REUTERS | Global Creative Services (no copyright)

How to eat the ‘Third Party Elephant’: the first step in effective third party risk management

Third parties (3Ps) can be valuable partners, providing competitive advantage through the supply chain and access to opportunities and markets. However, it is well known that 3Ps can expose businesses to bribery and other regulatory risks, with the OECD’s 2014 Foreign Bribery Report stating that 75% of the bribery cases it examined were carried out by third party intermediaries. Whilst most legal and compliance professionals, and to varying extents our business colleagues, understand this risk, managing 3Ps is a daunting task for those implementing a new 3P risk management process, and an ongoing and challenging one for those further along the journey.

Many organisations dive straight into 3P management by developing frameworks, or purchasing technology platforms without investing enough time in understanding their 3P ecosystems. This can be an expensive mistake.

The first bite of the elephant in a 3P programme is the thorough identification of 3Ps. This is critical if you are thinking about a framework for the first time. This is also important if an existing framework is being reviewed, as your 3P landscape may have evolved since the management system was introduced. Your identification (or review) exercise should seek to gather information on your 3Ps such as:

  • Who are they?
  • What do they do for us?
  • Who do they typically interact with on our behalf?
  • How much do we pay them?
  • Where do they operate?

Without this business intelligence, it is impossible to design systems that will be risk proportionate and fit for purpose.

So, what are some of the factors to be considered when embarking on, or reviewing, a 3P identification exercise?
Start by defining the scope. Will you focus on bribery or are you required to gain insight into a broader suite of risks such as sanctions, anti-trust, modern slavery, data privacy and tax evasion? Your organisation’s risk profile should inform this question. Other factors that will determine scope include:

  • Compliance programme maturity – a new or less mature programme will probably focus on a specific area of risk. Conversely, companies with mature programmes will want a complete view of a 3P’s suitability to partner with them by reviewing the gamut of risk areas.
  • New regulation – this could be a key factor in determining scope. For example, the UK’s new failure to prevent facilitation of tax evasion legislation has resulted in companies querying their 3P landscape to identify where their tax evasion risk exposure lies.
  • 3P population – anecdotal evidence from the business or data from prior exercises will provide an indication of the scale of your 3P landscape. If the population is significant, you might want to phase your information gathering by focusing on the highest risk relationships.
  • How deep into your supply chain will you look? For example, will you seek information on 2nd and 3rd tier supply chain members?

Develop your information-gathering tool

Decide what sort of information you require. Your information gathering tool doesn’t have to be as extensive as a full-blown risk assessment questionnaire. At this stage, you simply need sufficient information to help you carry out a preliminary risk-ranking and form an early view of the risk exposure. At a minimum, your request list should include:

  • Name of third party.
  • Address.
  • Country of registration.
  • Date of incorporation.
  • Countries of operation.
  • Type of third party.
  • Relationship length.
  • Affiliations to politically exposed persons or State-owned enterprises.
  • Current agreement and term.
  • Business case.
  • Services provided.
  • If sales channel intermediaries – order volumes and revenues.
  • Payments: quantum, type and frequency.

Provide a standard template to be populated with responses or provide a central portal. This makes analysis of the returned data easier and quicker.

Involve your business partners

It will serve you well to involve the business in scoping and designing the exercise. As part of your process, engage with your business partners and explain the WHY, WHAT and HOW. Don’t forget to tell them what is in it for them. Most importantly LISTEN. The business will provide important insights. Consider piloting the exercise with one or two business units. They could serve as champions for the project.

Running awareness training ahead of a launch or re-launch is an effective way to get the business to understand or remember the value of the 3P management exercise. Engaging with the business will also help you to get much needed buy-in. Remember two key questions the US DOJ lists in its guidance on the Evaluation of Corporate Compliance Programmes in relation to policies and procedures:

  • Who has been involved in the design of policies and procedures?
  • Have business units/divisions been consulted prior to rolling them out?

Get a member of the executive team to sponsor the exercise. Consider one of the commercial team rather than the General Counsel and/or Chief Compliance Officer, to provide a level of independence as well as valuable commercial input and tone-from-the-top.
Legal and Compliance functions can often be focused on their own agendas, particularly if they are not integrated into the business. They may fail to consider what else might be happening across the business when planning or deploying their projects. Think about when to launch. Set realistic deadlines. Ensure the business has adequate time to collate the data. If you don’t, you will end up with sub-optimal information.

Other factors to consider include:

  • What other information requests have recently been submitted to the business?
  • Avoid (or take into consideration if avoidance is not possible) busy month-end or year-end periods.

Analyse the data

Once you have the data, you should sort, query and risk-rank your 3Ps. This analysis will provide useful management information such as:

  • How many of your 3Ps operate in high-risk territories?
  • Is a 3P providing services to multiple business units, which you’d previously been unaware of?
  • Does your business have exposure to state-owned 3Ps or those affiliated to politically exposed persons?
  • Does the data throw up anomalies such as unusual payments or weak business rationales?

A well-positioned and thorough exercise will often result in a streamlined 3P landscape even before detailed risk assessment occurs, as it may become apparent that a number of 3Ps don’t deliver commercial value.

Your exercise will give you a helicopter view of the types of 3Ps in your ecosystem, what they do for you and therefore the potential risk exposure. This will enable you to develop a risk-based 3P management framework based on data and not a hunch.

Lucille Dolor is a qualified solicitor and Business Ethics and Compliance Advocate who helps businesses earn profit responsibly. Lucille has 20 years’ plus experience in corporate governance, values-based ethics, organisational culture, regulatory risk and compliance, anti-bribery and corruption, fair competition, conflicts of interest and the new UK tax evasion legislation. Most recently, as Group Head of Business Ethics at Spectris plc, she led, developed and embedded a business integrity strategy and compliance programme across a highly matrixed, international and cross-cultural organisation, resulting in a consistent and strong values-based culture with a focus on Absolute Integrity.