Any large company attracts a host of external vendors and suppliers around it. When managed well they can provide years of good service, especially as they can come to understand how their big customer works and dream up ideas that, ultimately, can create better products and services.
But so many different independent companies, with different tolerances for taking risks, different ethical policies, and different cultures, make life hard for corporate compliance teams, who must make sure that the firm’s activities comply with the myriad regulations in their operating markets and with the firm’s ethics policy.
The best thing compliance teams can do to help employees stay within the law and the firm’s policies is to minimize the administrative burden of doing so.
“When you construct elaborate compliance programs, the reaction from the business is typically, ‘This is another hassle I have to go through before I can get on with my real job,’” said the chief compliance and audit officer of a large manufacturer in CEB’s client network.
Three Ways to Manage the Tension
This understanding of how employees react to compliance requests underpins the manufacturer’s third-party risk management program. The compliance function has re-oriented its approach so that business partners see Compliance as a service that will help – and not hinder – the pursuit of their own objectives.
There are three main parts to the program.
Make the process easy to navigate: As well as providing their own support throughout the process required to manage third-party suppliers, the compliance team understands that business partners also need advice and guidance from other functions, like Finance and Internal Audit. So the compliance team makes sure that business partners are given the right support and resources from internal functions at each stage of the process (see chart 1).
Compliance also created a web portal to help business sponsors find the right guidance and track their compliance “to-dos.” One time-saving feature is the ability to search for suppliers that have an existing relationship by the type of service provided and location. Business partners in charge of a vendor relationship also receive automated reminders so that they don’t lose track of what needs to be done next. This combination of compliance support and nudges to stay in compliance makes the process less painful for all.
Chart 1: Third-party vendor compliance process Source: CEB analysis
Give business partners confidence they are in compliance and managing risk properly: The compliance team gives business partners specific “treatment plans” to guide their risk management. “This allows the business to know what to expect, barring any unforeseen red flags during due diligence,” said the director of the third party risk management program. Chart 2 is an illustrative example of a treatment plan for a particular risk category.
Chart 2: Typical treatment plan Source: CEB analysis
For particularly high-risk third-party suppliers, Compliance representatives will actually train and provide resources to the vendors themselves. They are selected as high risk based on factors like their strategic importance to the business, and the controls they already have in place. Of course, these compliance-led efforts greatly reduce business partners’ work and help to promote external adherence to standards (see chart 3).
Chart 3: Example of support for “high risk, high ROI” third parties Source: CEB analysis
Use any data generated to provide business intelligence: The support goes beyond third-party risk management. The compliance team also provides valuable business intelligence about the types of contracts that vendors are offering and how well they have been onboarded into the company, which can help with important business decisions.
It’s services like this that reaffirm the value business partners can get from working with compliance. As the chief compliance officer explains, “The mark of success is that it’s not just a compliance requirement. We are providing a service to the business and they understand the value of that service.”