The Criticality of Third Party Compliance Management

Efficiently managing one’s own compliances through software solutions is now a given for most organisations. However, building a robust compliance management process for third party compliance risk brings a unique set of challenges. The standards and metrics for assessing one’s own compliance risk are often not on par with those implemented for third party vendors, suppliers, partners and contractors. Several reasons can be attributed to this, mainly the difficulty in monitoring and the lack of appropriate standards and metrics. Non-compliance by third parties can have devastating consequences for principals, especially when multiple crucial third parties are involved with a company. Third party compliance management is therefore an integral part of the overall wellbeing and proper risk management of any organisation, and it cannot be ignored.

 

Defining Third Party Compliance Risk

Third party compliance management is the process of ensuring that key vendors, suppliers, partners and contractors involved in or impacting the business of an organization are compliant with the laws, rules, and regulations specific to their industry, to the extent these may affect the principal/engaging company. These third parties can range from key suppliers of materials and services to delivery/distribution partners for last mile delivery and everyone in between. It is important for every organization to:

  1. Define which type of third parties’ compliance is to be monitored;
  2. Segregate the various third parties into different risk categories (key materials provider being high risk, housekeeping being low-medium risk and so on); and
  3. Identify and list out the specific compliances (including compliance with internal policies, SOPs, etc.) for the third parties, which it would like to monitor.

 

The Importance of Third Party Compliance Management

While the onus of completion and the liability for non-compliance might not extend directly to the principal/engaging organization, we have seen several instances where non-compliance by a third party has had an adverse impact, financially, reputationally and otherwise, on the principal/engaging organization. These adverse impacts can manifest in the form of loss of profit, business, and goodwill. Section 134(5)(f) of the Companies Act 2013 imposes a duty on the Directors to ensure that they have devised proper systems to ensure compliance with the laws and that such systems are adequate. While emphasis is placed on maintaining systems and checks for a company’s own compliance requirements, third party compliance is often overlooked or kept outside the purview of such systems, which in turn may present these systemic non-compliance risks.

 

Challenges in managing Third Party compliances

Some of the significant challenges involved in implementing a robust third party compliance management framework are:

1. Culture issues:

While staying compliant is the foremost priority for an organization, it might not be the case for the third-party vendors associated with it. Due to their nature and market dynamics, small and medium sized third party companies may not have a time-tested culture of compliance and, further, may resist change given the “manageable” risks. Instilling a change in attitude in third parties can exhaust several important resources of the organisation.

2. The ever-changing legal landscape:

Frequent changes in the compliances applicable to organisations and their third parties add to this challenge. Third parties with low capital and small budgets may be unable to implement appropriate processes for staying up to date and complying with the latest requirements.

3. Requirement of resources:

The monitoring of compliances requires immense time, trained personnel and ongoing costs. Without proper allocation of appropriate resources, certain aspects could end up slipping through the cracks. The amount of time and resources that must be put into the exercise increases with the number of third-party vendors involved with a company.

4. Lack of software/automated solutions:

Monitoring the compliances applicable to third parties becomes difficult without automated solutions that provide better visibility and easier reporting. This becomes far more challenging as the number of such third party vendors increases.

 

To learn about the various methods/processes you can use to implement an appropriate third party compliance management system/solution at your organization, stay tuned for the second part of this blog post, where we will cover these details along with the benefits to be derived therefrom.

 

Written by: Ayon Chakraborty, Amala Halder
Edited by: Agnishwar Banerjee

 

Disclaimer

All material included in this blog is for informational purposes only and does not purport to be or constitute legal or other advice. This blog should not be used as a substitute for specific legal advice. Professional legal advice should be obtained before taking or refraining from an action as a result of the contents of this blog. We exclude any liability (including without limitation that for negligence or for any damages of any kind) for the content of this blog. The views and opinions expressed in this blog are those of the author/(s) alone and do not necessarily reflect the official position of Lexplosion Solutions. We make no representations, warranties or undertakings about any of the information, content or materials provided in this blog (including, without limitation, any as to quality, accuracy, completeness or reliability). All the contents of this blog, including the design, text, graphics, their selection and arrangement are the intellectual property of Lexplosion Solutions Private Limited and/or its licensors.

ALL RIGHTS RESERVED, and all moral rights are asserted and reserved.
