Regulatory action and reputational damage arising from third-party actions could cost shareholders an average of ten times the size of any fine faced by companies as their market value is impacted, according to Deloitte.
Deloitte’s research, Third party governance & risk management: Turning risk into opportunity, highlights the average combined direct fine and remedial costs of failing to appropriately identify and manage third parties.
This has ranged from £1.3m to £35m before the cost of indirect losses, such as reduced sales and reputational damage. Where legislation is applicable on a global cross-industry basis for internationally operating businesses, the range is far higher, reaching £650m.
The negative impact on share price itself is an average of 2.55%.
However, Deloitte estimates that organisations could gain competitive advantage over their peers, outperforming them by an additional 4–5% return on equity, by adopting effective third-party governance and risk management (TPGRM).
In the case of Fortune 500 or Financial Times 500 (FT 500) companies, this could mean an average uptick in earnings (EBITA) of between £17m and £350m.
Kristian Park, partner and global head of TPGRM at Deloitte, said: “It’s not all doom and gloom for organisations reliant upon the services of third parties. Headline stories depicting regulatory action and reputational damage have caused many to reconsider their approach to third-party management.
“Those that adopt a proactive and leadership-led approach stand to unlock significant gains by turning risk into opportunity. Good governance and risk management is not about eliminating the risk of doing business with third parties, but rather managing it appropriately.
“An effective TPGRM structure will seamlessly incorporate the right structures, processes, people and technology into the business and ensure it is used consistently throughout the organisation.”
Seven elements of best practice
The Deloitte study sets out seven elements for implementing best-in-class TPGRM:
Governance structure: Strong governance structures are those that manage third-party risk at an enterprise-wide level, and have dedicated and empowered senior-level teams in place to drive consistent behaviours throughout the organisation.
Ownership (clarity of roles and responsibilities): The extent of ownership of performance and oversight of the TPGRM framework should be known by those tasked with it, and kept up to date to avoid an inability to manage risk in the event of staff departures or role changes.
Stakeholder engagement (awareness and commitment): An effective TPGRM programme will ensure an organisation’s people are aware of its processes and, crucially, understand how they are followed. Internal compliance is also key and dependent on the quality of “back-end monitoring”.
Capability: Ensuring that the most appropriate individuals with decision-making authority are allocated ownership for tasking TPGRM efforts. Such individuals will have the competencies and skills to apply judgement in line with business requirements and risk-management needs.
People and skills: Linked to the above, resourcing the right individuals will ensure skills, experience and seniority are compatible with TPGRM demands.
Process: Good processes are not only robust, clear, and achievable, but also aligned to the organisation’s stated risk appetite. The most optimised processes will provide a positive experience for both business and third parties.
Technology: Having the right technology in place supports a TPGRM framework seamlessly, from inception to exit of a third party. At the very highest level, this would also include the ability to manage third parties at both an engagement and relationship level, exploiting all opportunities arising from the extended enterprise.