of interest (25%) and anti-
bribery (21%) round out the top five concerns
Findings: Ethics and compliance departments face identified by respondents.
a broad array of risk in today’s global economy
and regulatory framework. According to our survey △△ Organizations with more than 5,000 employees
respondents, E&C professionals are most concerned identified anti-bribery and fraud as top concerns
about implementing an effective business code of almost three times as often as small organizations
conduct (46%) and responding to cyber security with fewer than 500 employees (35% vs. 12%)
events (44%). Procedure management/quality and nearly two times as often as midsize
organizations with 500-5,000 employees (19%).
Which of the Following E&C Topics Are Top Concerns in Your Organziation?
Procedure Management /
Quality Control 28%
Anti-Bribery and
Corruption / Fraud 21%
Social / Environmental
Responsibility 14%
Financial Integrity
7%
and Insider Trading
Anti-Money Laundering 7%
Workplace Violence 6%
16
NAVEX
03: Q17_Which of the Following Global
E&C Topics Are| Top
Protecting
ConcernsYour People,
in Your Reputation and Bottom Line
Organization?
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
△△ Organizations with fewer than 500 employees require third parties to attest to its understanding
identified procedure management/quality of its obligations under the code of conduct.
control as a top-three concern more than An organization has to infuse its procedures for
larger organizations (37% vs. 29% 500-5,000, onboarding, monitoring and auditing its third
15% >5,000). parties with robust reinforcements of its ethical
culture and its commitment to integrity.
Organizations with $1 billion in revenue were
more likely to indicate cyber security and data Cyber security is a constant high-risk concern to
privacy as a top concern than lower revenue or ethics and compliance professionals. While cyber
government/non-profit organizations (53% vs. security risks pose significant potential harm from
36% and 45% respectively). outside actors who are dedicated to launching
sophisticated cyber-attacks, organizations are
Analysis: Reflecting the recent focus on ethical
fighting back with encryption to protect against
culture and integrity, respondents identified ethics
such attacks. However, companies continue to face
and code of conduct as their top concern (46%).
significant risks through internal actors who may
Consistent with past results, cybersecurity and data
deliberately seek to steal or breach company data,
privacy (44%), conflicts of interest (25%) and anti-
or inadvertent actors who fall prey to phishing and
bribery (21%) fell within the top five concerns.
other cyber-schemes designed to launch malware
Corporate compliance program best practices attacks. As a result, ethics and compliance
and government expectations for third-party professionals have focused on training, security
risk management programs have stressed the and awareness strategies to prevent employees
importance of providing positive incentives from falling for phishing schemes and to protect
for third parties to adhere to ethical behavior the organization from employee sabotage. Third
and compliance. To this end, an organization parties also create significant cyber security risks
can craft and disseminate an engaging code of through access to corporate data that should not
conduct – an all-encompassing policy on expected be ignored.
behaviors, compliance and reporting – and
17
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
18
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
behavioral standards and cultural change. Because to a compliance program and instrumental to an
a code reflects what matters to the organization effective third-party risk management program.
and how it celebrates its people, processes and
A risk-based due diligence program for third
goals, it should define and connect all stakeholders
parties is the lowest-ranked program element
to its mission and values, including its third parties.
in this group of responses. As noted above, the
NAVEX Global sees an optimized code of conduct
responses in this chart include every survey taker,
as the cornerstone of an effective ethics and
not restricted to those who know and manage
compliance program.
their third-party risk. The response, at 45 percent
Both enforcement agencies and organizational (representing 569 respondents), aligns to our
stakeholders expect ethics and compliance expectation for where the market is today and
programs to abide by the law and develop and how third-party risk management is evolving in
maintain a positive working environment. A code the ethics and compliance space. That said, many
is a central element of a successful program. organizations may take too lightly the damage
The second most commonly included program that third-parties can inflict on their reputation and
element, effective policies and procedures that finances by minimizing their focus or ignoring this
prohibit and reduce misconduct, is similarly central essential compliance program element completely.
19
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Other 2%
05: Q14_Which of the Following E&C Activities Will Your Organization Be Prioritizing Over the Next 12 Months?
20
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Analysis: Even though ethics and compliance That said, the program element prioritized above
professionals have a significant number of third-party due diligence are important tasks
pressing priorities over the next 12 months, it is that contribute to a more effective third-party
surprising that only 23 percent of respondents risk management program. Increasing awareness
indicated that improving third-party due diligence of policies and regulations, improving training
and oversight was one of their top three priorities. activities, supporting frontline managers on
While this response was disturbing, it may reflect responsibilities, auditing and conducting risk
the number of competing priorities to third- assessments will improve the overall operation
party risk management. Interestingly, none of the of the third-party risk management program.
responses topped 50 percent, indicating ethics
and compliance professionals face a large number
of important priorities.
21
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
22
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
23
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Rating Ethics & Compliance as Good. For each category of performance, the
Good response was the highest selected response.
Program Performance This reflects a positive attitude and approach to
Findings: Most respondents were satisfied with managing an ethics and compliance program. The
the performance of their organization’s ethics large number of positive responses may reflect
and compliance program. Less than a fifth of recent accomplishments, senior management
respondents rated their ethics and compliance support and some aspirational influence.
program performance as Poor or Fair. However,
With respect to third-party supervisors of third-party
a significant number of respondents rated
risk management programs, most respondents
measuring effectiveness (25%) and managing
assessed their programs as either Average or
third-party risks (21%) as Poor or Fair.
Good, and generally avoided an Excellent or Poor
Analysis: The survey results provide important rating. In the absence of any significant negative
insights into how ethics and compliance events relating to ethics and compliance functions,
professionals view the performance of respondents are likely to perceive that their
their compliance program. In general, E&C program is operating well enough.
professionals view their program performance
Please Rate the Performance of Your Organization’s E&C Program in the Following Areas:
Poor Fair Average Good Excellent
Developing Policies and Tracking Attestations 5% 9% 27% 43% 16%
n=1,264.
07: Q20_Please Rate the Performance of Your Organization’s E&C Program in the Following Areas
24
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Third-Party
Monitoring System 17%
30: Q23_Did Any of These Programs Help Prevent Misconduct or Ethical Violations in Your Organization in the Past Three Years?
25
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Advanced 17%
Maturing 41%
Basic 31%
Reactive 11%
26
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
27
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
extent to which businesses are dependent on greater the risk that the third-party may siphon
foreign government for commercial business off money to fund illegal activity. When an
(e.g., tenders and contracts) and regulatory organization retains a third-party to conduct
approvals and licenses increases the level of all of its business in a specific area, and the
risks when engaging a third-party. third-party may be responsible for a large
△△ Type of third-party. Some types of third- amount of the organization’s revenue, the
organization’s level of scrutiny over the
party relationships create more risks than
third-party should increase.
others. While the specific level of risk will
vary depending on the mix of various factors △△ Historical engagement with that third-party.
discussed herein, some third parties create An organization’s historical relationship with
higher risks because of the nature of their a specific third-party should be reviewed as
operations. In most cases, commercial agents, a separate risk factor. If there were red flags
distributors and resellers tend to represent identified in prior reviews, the organization
higher risk than consultants and contractors. should review the history of the company’s
△△ Financial commitment of the engagement. relationship with the third-party, the performance
of the third-party and the occurrence of any
Third parties that assist in generating significant
unusual events during the relationship.
revenues and large contracts create higher
risks because they have more opportunities A key component of an effective third-party
to use money for illegal purposes. As a result, risk management program is the specific risk
the higher the revenue earned by a third-party assessment of each third-party, the measurement of
on behalf of the engaging organization, the such risk, and an ability to rank third parties based
500 to 999 7% 8% 7% 8% 5%
28
10: Q24_How Many Third Parties Does Your
NAVEX Organization
Global Engage
| Protecting YourWith?
People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
on a risk calculation. Such a structure ensures that When conducting due diligence, an organization
the organization is able to stratify risk among the may identify one or more red flags during the initial
organization’s entire third-party risk environment. business justification, a preliminary risk assessment,
or during screening or monitoring. A risk-based
This is reinforced by the Department of Justice’s
automated program can help identify and reveal
(and Securities and Exchange Commission’s)
red flags. Depending on the nature and significance
Resource Guide to the U.S. Foreign Corrupt
of red flags, the organization can review its risk
Practices Act that states the nature and extent of
policies, procure additional relevant information
third-party risk should determine how the engaging
and decide whether the red flag is a deal killer
organization identifies, manages and mitigates that
or not. Deeper analysis may negate the red flag,
risk. A successful risk-based program, built on a
or it might show that the risks are not related to
comprehensive understanding of where third-party
the existing engagement. Importantly, engaging
risk lies, allows organizations to reasonably allocate
organizations must make an educated decision
resources to higher risk situations.
based on reasonable assurances and actions taken
As we noted in last year’s report, we often receive to reduce the risk and protect the organization.
questions about whether organizations should
When addressing red flags it is important to make
engage high-risk third parties. In some cases, the
sure the decision to engage is logical, consistent
engaging organization may find that there are
with handling of other third parties and well
no reasonable alternatives. And retaining a high-
documented. A red flag that is overlooked because
risk third party can be justified provided that the
of insistence from a high-level executive or
organization applies a robust due diligence review
circumvented because a foreign official may have
based on an accurate risk-ranking, monitors the
recommended the third party will create significant
third party’s conduct and reputation and audits
risks of misconduct and government enforcement.
the third party.
26% to 50% 6% 4% 5% 7% 8%
12: Q25_What Percent of Your Third Parties Do You Consider to Be High Risk?
29
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
What Are the Top Three Challenges for Your Third-Party Risk Management Program?
Reactive Basic Maturing Advanced
n=53 n=149 n=197 n=80
Consistently Monitoring
Third Parties
53% 42% 60% 53% 50%
14: Q26_What Are the Top Three Challenges for Your Third-Party Risk30
Management Program?
△△ A sizeable number (39%) of organizations their third parties. Reactive and Basic programs
managing 100 or more third parties indicate are chronically lacking in resources and budget
the volume of third parties they manage is a authority to devote to implementing an
top challenge. effective third-party risk management program.
Alternatively, mature programs are challenged by
Analysis: The top challenge cited by responding
different issues – the number of third parties they
organizations (53%) is consistently monitoring
manage, training, monitoring and the complexity
third parties. On page 34 of this report, we note
of due diligence program requirements.
that 61 percent of respondents report monitoring
their third parties. Though nearly two-thirds of When implementing a robust third-party risk
respondents monitor their third parties, half of the management program, most organizations
respondents find it challenging to do so, but more underestimate the number of third parties they
than a third of respondents believe that monitoring engage, especially when they consider agents,
third parties is an important priority. resellers and contractors, and the level of risk
each of these types of third parties create. Nearly
The FCPA Guidance cites continuous monitoring
20 percent of our respondents engage 5,000
as a key element of an effective third-party
or more third parties. That is a large number to
risk management program. However, it does
scrutinize, assess and manage.
not specify how such monitoring should be
conducted. Given the absence of specific A small number of respondents indicated that a
directions, organizations struggle with execution lack of clear guidelines from regulatory agencies
of monitoring programs. is a top challenge. Enforcement agencies in the
U.S. and UK in particular have been issuing more
In terms of program maturity, the survey found
guidance, explaining how they evaluate ethics
that Reactive and Basic programs struggle with
and compliance programs and third-party risk
a lack of internal resources, training third parties
management programs.
on policies and expectations and monitoring
31
NAVEX Global | Protecting Your People, Reputation and Bottom Line
Third-Party Risk Management Programs Continued
fact that 69 percent of Advanced programs and As explained in the FCPA Guidance, a third-party
45 percent of Maturing programs are building a risk management program is incomplete and
robust risk-based program. Aside from these unable to effectively accomplish its purpose if the
positive developments, the survey results revealed engaging organization does not screen all of its
that there are still a number of organizations with third parties consistently and comprehensively.
Reactive programs that do not classify nor assign There is no way to accurately risk-score third parties
risk levels to third parties. The three-quarters of and to identify and stratify their respective risks
Reactive programs that don’t do anything currently unless all data points are reviewed. Risk data allows
to address third-party risks reflects a lingering organizations to gain visibility across third parties
group of organizations that have failed to make and unambiguously identify where their third-party
any commitment to addressing third-party risks. risk lies. With such information, organizations are
able to mitigate their risks, including conducting
A majority of all survey respondents screen and
enhanced due diligence of third parties when
monitor their third parties. Such steps are a basic
necessary. Without doing so, organizations are
requirement for any organization that engages
needlessly exposing themselves to avoidable risk.
third parties. Still, it is surprising that 30 percent
of all respondents do not perform screening, and While some may suggest that a comprehensive
nearly 40 percent of respondents do not monitor screening and risk identification process is
their third parties. impracticable for Reactive and Basic programs,
Perform Enhanced Due Diligence on Our Third Parties 41% 4% 23% 47% 85%
34
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
such an attitude is short-sighted and ignores the Third-party risk management programs are
fact that a single third-party can create significant designed to protect engaging organizations
enforcement risks and threaten a company’s from multiple forms of risk, including an ethical,
reputation. A malignant third-party can create financial or operational failure by the third-party,
risks for all the organizations with which it agency enforcement activity and reputational
interacts. Depending on the size of the engaging damage. Pursuing a consistent risk-based, third-
organization, the consequences can vary and even party risk management program that applies to all
threaten the very existence of smaller organizations. third parties that includes identifying, stratifying
There is no excuse for organizations to avoid basic and mitigating risks is a competitive and basic
due diligence procedures to manage third-party requirement for all organizations, big or small,
risks, particularly when – as seen earlier – almost Reactive or Advanced.
everybody now understands the requirements of
regulatory agencies.
35
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
36
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
What Technology Are You Currently Applying to Manage Your Third-Party Risk?
Reactive Basic Maturing Advanced
n=53 n=149 n=197 n=80
An Internally Built or Highly Manual System
(Paper-Based or Stitched-Together Software) 35% 64% 62% 17% 6%
0% 20% 40%
Base: All respondents, n=485.
Numbers may not add up to 100% due to rounding.
Please RateTechnology
20: Q29_What Your Third-Party Technology
Are You Currently Solution
Applying to Manage on the Following:
Your Third-Party Risk?
0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Base: Respondents whose organization uses a third-party risk management software, n=64.
37
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
How Do You Access the Effectiveness of Your Third-Party Due Dilgence Program?
Select Up to 3 Primary Methods.
Benchmarking Program
Performance Against Peers
13%
Other 2%
38
23: Q32_How Do You Assess the Effectiveness of Your Third-Party Due Diligence Program? Select Up to 3 Primary Methods.
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Analysis: The most common assessment assessment programs to capture and monitor the
methodologies used by third-party risk benefits of more sophisticated third-party risk
management programs employing software management programs.
solutions are periodic risk assessment and
It’s important to note that third-party risk
program audits or legal review. A software-
management programs should do more than
based third-party risk management program
reduce regulatory action. Though regulatory
centralizes management and increases program
action generates headlines, third-party failures
efficiencies. Such a program reduces the risk
can be much more damaging to an organization’s
of an enforcement action which can result in
reputation, operational integrity and revenue.
serious harm to an organization. Assessment
Assessing program performance should therefore
of a software-based third-party risk program’s
include not only an absence of regulatory action,
performance, however, should not be limited
but also qualitative measures revealed through risk
to just avoidance of an enforcement action,
assessments and audits, such as program breadth
but should encompass overall risk mitigation
and capacity, process efficiency and consistency
factors such as operational efficiencies in
and an ability to allow program leaders to
processing of third-party risk candidates,
confidently sleep at night.
and continuous monitoring and audits of third
parties. Organizations are designing robust
How Would You Rate Your Third-Party Risk Management Program Overall?
Reactive Basic Maturing Advanced
n=53 n=148 n=197 n=80
Excellent 3% 2% 1% 2% 13%
24: Q33_How Would You Rate Your Third-Party Risk Management Program Overall?
39
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Findings: Just over half of organizations (56%) Analysis: There is a significant disparity among
agreed that their third-party due diligence third-party risk management programs on the
program significantly reduces a variety of risks. overall reduction of risk depending on the
One-third of organizations (33%), however, are maturity of the program. Advanced organizations
neutral on whether their program reduces risks, observed substantial risk reduction. Organizations
reflecting a need to focus on understanding their that commit to implementing best practices and
program effectiveness. effective strategies achieve significant benefits in
risk reduction, while less mature programs still
Although the vast majority of Advanced
face major third-party risks.
organizations indicated that their risks are reduced
as a result of their program (84%), only 41 percent
of those with Basic programs and 13 percent with
Reactive programs observed risk reduction.
Rate Your Agreement With the Following Statement: Our Third-Party Due Diligence Program
Significantly Reduces Our Legal, Financial and Reputational Risks.
Reactive Basic Maturing Advanced
n=53 n=148 n=197 n=80
Strongly
Agree 13% 4% 5% 15% 30%
Neither Agree
33% 57% 41% 28% 15%
or Disagree
Strongly
Disagree 2% 9% 3% 1% 0%
28: Q34_Rate Your Agreement With the Following Statement: Our Third-Party Due Diligence Program Significantly Reduces Our Legal,
Financial and Reputational Risks.
40
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
What Damage Has Your Organization Incurred in the Past Three Years
Resulting from an Ethics Issue?
26: Q21_What Damage Has Your Organization Incurred in the Past Three Years Resulting from an Ethics Issue? Select All That Apply.
41
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Analysis: While one third-party failure can cause We further analyzed third-party-related damage
significant damage to an organization, the survey tied to other important measures in this report. For
measured how organizations viewed their risk in example, we found that of those who identified
comparison to how organizations reported third- their third-party risk at 75 percent or higher, only
party-related failures. The comparison confirmed 25 percent relied on a purpose-built solution to
that organizations that view their third-party manage their third-party risks. This disconnect is
risks as substantial reported higher risk and disturbing and reflects an organization’s failure
organizational damage. to address a real and substantial threat to the
organization and the need to target third-party
Percent of Respondents Indicating
EXPECTED RISK Third-Party Related Organizational Damage risk for mitigation.
51% or Higher 21%
In the table below, we further divide the analysis on
26 to 50% 20% expected risk, and reported organizational damage
10 to 25% 14% due to third-party risk by key industries. As we can
see, transportation and manufacturing represent
10% or Fewer 8%
elevated relative risk, yet the predominance of
None 4%
respondents expect ten percent or fewer of their
third parties should be considered high risk. Given
Of those organizations which indicated that 50 the outcomes for these industries, it is likely that
percent or more of their third parties were high for many organizations, there is a tendency to
risk to their organization, 21 percent reported underestimate third-party risk.
third-party-related damages.
42
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Given these elevated risks related to third parties, When we questioned respondents on whether
we further analyzed what steps are commonly their third-party due diligence program reduces
taken within these industries to better manage their third-party risks (page 40), 53 percent of
and reduce their third-party risk. Needless to respondents who experienced third-party related
say, it is concerning that within those industries damage in the last three years either agreed or
in which we see elevated third-party risks, many strongly agreed that their program significantly
organizations are applying paper-based or reduces their organization’s third-party risks.
stitched-together software solutions to manage This finding suggests that organizations that
that risk. Manufacturing is ahead of the game have experienced third-party related damage
by deploying purpose-built third-party risk understand and respond to such risks by
management solutions 18 percent of the time. tailoring their program to reduce such risks.
Yet, that is still discouragingly low considering Further, this result underscores the importance
the level of third-party risks we see in the of a comprehensive third-party risk management
manufacturing vertical. system to help identify and mitigate risk prior
to significant enforcement, operational or
reputational impact.
43
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
44
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
CONCLUSION
In this, our fourth consecutive report on third-party from inconsistencies with the organization’s
risk management, we see positive trends in terms risk profile, and screening or monitoring
of organizations working to pursue effective third- results. There is no legal requirement not to do
party risk management programs. business with a third party that generates an
alert or red flag. But the engaging organization
△△ Start at the right place. If your organization must be able to justify the engagement and
has not formalized its third-party risk
showcase protections and actions against that
management program, understanding best
risk should the engagement be audited or the
practice design and operations is important.
third-party fail.
Out-of-the-box, one-size-fits-all solutions
don’t work; each organization has different Finally, use a solution that’s designed and built
inherent risks. Your program needs to reflect to make your job easier. Although NAVEX
actual risks rather than assumptions. Global offers a solution designed to do so
(see the next page), beyond marketing our
The first step is to gather the right
own solution, it is beneficial to the entire
stakeholders from within the organization,
market for educated buyers to understand
including the compliance team, the legal
capabilities and demand innovations that help
team, audit, procurement, IT and others,
their organizations better manage and reduce
so everyone can understand objectives and
their third-party risks. As we see in this report,
identify and score the organization’s unique
even when organizations understand their
risk profile. That profile should steer all other
third-party risks, too many are not yet applying
processes, including scoring and prioritizing
automated and purpose-built software to
risk review, screening, monitoring and
manage and reduce that risk. Yet, the evidence
conducting deep dives to ensure the risk
of effectiveness from doing so is conclusive.
is understood and reduced.
As enforcement agencies investigate
Once the organizational risk is identified, it is
organizations for compliance with the laws and
the first sounding board against which any and
regulations, it is imperative companies are able
all third-party engagements are reviewed and
to demonstrate reasonable efforts to identify,
justified. Only after risk criteria is set should
prioritize and mitigate third-party risk. Given
third parties be approved, screened, monitored
the significant benefits to mature third-party
and engaged. The life cycle management of
risk management programs in reducing risk
third-party risk requires consistent and constant
due to consistent mitigation practices from a
review, adaptation to new requirements and
state-of-the-art third-party risk management
realities and an ability to suspend or end
solution, organizations have to embrace the
engagements where risk is unmanageable.
inevitable expectation that investing in robust
Keep in mind that many organizations do risk management solutions will become the
business with third parties that operate in high- norm for a large percentage of ethics and
risk regions or that throw red flags resulting compliance programs.
45
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
△△ Don’t do half the job. We often refer to a party misconduct and illegal behavior, even
third-party risk management program as an though the chances that such conduct could
insurance program. If an organization owned lead to an enforcement action are relatively
a fleet of automobiles but didn’t know the low. Significantly, the risk of an enforcement
inherent risk to the organization of operating action is not the key driver of risk mitigation
those cars, the organization would be at strategies – an organization’s culture and
great risk. reputation are its most valuable intangible
assets, and every incident of misconduct
If those cars were distributed through
threatens them.
third parties – agents and resellers, for
example – to distant regions of the world △△ Third-party risk management is much more
where the engaging organization could not than just avoiding enforcement actions. As
keep a watchful eye on them, and if they noted in this report, effective third-party risk
were expensive to replace and might be management programs promote an ethical
inappropriately used to service government culture, integrity and respect, while minimizing
officials, such a risk would be potentially risk of an enforcement action. A consistent
devastating to the organization. and robust third-party risk management
program is a critical component of every ethics
If that organization insured only some of those
and compliance program. We recommend
cars, or only those in a certain region, the
that organizations build a third-party risk
organization is putting itself in unnecessary
management program to improve visibility
peril. Like a third-party failure, if even one
and risk identification, to increase consistency
of those cars was used in a robbery or other
and reduce third-party related risks, and to
unethical action and the organization did not
gain significant operational efficiencies.
maintain appropriate insurance, such an event
could threaten the organization’s reputation, △△ Technological solutions using software or
financial stability and even survival. automated systems are rapidly advancing
third-party risk management programs.
△△ Third-party failure threatens reputation Software and automated platforms offer
and sustainability. Third-party misconduct unique opportunities to leverage resources and
and illegal behavior can have devastating build efficient due diligence, monitoring and
consequences to an organization. In 2016 auditing functions. Organizations are aware of
and 2017, the U.S. Department of Justice these benefits and increasingly seek resources
initiated more than 100 FCPA investigations. to implement these cost-effective solutions.
In day-to-day operations, organizations
regularly face potential harm from third-
46
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Key Metrics
△△ Creating a culture of ethics, integrity and △△ More than half of responding organizations
respect is the top ethics and compliance (58%) have a Mature (41%) or Advanced (17%)
program objective (68%) and is seen as more third-party risk management program. Almost
important than implementing preventative a third (31%) have programs that are Basic
measures and practices to avoid future issues and 11 percent categorized their program
(62%) and navigating and complying with laws as Reactive.
and regulations across jurisdictions (47%).
△△ Most organizations engage risky third parties,
△△ Ethics and compliance professionals are although most organizations classify only a
most concerned about implementing an small number of third parties as high risk (just
effective business code of conduct (46%) and over half indicated 10% or fewer would be
responding to cyber security events (44%). considered high risk). However, a sizeable
Procedure management/quality control number of organizations (24%) indicate that
(28%), conflicts of interest (25%) and anti- between 10 and 25 percent of their third
bribery (21%) round out the top five concerns parties are high risk.
identified by respondents.
△△ The top three challenges facing organizations
△△ Ethics and compliance departments identified managing third-party risks are consistently
their priorities for the next 12 months. The monitoring third parties (53%), a lack of
top three were: increasing awareness of the internal resources (45%), training third parties
company’s policies and regulations (50%); and securing attestation to comply with
improving or increasing ethics and compliance applicable policies and procedures (36%).
training activities (40%); and training and
supporting frontline managers and supervisors
△△ Approximately one-quarter of responding
organizations indicated that some of the top
on their responsibilities (39%).
challenges to its program are the complexity
△△ With the increasing focus on measuring of due diligence requirements, lack of clear
and testing the effectiveness of ethics and program ownership, and the number of third
compliance programs, organizations are parties they manage.
employing a variety of methods to assess
• More than half of Reactive or Basic
compliance program effectiveness. Some
organizations cited a lack of resources as
of the metrics cited by respondents include:
a top challenge, significantly higher than
number of code of conduct breaches (43%);
organizations with more mature programs.
analysis of internal audit findings (41%),
conducting exit interviews (40%)
and employee surveys (40%).
47
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
48
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
49
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
ADDITIONAL RESOURCES
NAVEX Global offers many valuable resources to help you increase your training program effectiveness.
Visit our resource library at http://www.navexglobal.com/resource-center to find these tools and more.
50
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
Michael Volkov, CEO and founder of The Volkov Law Group, LLC, has over
35 years of experience in practicing law. A former federal prosecutor and
veteran white collar defense attorney, he has expertise in areas of ethics
and compliance, internal investigations and enforcement matters.
The Volkov Law Group is a recognized leader in the ethics and compliance
field. As a former federal prosecutor and Justice Department official,
Michael Volkov has extensive experience with best practices, government
expectations, and industry standards for ethics and compliance programs.
51
NAVEX Global | Protecting Your People, Reputation and Bottom Line
2018 Ethics & Compliance Third-Party Risk Management Benchmark Report
52
NAVEX Global | Protecting Your People, Reputation and Bottom Line
AMERICAS EMEA + APAC
5500 Meadows Road, Suite 500 4th Floor, Vantage London
Lake Oswego, OR 97035 Great West Road
United States of America Brentford, TW8 9AG
info@navexglobal.com United Kingdom
www.navexglobal.com info@navexglobal.com
+1 (866) 297 0224 www.navexglobal.co.uk
+44 (0) 20 8939 1650
PLEASE RECYCLE