For Fortune Global 1000 companies with complex global footprints and multiple third-party affiliations, compliance with cybersecurity regulations, including anti-bribery and corruption laws, is a challenge. Global supply chains are inevitably elaborate, and household-name businesses that include social and environmental responsibility as part of their brand awareness may not be immediately aware of their own third-party (often called Nth-party) business affiliations.
Lee Kirschbaum, SVP of product, marketing, and alliances at compliance and risk SaaS vendor Opus states, “I think any of the stats you’ll find online will say that according to the OECD, 75 percent of all corruption and enforcement actions stem from third parties. If you look at the number of third parties a company will manage, it will be – call it on average 1,000 third parties. But you’ll see if they call out their vendor population in there, it may be up to 25,000 to 50,000 vendors and third parties. That keeps growing. We don’t see that shrinking as the web of who you work with and what you do expands: we have seen growth of 25 percent a year.”
Opus offers information and workflow tooling as well as SaaS support for third-party management, and was born from a merger of Alacra and Hiperos. Its customers include household-name businesses as well as life science and pharmaceutical enterprises. The premise behind Opus is that companies freed from the burden of conducting extensive compliance and risk testing themselves can focus on improving and optimizing core business practices.
Opus starts with mapping third-party affiliations. The mapping is further complicated by Nth parties, i.e. the third-party vendors that a company's own third parties use.
Because no existing technology can determine Nth-party affiliations, the best way to handle this risk today is through contractual obligations that grant audit rights covering Nth-party discovery.
This is particularly important given the prevalence of shadow organizations: in shadow IT, for example, a marketing employee could set up a relationship with a marketing automation provider without involving the IT department at all.
Another good example of Nth-party risk is cryptocurrency: irreversible transactions are a baked-in feature of certain currencies such as bitcoin.
Kirschbaum says, “I think it’s an emerging technology that not enough people truly understand. And furthermore, what’s complicating it is the ability to almost mask who’s doing what. So on the one hand, blockchain overall I think is going to drive a tremendous amount of efficiencies and improvements in the market. But I do believe regulations are yet to have kept up with the emerging changes and trends.”
According to Kirschbaum, anti-bribery and anti-corruption activity is concentrated mainly in the US and the UK, with several areas in Asia as well.
Defining best-practice policy is critical to managing high-risk areas. It is also useful in up-and-coming markets, where gifting and hospitality are the cultural norm. As with all business practice, policy and cultural compliance start at the top and move down, so leadership is the essential launch point.