Third parties that generate value – and risks

No company is an island. To a greater or lesser extent, they all benefit from relationships with suppliers of raw materials and products, business representatives, service providers and partners. It is a complex ecosystem that presents opportunities and risks: these relationships can raise the level of competitiveness, innovation and added value, but they can also open the door to potential conflicts of interest, compliance violations and other damages to a healthy business environment. Having a strong and well-structured governance to manage this ecosystem is critical to avoiding unfavorable situations – especially in a scenario such the Brazilian one, where discussions on compliance and the fight against bad corporate practices have been more evident than ever before. Robust management tools can shield organizations from public image harms, financial loss and involvement in illegalities arising from their relationship with third parties.

Companies’ concerns regarding risk management and third-party governance is reflected in “Focusing on the Climb Ahead”, a global survey conducted by Deloitte. The study interviewed nearly 1,000 organizations from various sectors in the Americas, Europe, the Middle East, Asia and Africa and shows that the level of maturity on these issues is growing, as well as investments in the area and the structuring of mechanisms to mitigate risks. At the same time, there are still great opportunities for advancement in many of the companies consulted. Less than 10% of the respondents stated that they use customized technologies to manage their third-party governance; and only 2% of the participants monitor their suppliers’ entire supply chain, which increases the risk of violations of human rights, labor laws and other non-conformities.

“Even if the organization has a well-structured system of internal governance, there is the challenge of extending this model to the parties that integrate the business but that are beyond the limits of its management”, points out Camila Araújo, Deloitte’s partner in the Risk Advisory area. The alliances with all those partners and stakeholders may harm the company’s image and even, in extreme cases, involve it in unlawful actions. “It isn’t something new, but it has taken on a large scale in the post-Anti-Corruption Law scenario”, continues Camila, noting that the legislation enacted in 2013 made companies responsible for acts of third parties that may have generated benefits for their business. “It’s always difficult to keep up with the activities of these partners. Therefore, each organization must develop internal compliance practices for all links in the value chain”, adds the specialist.

Any partner or supplier who participates in a company's business may pose a risk, a channel for irregularities. The control of these situations is still maturing in Brazil., Camila Araújo, Deloitte's partner in the Risk Advisory area.

Camila mentions cases of giant companies that have had similarly significant losses due to participants in their ecosystems. “In 2017, British Airways suffered an IT breakdown, which caused a total shutdown of its activities for three days. Imagine the loss. The cause was an outsourced worker who tripped over a cable and shut down a server”, she reports. Another example was the invasion of the database of the US retail chain Target in 2013. A hacker took advantage of a vulnerability from one of the company’s suppliers and obtained personal data from more than 41 million customers. “The result was a $ 500 billion drop in market value”, recalls Camila.

The 10 imperatives for good third-party governance

The “Focusing on the Climb Ahead” survey sought to determine the priorities of the companies participating in the survey regarding risk management in third party governance. In descending order, these were the most mentioned topics:

1. Promoting better internal coordination among risk managers, business unit leaders, legal teams and auditors;

2. Establishing more rigid due diligence processes over third parties;

3. Ensuring more resilience in the face of disruptions and uncertainties related to third parties;

4. Identifying strategic partners and direct them governance efforts equal to their importance;

5. Improving technology in monitoring third party activities;

6. Prioritizing the mitigation of internal cyber-risks;

7. Reinforcing assurance activities with partners;

8. Strengthening visibility and transparency throughout the value chain, including subcontracting made by third parties;

9. Assessing cyber risks to which partners are vulnerable;

10. Enhancing clarity about the requirements involved in business cases related to the business ecosystem.

Third-party ecosystem governance involves raising awareness of the benefits of effective compliance. This is the opinion of Rodrigo Bertocelli, President of the Brazilian Institute of Law and Business Ethics (IBDEE). “Companies can be classified in three stages. There are those that simply adhere in a formal way to avoid suffering sanctions. Others are already concerned with measuring the effectiveness of their initiatives. And at the more mature level, there is a whole culture focused on compliance that encompasses not only the internal public, but the entire stakeholders’ ecosystem”, says Bertocelli. In an environment like the Brazilian one, in which some of the largest organizations in the country have suffered damage in their image and considerable financial losses when engaging in corruption scandals, the positive impact of good governance is doubled. “Companies today need to see themselves as parts of a larger context. Their practices affect social, environmental, and financial plans, and the consumer does not tolerate organizations that misbehave anymore. Governance not only prevents risks, but offers more value and sustainability.”

An example of a Brazilian company whose business depends on a complex network of partners and outsourced workers is Gol. The list of services and products suppliers of the country’s largest airline company surpassed 4,700 companies in 2017 and transacted more than R$ 5.8 billion in purchases and recruitment.  “Gol relates to a wide variety of companies in different locations”, says Brunno Cruz, corporate risk and compliance executive director of the airline. The company has a “second line of defense” that integrates risk assessment, monitoring and internal controls under the coordination of Cruz’ board of directors, whose work is complemented by an internal audit that operates independently. “We seek to associate the governance of third parties relationships with internal processes for reviewing regulations, training and multidisciplinary discussions”, explains Cruz. “This structure provides more intelligence and effectiveness in the monitoring and handling of risks.”

monitoring the ecosystem should be part of the compliance system. Rodrigo Bertocelli, from IBDEE

For Camila Araújo, from Deloitte, “improving third-party monitoring methods must be constant and consistent. Many companies audit their partners at the time of hiring, but then abandon the practice. Formal codes and procedures – that investigate, for example, the possibility of conflicts of interest involving employees and contracted firms – help protect companies against misconducts that may affect them. Such care must persist throughout the duration of contracts, and beyond.”