The compliance profession has made enormous strides in applying compliance controls to third parties in the past 30 years. Supplier codes and precontract due diligence are now common, as are compliance contract provisions and even, for some suppliers, required compliance training. That’s the good news.
However, despite these developments in third-party compliance controls, bad supplier behavior continues—even for suppliers of companies with truly excellent compliance programs. For example, the New York Times recently documented heart-wrenching stories of child labor in the United States. US companies are using immigrant children as young as 12 to perform dangerous jobs, including in meat packing plants, construction, and overnight shifts on a factory floor.[1] And the child labor problem obviously gets much worse in many other places around the world.
The work that all companies do sits in an ever-more-complicated matrixed chain of suppliers, partners, and customers. And finding effective means of mitigating the risk of bad behavior by suppliers has proved challenging. Fostering stronger partnerships with suppliers (which should allow for more real-time monitoring) should create better opportunities to mitigate third-party compliance risks.
There are five primary types of compliance controls used to mitigate the risk that suppliers will violate the law or ethical norms when producing goods or services for an organization: (1) due diligence before and during the terms of the relationship; (2) contract terms requiring compliance; (3) supplier codes, policies, and training; (4) helplines made available to supplier employees; and (5) monitoring and auditing. In this article, we consider how a partnership approach to these controls, where feasible, will likely enhance their efficacy.
DOJ guidance
It is often helpful to begin a discussion of any compliance topic with a reminder of government standards in the relevant area. And in fact, the U.S. Department of Justice (DOJ) and other enforcement authorities have increased their expectations regarding third-party compliance. For example, the DOJ’s guidance on Evaluation of Corporate Compliance Programs contains an entire section on third-party management, including guidance on risk-based due diligence and ongoing monitoring of third parties.[2]
Risk-based
As DOJ reminds us, “risk-based” is the key to third-party compliance measures. There are seemingly endless types of harm that third parties can cause. And when that large number is multiplied by the very large number of third parties that most companies interact with, it is clear that third-party compliance controls must be based on risk.
However, creating an effective means of assessing the compliance risks posed by third parties is also challenging. Indeed, the risk assessments for those companies buying goods or services from US suppliers undoubtedly failed to flag child labor as a risk. It is important to consider how we in the compliance community can be more proactive in our risk assessment processes while continuing our efforts not to “boil the ocean.”
Due diligence
Third-party controls at many companies are centered on precontracting due diligence, sometimes combined with periodically refreshing the due diligence checks. If a company can screen out bad actors before entering into an agreement with them, that is obviously the best-case scenario. However, the moment-in-time approach is not always effective at identifying issues. In a 2019 Gartner risk management survey, 83% of legal and compliance leaders indicated they had identified third-party risks after due diligence was performed and before a company recertified.[3] Where feasible, creating opportunities for ongoing monitoring is likely to lead to more timely notification of issues, which affords companies greater opportunity to respond to compliance issues promptly.
Contract terms
Organizations often include terms in contracts requiring compliance with all applicable laws and/or particular laws, such as anti-bribery or child labor. Well-crafted compliance language in supplier contracts is critical to effective third-party risk mitigation. Consider reviewing template contract language to ensure that contracts (1) require compliance with relevant laws, such as child labor; (2) allow for monitoring and auditing third parties for compliance violations; (3) permit termination of the contract where serious violations have occurred; and (4) as appropriate, permit training, helpline communications, and other compliance activities. Companies should also consider requiring their first-tier suppliers to flow down compliance requirements to second- and third-tier business partners.
Of course, while including these provisions in contracts is fairly straightforward, enforcement of the contract provisions is more difficult. Crafting contract terms in a manner that facilitates ongoing monitoring and partnering with suppliers will typically create greater opportunities to ensure compliance. This may require working with your procurement team and relevant operations personnel. In addition, even if a contract permits termination where a supplier is violating compliance requirements, it may be difficult to terminate the contract if there is no ready alternative. For critical suppliers, it may be impossible. Organizations should consider how to assist suppliers with their compliance efforts, particularly with critical suppliers. In addition, if feasible, companies should seek to expand their pools of suppliers so that contracts can be terminated when necessary.
Supplier codes, policies, and training
Many organizations have developed supplier codes and policies in significant risk areas, as well as compliance training for certain suppliers. Supplier codes typically include requirements related to general compliance and standards related to specific risks, such as child labor, human trafficking, safe working conditions, anti-discrimination practices, environmental compliance, and anti-corruption compliance. Numerous examples for organizations looking to create a supplier code are available on the internet; several associations, such as the Ethical Trading Initiative, have created supplier standards that can be used as a starting point.
A supplier code, while a helpful aspirational document, may have limited value with respect to ensuring compliance. However, to the extent it is available to the supplier’s employees, it may facilitate reporting suspected misconduct. In addition, some organizations also provide training to third parties, which may facilitate reporting of concerns.
Helplines
A critical means of continuous monitoring of third parties is to allow third-party employees access to a company’s helpline and encourage them to report suspected misconduct that relates in any way to the work that the third party performs for the company. Depending on the supplier, organizations should think broadly about how to promote speak-up channels to support employees of third parties in reporting. This can be a helpful means of providing continuous monitoring of business partners.
Monitoring and auditing
Organizations have long included audit rights in contracts, but most organizations have rarely used those audit-rights provisions. Indeed, there are vast opportunities to improve auditing and monitoring of third parties. The DOJ guidance asks if a company has rights to analyze the books and accounts of third parties and whether the company exercised those rights in the past. It also asks if the company engages in risk management of third parties throughout the relationship’s lifespan or primarily during onboarding.
Partnering with and ongoing monitoring of third parties is likely the most effective way to mitigate supplier risks. It is also, however, the most onerous. Approaching third-party auditing and monitoring from a risk-based perspective will make the task more manageable, as will using technology and partnering with those employees who regularly work with suppliers.
Training partner managers
As mentioned above, an essential means of continuously monitoring third parties is to train your company’s procurement team and supplier partners to be alert to compliance violations by suppliers. Those employees who work with third parties should be trained on how to monitor third parties and identify compliance violations. Training those employees who interact with third parties during business will likely be the most effective way to provide continuous monitoring of third parties. Indeed, the DOJ guidance asks how the company trains its third-party relationship managers about compliance risks and how to manage them.
Risks of third-party controls
It is vital to mention the potential risks companies face when seeking to extend compliance requirements to third parties. First, an organization could suffer greater reputational harm following publicity about a supplier’s misconduct if the corporation had well-publicized supplier compliance controls that it failed to implement. There are also potential legal liability concerns—such as the inadvertent creation of a co-employment relationship—that could result from extending compliance controls to third parties. Organizations should always proceed with caution in implementing compliance controls.
Conclusion
We have come a long way with respect to third-party compliance. Our ability to monitor and enforce our standards is greater than ever. However, when it comes to issues like the exploitation of children, compliance professionals should continue to think expansively about how we can better use our programs for the immense good they are intended to create in the world.
Takeaways
- Despite many positive developments around third-party compliance controls, bad supplier behavior continues, even for suppliers of companies with truly excellent compliance programs.
- Given the large numbers of third parties that most companies deal with and the many compliance risks that they present, it is imperative that third-party controls are risk-based.
- The primary types of third-party compliance controls include due diligence; compliance contract terms; supplier codes, policies, and training; helplines; and monitoring and auditing.
- Partnering with and ongoing monitoring of third parties is likely the most effective way to mitigate supplier risks.
- Training employees who work with third parties regarding monitoring and identifying compliance violations is an important component of third-party monitoring.