Third Party Risk Metrics

Measuring your risk exposure with vendors, suppliers, and more

Which third party risk metrics should you be measuring for not just an accurate third party risk assessment—but one that will satisfy regulators?

The DOJ has focused on the final step in the lifecycle of a third-party relationship as a key metric for evaluating third parties. This means more than including boilerplate language in a contract. It means taking action—including termination of the business relationship—if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location. This is a longer way of saying: you must manage—and measure—the relationship.

Relationship Manager for Third Parties

The starting point for managing a third party is a Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Key responsibilities the Relationship Manager should carry out (and document, of course), each of which yields a metric you can track, include:

  • Serving as the point of contact with the third party for all compliance issues
  • Maintaining periodic contact with the third party
  • Meeting annually with the third party to review its satisfaction of all company compliance obligations
  • Submitting annual reports to the company’s Compliance Oversight Committee (COC) summarizing the services provided by the third party
  • Assisting the company’s COC with any issues with respect to the third party

Compliance Oversight Committee

A company should have a Compliance Oversight Committee (COC) review all documents relating to the full panoply of a third party’s relationship with the company. After the commercial relationship has begun, the COC should monitor the third-party relationship on no less than an annual basis. This annual audit should include a review of any remedial due diligence investigations and an evaluation of any new or supplemental risk associated with negative information discovered in a review of financial audit reports on the third party.

Ongoing Monitoring of Third Party Risk Metrics

A key tool in managing the affiliation with a third party post-contract execution is ongoing monitoring. Your ongoing monitoring should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. The process can be described as (1) capture the data; (2) analyze the data; and (3) report on the data. As a baseline, I would suggest that any ongoing monitoring of a third party include, at a minimum, a review of the following metrics:

  • the effectiveness of existing compliance programs and Code of Conduct
  • the origin and legitimacy of any funds paid to Company
  • all disbursements made for or on behalf of Company
  • all funds received from Company in connection with work performed for, or services or equipment provided to, the Company

If you want to engage in a deeper dive, you might consider evaluation of some of the following metrics:

  • Determine that actual due diligence took place on the third party
  • Review the compliance training program, both the substance of the program and attendance records, to determine its effectiveness
  • Review third-party hotline reports
  • Determine whether the third party has disciplined any employee
  • Review employee expense reports for employees in high-risk positions or high-risk countries
  • Review spending limits for gifts, travel and entertainment provided to, or for, foreign governmental officials, and identify any overages

Tying Together Your Third Party Risk Metrics

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third-party management program. The robustness of your program will go a long way towards preventing, detecting and remediating any compliance issue before it becomes a full-blown FCPA violation. As with all of your metrics, you need to fully document the steps you have taken so that any regulator can test them. You should also use these metrics to conduct a self-assessment of the state of your compliance program.