Your third parties are changing now too
Why worry about third-party due diligence during a global pandemic? The truth of the matter is that we have temporarily, but dramatically, changed the way we work, commute, telecommute, shop, dine, entertain ourselves and interact with others. The changes in how we go about our daily lives are impacting the way organisations go about their daily operations. What also changed is the way in which organisations rely on our third parties and how third parties are relying on them.
As our global infrastructure tries its best to keep goods and services in the hands of those who need and want them, government leaders have expressed varying opinions on when exactly their respective nations can partially re-open non-essential businesses that have been closed due to COVID-19. There is uncertainty in the future and that has some organisations in a panic and others doing their best to keep things business as usual. With companies having to become creative business strategists in order to survive the economic turbulence, due diligence on third parties becomes essential to the protection of your own organisation.
A critical, and perhaps overlooked part of keeping business moving as usual, is in the supply chain, network of distributors and the many other types of third parties that a company relies on.
The Red Flag Group® realises that companies are dealing with many new realities and given this sudden hardship, there are big changes ahead. Companies are doing more with less and taking on new tasks, putting out urgent fires, dealing with staff and supply shortages. Our advice is to help these companies address these issues in a calculated, risk-based approach so that potential problems are avoided in the short-term and in the long-term problems are avoided.
Things have changed
Depending on the nature of a company’s business there can be a wide variety of third parties doing work on your behalf that can range from sole proprietors to large, multi-national corporations. The risks for each of these types of third parties is unique but the questions that need to be answered are largely the same:
Is your third party still open?
- When was the last time you heard from them and what information were they conveying to you about their operations? If a company is in a crisis, information can be very hard to come by, delayed or inaccurate. Some offices are closed, and it can be difficult to assess what is happening more than ever on the other side of the world.
- Are there government restrictions in place that are keeping them from doing the job they are contracted to do for your company? There are lock-downs, curfews and government restrictions that can make some jobs impossible now but what happens when those restrictions are lifted? What changed during the restrictions?
Are they going to survive this economic downturn in the short- or long-term?
- With the global pandemic being just months, or weeks old in some parts of the world, some companies that were on the brink are now shuttered. The third-party might not be solvent in a few weeks, and unfortunately, that disruption should be mitigated as much as possible by finding a possible replacement now.
- If your third parties do shut down, who can step in and take their place? Many companies have some bench strength that they can rely on to distribute their products or gain supply from but what third parties are ready to step up?
For companies that are going to replace third parties that have shut down, how much do you really know about them?
- The Red Flag Group® has often found that companies have thousands of third parties in their systems that are inactive, out of date or with incomplete records. If a company has not conducted proper due diligence on these third parties, they could be relying on data that is years old and not reflective of the actual operations.
- There are certainly temptations to cut corners when faced with a resource, money or time shortage but the penalties, both reputational and legal, can be severe for those companies that choose to partner with unethical, instable or languishing third parties that make decisions that will ultimately harm those that hired them.
Find out what has changed
Along with the financial and operational stability of a company, your due diligence efforts should focus on what has changed not only with active or soon-to-be active third parties. In some situations, a company could have been sold/bought, leadership could have been replaced or even taken over by the government in some parts of the world. If a company goes through one of these profound changes, it certainly changes their risk profile and how your company should be interacting with them.
Unfortunately, in times of strife and turmoil, companies and individuals can be tempted to engage in unscrupulous activities to keep themselves afloat or capitalise on the desperation of those in need. If a company that you are doing business with was sold off to one of these individuals with only short-term gains in mind, your company’s reputation could be in danger as well as possible government investigations later.
The compliance industry has operated in extreme economic conditions before. While the COVID-19 virus has changed the world in unprecedented ways there are still lessons to be learned. It has been said that while it is good to learn from your mistakes; it is always better to learn from other people’s mistakes. To this end, a reminder to not repeat the downfalls of the past. Some actions that your company can take now to avoid costly problems in the future:
- Update due diligence on third parties that are most impacted by the virus. There are certain parts of the world (China, Italy, Spain, France, South Korea, USA, India, etc.) that are more profoundly impacted than others. In line with the methods of taking a risk-based approach, it is prudent to check on the activities of third parties in these and the surrounding areas.
- Look at your bench of third parties and update it. There is uncertainty ahead of us. It is a good time to look at Plan B, C, D, E and F when it comes to business continuity. It is not uncommon to have a single supplier for a good/service or a sole distributor in a region/country. What will happen if that company goes out of business, who will be next in line to take the role? Update the information you have on the third party, conduct due diligence on them to be sure and pick the right partner to fill in where others have left.
- Ensure that policies and procedures are being followed. There are urgent cases that could warrant a deviation in process, but these should be properly handled. There can be the temptation to skip checks, verifications, research, questionnaires, risk scoring matrices, approval, escalations, etc. but this should be the exception, not the new norm. Compliance, legal, channel and procurement professionals should remember the “trust but verify” mantra to ensure that the other parts of the organisation aren’t putting the company at risk.
When the business of the world gets back on its collective feet, we need to look back at these times and be able to defend the approach that we took. That approach should be measured, sensible, prudent and defensible. In the small sense that this applies to third party risk management, this is a crucial time to take a hard look at the third parties operating on your behalf, be aware of changes and react accordingly.