The Red Flag Group®

Third-party risk management


Getting buy-in for a third party compliance programme

Do you currently have a compliance programme?

The first step in determining how to go about gaining buy-in for a compliance programme is to check if your company already has a compliance programme in place.

If you already have a compliance programme, your company’s employee base will likely have a different attitude and outlook towards compliance than a company without a programme would. However, the fact that you already have a programme does not mean that your employees will necessarily have a positive attitude towards compliance. If the compliance programme has been unsuccessful, employees may have a negative attitude, and consider compliance a burdensome hurdle and a detriment to conducting business efficiently and competitively. In this situation, you do not have a “clean slate” to work from in gaining buy-in for a new, revamped compliance programme, and your efforts will largely be about showing employees how and why things will be different this time around.

If your company does not have a compliance programme, you do have the luxury of working from a clean slate to inform, educate and convince employees about the value of compliance, and how it benefits them and their work. Your employees will likely have fewer preconceptions about compliance, at least in the context of how compliance might affect their work within the current company. Your task, as a compliance professional, will be to sell compliance to the business units so that they are motivated and open to adopting these practices as part of their work.

What are the goals of your programme?

Even before you consider how to sell compliance to key stakeholders you need to determine what the goals of your programme are. Obviously, most companies require a compliance programme to meet various global and local regulations that, if violated, would lead to government investigation of the company and possible penalties and reputational damage. However, it will be much easier to sell the programme and facilitate buy-in from various stakeholders if your goals are more far-reaching than simply avoiding violations of anti-corruption regulations. Your goals should touch on the following:

  • Establishing your company as the most reputable organisation in its field
  • Having your organisation become a trusted corporate citizen in the community
  • Making your organisation’s employees the most trusted, diligent and honest workforce in the industry.

Setting these sorts of goals for your company will help align compliance with the organisation’s overall approach of being a respected corporate citizen. Employees will be much more likely to commit to the programme if they can see this sort of connection.

How will you “sell” compliance to the business?

Regardless of whether you are revamping the current compliance programme or instituting an entirely new one, getting buy-in from the business is often difficult because compliance is a tough sell. Companies that invest in internal programmes want to see measurable benefits, such as increased productivity, more customers or greater employee satisfaction. Most importantly, compliance is not a revenue generator, so it is no surprise that stakeholders throughout the organisation will show resistance to adopting a compliance programme.

Regardless, you need to have a plan of how to effectively “sell” compliance to the business to induce buy-in from the various stakeholders. Selling compliance can be done in two ways:

  • Stressing the benefits of compliance to the overall business
  • Describing the incentives of participating in the compliance programme – in other words, telling employees what is in it for them.

Stressing the benefits of compliance to the overall business means explaining the value of compliance in a “big picture” manner. People generally want to work for a reputable organisation that does business fairly. Accordingly, you will need to describe how a compliance programme will push the organisation beyond its competition and give it a competitive advantage in the marketplace as a result of its adherence to transparent and fair business practices.

The types of benefits you stress must show measurable results. Such benefits can include how a compliance programme will help the company:

  • prevent violations of applicable regulations and thus protect and enhance the organisation’s reputation
  • avoid enforcement actions
  • reduce penalties.

Obviously, the legal fees, financial penalties and declining business that result from involvement in any enforcement action are the kinds of measurable indicator you can use to show employees why buying into compliance is essential.

Perhaps more important than stressing the benefits of compliance for the company is emphasising the incentives for employees to buy into the programme and adhere to it closely. Beyond high-level messaging that informs employees about company values and the general importance of conducting business transparently, incentives need to be tailored for specific business units. The following is an example of the kinds of incentives that need to be demonstrated to various stakeholders:

  • Sales and procurement:
    • more effective long-term relationships with partners
    • can initiate contracts more quickly
    • clearer standards to evaluate partners by
  • Human resources:
    • the accessibility and prominence of the human resources function are increased as it becomes a point of contact regarding compliance and behaviour
    • can establish itself as the gateway to determine integrity standards for the company through its power to hire and fire
  • Finance:
    • more prominent role in the company through increased powers in carrying out audits and general fiduciary functions
  • Executive:
    • increased reputation and recognition in their industry as leader(s) of a reputable organisation
    • greater revenue for the company through improved sales channels, avoiding prosecution and increased trade

To ensure buy-in, you can also make compliance a part of the rewards process – for example, adding adherence to compliance as a criterion in the review and promotion process.

There are several ways to “sell” the compliance programme, but gaining buy-in from stakeholders begins with showing value and incentivising employees.

Who do you need to get involved in the process of implementing the programme?

While it is the compliance and legal departments that will initiate the compliance programme and set the standards it must measure up to, it is the various business units that will drive the programme forward and be responsible for its daily administration. Knowing this, many companies still do not consult with these business units during the development of the programme; rather, they simply charge them with various responsibilities that they must undertake to uphold the programme.

Instead, compliance departments need to consult with the various business units that will drive the programme, even during the course of the programme’s development. This can take the following forms:

  • check with senior executives before finalising any new anti-corruption policies to ensure that all points are covered, all company values are ingrained and all corporate interests are represented
  • introduce plans for an electronic system to house the various compliance applications (such as questionnaires, third party repositories, and gifts, travel and entertainment declarations) to the managers of the departments that will use the system most often, so that they can determine which utility best fits their needs
  • discuss proposed anti-corruption language and clauses intended for third party contracts with sales and procurement to see how they might affect their ability to on-board partners
  • consult with department heads of branches in foreign countries to apprise them of the upcoming compliance programme so that they can consider how the local workforce, customs and practices may inhibit or affect the roll-out of the programme.

Besides allowing these stakeholders to feel that they have a say in the development of the programme, involving a broad spectrum of parties will help with roll-out, as relevant stakeholders will have more time to embed the programme’s requirements in their line of business. Ultimately, the cohesiveness of the programme will increase greatly.

Will you be rolling out the compliance programme in various countries?

The next element you will want to consider in your quest to gain buy-in for a compliance programme is to determine whether the programme is being rolled out to any foreign countries. Rolling out a compliance programme globally requires consideration of additional factors that need to be addressed in order to acquire buy-in.

Some of the additional factors you will need to consider include:

  • foreign employees overlooking the CEO’s directions in favour of those of local management
  • basing compliance resources centrally rather than at branch offices
  • whether there may be difficulty establishing local compliance talent
  • that local values may not align with the values codified in the company code of conduct.

Looking at these factors, one of the biggest challenges to gaining buy-in is that local stakeholders will often rely on local management to guide them in their approach to compliance rather than the CEO, compliance department or any centralised department. If local management has not bought into the programme itself, it will be difficult to gain buy-in from the rank and file as well. Therefore, you must focus on gaining buy-in from local managers first.

Another major challenge to gaining buy-in is that compliance resources are often based at corporate headquarters and not distributed throughout branch offices. This predicament also touches on the third point listed above, regarding the difficulty in establishing local compliance talent. Even in the event that you attempt to establish local resources and distribute compliance talent across your company’s various regions, several difficulties can emerge. Finding local talent that can convey corporate compliance values and ethics in the local language can often be difficult and expensive. Furthermore, local resources may become close with the local business units, making it hard to effectively monitor and measure their progress and the progress of the overall branch office. To counter this challenge you must indoctrinate local compliance managers early in the process, ensuring that their values are rooted in corporate values and that their communication is effective enough to reach the local stakeholders.

If you can manage to cultivate corporate values in local compliance resources, you will have an easier time aligning local values with the values enshrined in your code of conduct. Local values may be shaped by any number of factors, and these could differ from the values you have set out in your code. Local values may be driven more strongly by wealth creation, knowledge, speed of doing business or personal advancement, rather than by a strict adherence to fairness and transparency. With a local compliance team confidently pushing corporate values, it will be easier to have local stakeholders buy into these values, and into the overall programme itself.

Compliance officers should prioritise the task of generating buy-in for the compliance programme alongside the myriad other essential tasks that are part of implementing a compliance programme. By having at least some strategy for how buy-in will be generated, the other elements of the programme will more quickly and effectively fall into place.


What is third party risk management?

Third party risk management is the process of monitoring, evaluating and managing a company’s relationships with any external parties it is associated with.

This can include suppliers, joint venture partners, subcontractors, overseas trading partners, distributors and sales agents.

Third party management is conducted to assess the ongoing behaviour, associations, performance and risks of the third party, to ensure that the ongoing relationship does not do any reputational, financial or legal damage to the company.

The main areas monitored include those of corporate and social responsibility compliance, contract risk management, supplier and vendor information management, performance measurement, anti-bribery and anti-corruption compliance and information security.

The need for third party risk management

As global markets have expanded and competition has increased at every level, the use of third parties has increased dramatically. In parallel, the legislation relating to third parties has also become more stringent.

The importance of third party management was highlighted when the US Office of the Comptroller of the Currency stipulated in 2013 that all regulated banks must manage the risk of all their third parties. It is no longer enough just to assess third parties prior to associating with them. The assessment needs to be ongoing and thorough.

The definition of a third party

Whilst suppliers and distributors are clearly third parties, others may be less obvious. It is not even necessary to be involved in critical activities to be considered a third party, which is why some third parties are overlooked. An independent cleaning contractor or a refuse collection company needs to be assessed in exactly the same way as a high-profile key supplier. Any of them can be the source of a security breach or of a risk by association, either of which could damage the business.

It is the nature of the relationship, rather than the size or function of the third party, that matters. A cleaner might have access to confidential information; the risk may not appear to be huge, but it nevertheless exists.

In all cases, the business may be damaged by being linked to a third party with unethical practices.

Third party risk management

A non-critical third party such as a workwear supplier operating in a country with a low corruption risk could easily be classed as low risk.

However, if that contractor has poor cybersecurity and is allowed to submit invoices electronically, its systems and accounts become a path into the company’s own, and it may pose a high cyber risk to the company. The risk rating has to reflect the access a third party is given, not only its size, criticality or location.

Although third party risk management is predominantly linked to the financial sector, where there are increased risks of money laundering and corruption, it is applicable to any industry.

In the healthcare sector, the Health Insurance Portability and Accountability Act defines the minimum standards for protecting private patient data, and there are specific regulations for keeping and storing Protected Health Information.

Other industries are not legally required to have specific third party management systems in place but are equally bound by anti-bribery and anti-corruption regulations. Failure to be diligent can not only result in financial penalties, but also in damage to the company’s reputation. This can be difficult to recover from.