The compliance profession has made enormous strides in applying compliance controls to third parties in the past 30 years. Supplier codes and precontract due diligence are now common, as are compliance contract provisions and even, for some suppliers, required compliance training. That’s the good news.
However, despite these developments in third-party compliance controls, bad supplier behavior continues—even for suppliers of companies with truly excellent compliance programs. For example, the New York Times recently documented heart-wrenching stories of child labor in the United States. US companies are using immigrant children as young as 12 to perform dangerous jobs, including in meat packing plants, construction, and overnight shifts on a factory floor.[1] And the child labor problem obviously gets much worse in many other places around the world.
The work that all companies do sits in an ever-more-complicated matrixed chain of suppliers, partners, and customers. And finding effective means of mitigating the risk of bad behavior by suppliers has proved challenging. Fostering stronger partnerships with suppliers (which should allow for more real-time monitoring) should create better opportunities to mitigate third-party compliance risks.
There are five primary types of compliance controls used to mitigate the risk that suppliers will violate the law or ethical norms when producing goods or services for an organization: (1) due diligence before and during the term of the relationship; (2) contract terms requiring compliance; (3) supplier codes, policies, and training; (4) helplines made available to supplier employees; and (5) monitoring and auditing. In this article, we consider how a partnership approach to these controls, where feasible, will likely enhance their efficacy.
DOJ guidance
It is often helpful to begin a discussion of any compliance topic with a reminder of government standards in the relevant area. And in fact, the U.S. Department of Justice (DOJ) and other enforcement authorities have increased their expectations regarding third-party compliance. For example, the DOJ’s guidance on Evaluation of Corporate Compliance Programs contains an entire section on third-party management, including guidance on risk-based due diligence and ongoing monitoring of third parties.[2]