What ‘Adequately Resourced And Empowered’ Means For Third-Party Risk
The DOJ’s latest guidance has made it quite clear. They expect compliance programs to be adequately resourced and empowered. It’s right there in black and white. In fact, the June 2020 update specifically changed the language in the guidance from:
“Is the Corporation’s Compliance Program Being Implemented Effectively?
Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, or ineffective.”
to:
“Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.”
This is a very clear signal from the DOJ that they will be focused on resourcing (and that now, despite COVID, is not the time to skimp on compliance).
Are TPRM Programs Adequately Resourced And Empowered?
The short answer appears to be ‘no’.
A recent industry survey found that resourcing is a key area of third-party risk management that requires attention. This is an area of weakness that boards and senior management should be concerned about, as there is a clear regulatory expectation that programs need to be adequately resourced and empowered. Yet, insight from multiple sections of the survey illustrates that many third-party management programs are struggling to secure the resources and funding they require to be successful.
A third of respondents reported that they did not consider that their program had adequate funding for the people, tools, or innovation and continuous improvement necessary for the success of their programs.
A lack of resource is also evident in reported team sizes. Over a quarter of respondents (27%) indicated that they did not have a dedicated team to manage third-party risk at their organization, and 42% reported that their teams were between 1 and 5 people in size.
Despite having no dedicated resource or small team sizes, organizations are having to manage a high volume of third parties. Over half of organizations with no dedicated team were still having to manage more than 500 third parties.
The lack of resource coverage here is alarming and something that organizations with small team sizes and large numbers of third parties should be looking to address.
In addition to a lack of coverage in headcount, budgets (non-headcount) were typically low as well, particularly considering the complexity and criticality of third-party risk management.
Of those that did know their program budget, almost a quarter had a budget of less than $5,000. Further, most budgets were not anticipated to increase in the next 12 months, with 50% expecting their budgets to remain the same and 11% expecting them to decrease to varying degrees. This was prior to the full impact of COVID-19.
Resource was also a challenge that was called out in the qualitative section of the survey.
Many respondents mentioned the lack of resource to do the job properly, with typical responses including:
“Lack of staff to do a more thorough job”
“Lack of budget. Shrinking appetite for associated administrative burden considering no suppliers have been ‘Denied’ to this point”
“Having enough people to properly manage third-party risk”
“Being able to manage the amount of oversight and due diligence needed with limited number of resources”
“Obtaining necessary resources to bring program up to industry best practice”
“Getting budget to install and use a tool”
“Increased level of regulatory expectations without commensurate increase in resources/$”
Others also specifically mentioned the challenge associated with getting senior management to understand the level of effort and budget required for third-party risk management:
“Convincing management of the need for more resources”
“Budget and support from C-suite”
“Human Capital and Management Buy-In”
“Getting Management to understand the work required to meet the Board’s expectations”
“Getting buy-in from the line managers on the importance and the associated costs of due diligence”
Taking stock of resource, and ensuring there is enough to run an effective program, is an urgent area for organizations to address. The DOJ has made it quite explicit that it expects compliance programs (which include third-party risk management) to be “adequately resourced and empowered.” This means that programs need to be well funded and staffed. Clearly many are not.
Closing The Gap – Ensuring You Have The Right Resource
Inadequate resourcing of third-party risk programs is a recipe for trouble.
Ephraim “Fry” Wernick, a partner at Vinson & Elkins and a former federal prosecutor and assistant chief of the Justice Department’s Criminal Fraud Section, has stated: “From experience investigating these cases for the Department of Justice, 99 times out of 100, when you come across a problem, it’s because you have a third-party issue. The need to beef up the resources is substantial.”
So, what can you do to ensure you have the right resourcing in your program?
Understand your program maturity
First, it helps to understand your program maturity. Understanding this helps you map your journey, including what to prioritize and focus on, where to invest, and what ‘not’ to do. It also helps with collaboration across the business as it recognizes the need for multiple stakeholders in the process. Being able to articulate maturity also provides a framework and value points to engage senior management. Their buy-in and sponsorship is important. This will also help you make the right technology decisions as you have greater clarity in terms of what’s right for you now, but also, importantly, what you will need in the future. You can calculate your program maturity using our calculator. You’ll also receive a detailed report on your maturity level, its defining characteristics, and what you need to be thinking about to advance it.
Understand the scale of your program
One thing that was clear in the results of the survey was that many organizations have a very high volume of third parties, but either no dedicated team or a very small dedicated team responsible for their management. Clearly the regulators expect improvements here. You should understand the size, criticality, and risk of your portfolio: How many third parties are you managing? How many are critical? How many are high risk? Also consider if your company is involved in a lot of M&A – this can radically change the number of third parties you have in a very short period of time. If the ratio of third parties managed to team size is out of proportion, it’s an indication that further support and investment is required in this area.
Present a value case for investment
Third-party risk management teams are often challenged by the business to come up with the ROI for program improvements, such as additional resources, tools, and technology. There are details in this article that point out that it’s not just overall efficiencies gained that provide value, but more importantly, it’s the protection and resilience that a mature and robust TPRM program delivers to the business that third-party teams should be focused on.
Ensure your senior management and board are engaged
It’s important to have your senior management and board engaged. The DOJ’s Evaluation of Corporate Compliance Programs states: “The company’s top leaders – the board of directors and executives – set the tone for the rest of the company.”
The survey also found that board engagement and oversight is an important factor when it comes to advancing the maturity of programs. Organizations that had a high level of board oversight were much more likely to have programs in the Defined to Agile stages (69%) than those with low oversight (33%).
Executive sponsorship establishes the strategic importance of third-party risk management to the business. Having this sponsorship drives understanding and adoption across the organization and is a critical part of advancing your program maturity.
So, look to engage your senior management early in the process.
Third-party risk management is complex, and if you are trying to manage your program on a combination of spreadsheets, email, homegrown systems, and survey tools, you are unlikely to be meeting the expectations of the regulators.
From the outset, your program requires a system that provides a central inventory of all your third parties that includes all your third-party information, documentation, risk, compliance, and performance data. Business workflow automation will help you streamline the process of third-party management – from the initial business request, through to initial risk screening and scoring, inherent risk assessments, enhanced due diligence, onboarding, continuous monitoring, issue management and remediation, and offboarding.
Throughout this process your system should provide a comprehensive, readily accessible audit trail.
Companies looking for best-in-class systems select Aravo. Leading analyst firm, Chartis Research, has highlighted Aravo’s automation capabilities as a particular strength: “We scored Aravo particularly highly for its automation capabilities, which we view as a key strength as it reduces users’ operational burden.”
The latest guidance should be seen by those in compliance and risk as a good opportunity to take stock of where their program resource sits today, and what is required to ensure the program is well-implemented and successful going forward.