Beyond Due Diligence: Monitoring Performance of Third Parties

Author: Leslie Benton, J.D.

Due diligence and onboarding of third parties, while extremely important and often complex efforts, are only the first steps in a successful relationship with your organization’s third parties. As the business relationship develops over time, the value, fit for purpose, and quality of the third party are revealed. What you do to monitor and evaluate the performance of your third parties throughout that relationship is vital to protecting your organization from legal, ethical, and business risks. 

A quick review of liability for third party actions from the latest Department of Justice FCPA guidance and the fact the more than 80% of FCPA matters since 2019 involved third-party intermediaries serves as a stark reminder as to how real the risk can be. And, every week there seems to be new data breach notice, often stemming from a weak point at a third party entity. 

There are several opportunities to evaluate the performance of third parties and mitigate risks to your organization within the normal course of the business relationship. In this post, we discuss how organizations might approach keeping in closer connection with how their third parties are performing against business and compliance expectations. 

Risk Drives Scope and Frequency of Reviews 

The measures you take to evaluate the performance of third parties after screening, due diligence, and onboarding should be based on the level of risk inherent in the engagement and the residual risk that remains after controls are established. Considerations include: 

• How critical is this third party to your organization to continue to operate? 
• Is there higher risk in retaining this third party just because of where they happen to be operating or the type of work they perform?  
• Is this third party a sole source for this service or product? 

Annual (or less frequent) due diligence refreshes, transaction sampling, or monitoring watchlists for issues of reputation or politically exposed persons may be sufficient with third parties of low risk and low criticality. But an agent or distributor based in a corruption prone geography or a critical supplier for which there are few, if any, alternatives should be watched for signs of concern during the regular course of the business relationship. For those higher risk third parties, quarterly check-ins or, even better, making more frequent performance observations part of the course of the business relationship is preferred. 

Compliance can’t be everywhere, and audits can be resource intensive (not to mention the difficulty in securing the contractual right to audit) and are not necessarily the answer here. A well-trained business relationship owner is in a far better position to observe changes in the behavior and performance of a third party that might warrant additional attention or remediation.  

Integrate performance evaluations into your business activities. 

The first line of defense is the business – the relationship owner. They drive the relationship and should be equipped with the tools and training to succeed in fostering that relationship and protecting the business. Train your business relationship owners on performance standards to identify any red flags that require further inquiry. Embed the practice of asking, looking, and listening for signs of compliance or non-compliance with expectations into the ongoing activities and interactions that naturally occur over the course of the relationship. 

Get your business owners ready to monitor performance. 

• Encourage them to take advantage of site visits and observations during the normal course of business.  
• Provide a list of red flags to watch for.
  • Red Flags – Payments and Documents
    • Unusual or untimely payment requests
      • Requesting payments in cash 
      • Altered dates on invoices or changes to the invoices themselves – requested remittance to a different bank account or address, invoice issued from a difference location or department, etc. 
      • Unusual requests for travel, accommodation, or meals 
      • Refuses to provide invoices or other documentation 
  • Red Flags – People
    • The primary contact mentions family members with business ties to the third party or to government officials 
    • New / unfamiliar people attending meetings – Who are they? Why are they present? 
    • Are contacts uncharacteristically dodging your questions or refusing to meet with you or giving you answers to questions that are inconsistent with prior conversations and behavior? 
• Show them how to escalate concerns.  
• Prepare them to ask, look, and listen for signs of the third party’s compliance with their obligations.
  • Understand how the third party manages their third parties
    • Is the third party meeting those operational processes outlined in their answers to due diligence questionnaires? 
    • Has it become clear that the third party does not have the ability to live up to its contractual obligations and performance standards? 
    • Get to know their compliance program – Do they have a hotline? Are they doing training? Are they running risk assessments? Are codes and policies accessible by their employees? 

Share the results of what you find with other internal stakeholders and your third parties. Implementing these types of periodic reviews from a place of partnership with the third party is much more effective than taking the position of policing your third parties. Focus on remediation and recognition for good performance and progress made. 

Best Business Practice 101 – Standard Operating Procedures and Documentation 

In the latest Department of Justice (DOJ) guidance for Evaluation of Corporate Compliance Programs, some of the questions prosecutors will ask about third party risk management include: 

• How does the company monitor its third parties? 
• How does the company train its third-party relationship managers about compliance risks and how to manage them? 
• Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process? 

The DOJ and other regulators expect a reasonable, risk-based effort in managing third party risks – not a completely exhaustive effort. Have standard operating procedures (SOPs) for how to document the ongoing performance of third parties and make this part of business line training. 

Make it convenient to document observations about the health of the relationship. Make consistent records of evidence and observations of a third party’s compliance or non-compliance with terms, conditions, and performance.  

Why is Documentation Important? 

Even if the government doesn’t come knocking on your door asking to see evidence of what you knew, when you knew it, and what you did about, there are other uses for this recording keeping. Having consistent and accurate documentation of your third-party evaluation efforts serves many purposes including:  

• providing rationale for continuing the relationship,  
• creating baselines for remediation or performance improvements,   
• transferring relationship knowledge to those beyond the business relationship manager, 
• gaining insights from performance trends across geographies or types of suppliers, and 
• providing justification for refining the due diligence or risk assessment process. 

And, If the day comes when you need to terminate the relationship for failure to perform, you will have the documentation you need to support your decision and to ensure that the third party does not reenter your ecosystem down the road. 

What to document 

• Document why you got into the relationship with the third party and why you continue to stay in the relationship.  
• Document if you have confidence or reliance in what the third party is telling you – and, the reasons why or why not. 
• If there are deviations from SOPs or allowances for non-conforming third-party behavior or performance, clearly note the reasons for any deviation. 

The best approach is the one tailored to your organization 

The size of your organization, your compliance team and your third-party universe are all secondary considerations behind risk scoring of your third parties when determining if you are sufficiently overseeing their performance. Your organization might be a large, multinational or a smaller company with a domestic or regional footprint. You might have hundreds of third parties or tens of thousands of third parties. Take advantage of the unique opportunities in and needs of your organization to develop a method of monitoring third party performance that: 

• Matches the level of risk assigned to your third parties 
• Creates a standardized and convenient process used consistently by the business 
• Furthers the relationship between you and your third parties and encourages the adoption of ethics and compliance best practices 
• Provides documentation of your rational for continued engagement with or termination of third parties 

Connect with one our experts to learn more about how Ethisphere’s specialized assessments can assist in uncovering the capabilities, threats, and opportunities for improved third-party risk mitigation.