Leaks of customer data, corrupt practices by foreign agents, IT breaches. These are just some of the biggest risks that companies face with their third-party relationships. Despite the known dangers, few get it right when it comes to budgeting for their defense strategies.
That’s particularly true of mid-sized firms whose third-party ecosystems have grown while their compliance practices have remained stuck in a small-company mentality.
Often these companies have cobbled together compliance budgets as they’ve grown. That means they end up with critical gaps that cost more to set right later. For example, a general counsel may have set up a program to assess foreign bribery and corruption risks some years ago … but did not put in place a system to re-certify and monitor relationships. The result is an outdated program that must be started anew.
Or maybe that GC smartly included contract language giving their firm the right to audit its higher-risk third parties … but there’s no budget to carry out those audits. It could be problematic if an enforcement agent investigation finds that your third-party contracts include a right to audit, but it’s never been exercised.
Battle of the budget
Despite the obvious need, mid-sized companies’ compliance pros still get pushback when they seek to fund compliance programs, even with evidence to justify the expense. It’s finally widely accepted that smart technology is vital to cope with rapidly changing regulation and digitalization of customers’ private data.
Even so, it’s not enough to simply buy some software and put up your feet. Budget should also be allocated to follow up on tech-identified problems, such as cutting relationships or remediating them. That requires funds for training, ongoing monitoring, due diligence, audits and investigations.
How much will a thorough compliance program cost? Well, how long is a piece of string? The expense varies widely depending on factors including the industries and geographical areas in which a company operates. The bulk of the effort and expense will be devoted to the relatively small number of high-risk partners, but that could range from as low as 3% to as high as 20%, depending on the industry.
Arguably the biggest cost determinant has less to do with the company and more to do with the type of partner it chooses to help it set up and run a compliance program. A firm that relies exclusively on external legal and technical expertise will end up paying a lot more than one that uses strategically assembled solutions to identify and isolate which third parties require spend — and which do not.
The process — and costs — of budgeting for a compliance program can seem daunting, but let’s break it into two broad categories: Set-up and maintenance.
The initial set-up involves creating and supporting a tech platform. It also requires constructing a mechanism for assessing the company’s spectrum of third-party risks. The next step requires drilling down into individual relationships to thoroughly understand the risks. Creating mechanisms for legal reviews of program operations and third-party assessments could require up to $50,000 and $25,000, respectively.
Technology is vital for breaking down internal silos and efficiently documenting responses obtained through questionnaires sent to suppliers and agents. The set-up and customization can range from $3,000 to $20,000 for a mid-market firm. If internal tech support is required and you will be billed internally, don’t forget to budget for this item, which could cost up to $50,000.
The important point here: It needn’t be overly expensive. Smaller firms can get most of what they need from technology by using something that’s best in class and more prescriptive, rather than a highly customizable option that requires more resources to set up and run.
Budget wild cards
A compliance program that isn’t updated and monitored consistently is almost as bad as no program at all. Some would argue it’s even worse. That’s where the maintenance portion of the budget equation comes in, including tech licensing fees ($3,000 to $20,000 per year), ongoing monitoring of third parties (up to $20,000) and changes in assessments to keep up with evolving national and international regulations (up to $25,000).
It’s also essential to budget for due diligence. If your assessment deems a third party to be high risk, you’ll need more research. Perhaps you have a third party in Vietnam who does a lot of selling to government, raising the potential for you to be associated with FCPA violations. Research to determine factors such as who is really behind that company, whether it’s ever had any compliance issues, and whether it has its own anti-bribery program will be essential.
Budgeting for this item can be tricky, but industry peers and vendors can help you assess what proportions of your population may require research.
The maintenance side also contains several budget wild cards.
Staff training is one. It’s important to invest in training that gives your compliance team the skills to manage your hottest third-party risk areas. If most of your problematic relationships are in China, you should direct training dollars toward educating your colleagues at the front line of these relationships. The cost depends on a variety of factors, including whether you train internally versus hiring outside corporate specialists.
Will you need a budget for conducting investigations? Building it in raises awareness internally that you can play a key role in proactively identifying and mitigating risks.
While many of the line items mentioned above may be estimates, the exercise of budgeting alone is worthwhile. As you assemble the budget, questions regarding risk appetite, resources available, and how you operate your program will become much more obvious. Making smart, informed choices about how you allocate funds can help you achieve a well-functioning, defensible program without major spend.
Original source: Entrepreneur