BW Businessworld

'Companies Need To Establish Effective Communication Processes With Third Parties'

In an interview with BW Businessworld, Anthony Crasto, partner in the Risk Advisory practice for Deloitte India, talks about risk management and how organisations can deal with it.


Supply chain risk continues to rank among the top concerns of executives. How can an organisation integrate this with overall enterprise risk management?
In my view it is important but may not be very significant in the overall scheme of things. It is more of an operational risk. This risk becomes more important only if there is a significant dependence on vendors/products for sourcing or product quality within the supply chain, or if there are challenges in ramping up the supply chain with regard to the achievement of business goals. This is more industry-specific, and companies are monitoring it as part of their overall risk management framework through adequate risk mitigation strategies and oversight.

However, the most important risk themes emerging across geographies and businesses mainly pertain to cyber security; technology evolution/innovation impacting business models, products, service delivery, etc.; regulatory compliance (especially cross-border: FCPA, GDPR, data security, AML, etc.); people and talent risk; third-party risks; cloud computing; social media; stakeholder management; natural resource availability (mainly water); government policies; negative/changing consumer perspectives; the digital revolution; etc. Companies need to focus on these risks as applicable to their businesses.

Organisations are still not fully equipped to manage extended enterprise risk. What are the major guidelines one should keep in mind while building a framework to manage third-party risk?
Organisations are significantly outsourcing various business activities to third parties. These may be in the nature of product manufacturing, technology service delivery, processing of transactions, customer service, outsourcing of functions, hosting of technologies, etc. In addition to entering into supply or service contracts, organisations are also entering into various partnership agreements, alliances, joint ventures, joint marketing contracts, etc. Hence the third-party ecosystem is very large, ranging from low-value contracts to multi-crore contracts, and it also varies in the nature and complexity of services/products. Keeping this background in perspective, organisations need to have a holistic view towards managing their third-party risks.

In order to implement/build a strong framework to manage third-party risks, organisations need to focus on three main elements, i.e. People, Process and Technology.

While organisations are building control frameworks to meet various statutory and regulatory requirements, how can one assess the effectiveness of such frameworks?
The effectiveness of frameworks can be assessed by the following:

•    Self-Assessment and Independent Audits: Companies can implement a self-assessment framework for business owners to provide their assessment of compliance levels. These assessments can be periodically validated to determine their accuracy through third-party independent audits or audits done by independent internal teams/functions. Companies/Boards may then assess the accuracy of the compliance reporting done by management through self-assessments vis-à-vis independent audits. This will provide them with a view of the effectiveness of the frameworks. Management and Audit Committees are also including 'Compliance Audits' as a key audit review area in the internal audit plans.

•    Assessing the compliance content: Companies need to review their compliance content, i.e. applicable laws, provisions, etc., with the aim of ensuring that the content is relevant and, as far as possible, comprehensive. This again can be done by internal teams or through external consultants/service providers. If organisations are large and have multiple businesses/operations/units, they may want to benchmark the compliance content across their business operations to identify anomalies/mismatches, if any.

•    Assessing Management Focus on Compliance: The effectiveness of the framework is also dependent on how much importance/seriousness the individuals charged with governance and oversight give to compliance. Compliance with laws/regulations/standards should be embedded in the ethos of the organisation and also be an important agenda item in meetings and forums. Required actions should be taken to address non-compliances and also behaviours which support non-compliance. Demonstration of such principles will give more comfort on the effectiveness of the frameworks.

•    Strength of enablers: In addition to management focus, the kind of investments which companies make in terms of technology, training, communication, and enhancing the framework's maturity on a yearly basis also strongly demonstrates the effectiveness of the framework.

•    Non-compliances identified by regulators: The ultimate litmus test of the effectiveness of any compliance framework is based on issues identified directly by the regulators through their reviews and checks. If these issues were not proactively identified by the management through the framework, then the effectiveness of the framework itself can be questioned.

Indian companies still need to focus on compliance training, compliance strategy processes, and policy management, as they are lagging behind in these areas compared to global companies. What is the role of Chief Compliance Officers (CCOs) with respect to this?
As the risk landscape continues to shift, and as ethics and compliance functions become more integrated into the fabric of organisations, CCOs are assuming a much more strategic role when it comes to helping organisations manage compliance and reputational risk. In the past, risk management was the purview of other areas of the organisation, while the CCO focused primarily on routine compliance risk management activities. However, in more recent years, many organisations have begun to recognise that the risks CCOs mitigate—in particular, reputational risk—are critical. Fundamental to the CCO's role is designing programs that help to ensure compliance with laws, regulations, and enterprise policies. Mature organisations recognise that the CCO's efforts ultimately protect the organisation's reputation—perhaps its most important asset. The CCO's role is focused on developing processes and a mindset that weave integrity into the fabric of the organisation. At a macro level, their role is not limited to helping the company address pain points pertaining to compliance and ethics issues; it extends to helping the company build processes and a culture which will help to prevent such issues.

Do CCOs have enough authority to be able to address the right risks, and are they using effective metrics to measure their compliance programmes?
This varies across organisations based on their maturity levels, ethics and integrity principles, the importance given to the compliance function, governance oversight, etc. Over the last decade, companies have been realising the implications of non-compliance on their business. These can range from minor penalties to complete business disruption and brand erosion. Those who have gone through the pain of a compliance/integrity issue know the importance of compliance and hence do not treat it as a cost but as a tool for business continuity and growth. CCOs in such organisations possess the required authority to address the right risks and have the necessary tools to measure the effectiveness of compliance programs. At the end of the day, it is the company's intent and the CCO's competencies that matter the most.