Managing Third-Party Compliance Risks

Rebecca Walker


There is something exhaustingly daunting about third-party compliance. As one client confided in me two decades ago, “Managing compliance for 20,000 internal employees is hard enough. How am I supposed to extend this to the employees of all our business partners?” The reality is, our business partners indeed introduce compliance risks. So what can compliance officers feasibly do, and what measures are genuinely effective?

The Expanding Web of Third-Party Relationships

In today’s interconnected global economy, reliance on suppliers and external service providers is a business imperative. This necessary reliance presents a myriad of risks, including the potential for suppliers to fall short of a company’s ethical and compliance standards, resulting in both legal ramifications and reputational damage.

Strategies for Third-Party Compliance

In an effort to mitigate these risks, organizations have deployed a range of third-party compliance controls, such as due diligence protocols, supplier codes of conduct, contractual obligations, third-party reporting mechanisms, and specialized training programs. From my experience, one of the most effective controls is training your internal team (your third-party relationship “gatekeepers”) to monitor for and identify compliance violations by third parties. Training those who interact with third parties not only augments continuous monitoring capabilities but also serves as a supplementary compliance training opportunity. This aligns with the Department of Justice’s memorandum on Evaluation of Corporate Compliance Programs, which emphasizes training third-party relationship managers to identify and manage compliance risks.

Key Training Components

The content of this specialized training will naturally depend on the risk profile of the third-party relationship. For instance, if the risk involves bribery, the training should help employees identify red flags, such as requests for cash payments, payments in foreign countries, disproportionate commissions, or demands for sidestepping standard procedures under the guise of urgency.

Regardless of the specific risks at hand, training modules should inform employees of the potential consequences of supplier non-compliance and clarify the company’s expectations of its relationship managers. Moreover, training should include a strong focus on the mandatory reporting of any concerns relating to third-party compliance.

Effective Training Delivery Methods

When it comes to the modality of training, in-person sessions or videoconferences tend to yield the most effective results. The interactive dialogue between the trainer and participants often enhances comprehension and application of the material. In addition, incorporating real-world examples aids in contextualizing the training. Post-training follow-ups with managers can provide valuable insights into what was effective, what can be improved, and how the training has been put into practice.
