Know Your Third Party Risk

The diversity of the global supply chain has brought unprecedented opportunity to manufacturers, which can expand product lines, speed production, lower costs and get into many more markets than they could have in the past. In fact, today the bulk of value creation for a company’s production is happening outside of factory walls, within a complex ecosystem of global suppliers; a recent study by KPMG and Florida State University College of Business found that in-house value creation in some industries has fallen to as low as 20 percent.

But this more interconnected supply chain has also given rise to unprecedented risk. At any place in your logistics network, the negligence or nefarious actions of third-party suppliers can cause your company to unwittingly run afoul of regulations, such as the foreign corrupt practices act (FCPA). As companies like Microsoft, Walmart and Cognizant have all recently learned, not having a good handle on what third parties are doing won’t absolve you in the eyes of the regulators when rules are broken.

“If you look at all the large FCPA settlements handed down by the Department of Justice and the Securities and Exchange Commission, most or all the settlements had to do with the company not knowing their third parties, and not knowing they were doing business with a third party that was bribing foreign government officials,” says KPMG Partner Matthew McFillin, who heads up the firm’s forensic investigations and disputes practice. “And look at the companies that have settled—not all are Fortune 500 companies.” Indeed, midsize organizations are increasingly in the crosshairs, forced to pay costly settlements, lawyer fees, consulting fees—all of which take a toll on the bottom line. The reputation hit alone can level a business; one Oxford Metrica study estimated that after suffering an “extreme reputation event,” a company has an 80 percent chance of losing at least 20 percent of its value.

As the company grows and adds more third-party suppliers, so, too, grows the risk, McFillin adds. “So, if you’re a CEO of a company thinking you want to grow by 10 to 20 percent per year, this is really something you need to start thinking about now and get your arms around.”

One of the classic mistakes made by both small and large companies is insufficient due diligence when onboarding a new relationship, whether because that party’s role didn’t seem to warrant a thorough check or because time and resources were lacking. Those companies that do not allocate the necessary resources in the initial stages or those that rely on surface-level procedures, such as basic Internet searches and database checks, leave far too much up to chance, says Anu Sandhu, Head of Solution Management for KPMG, adding that many midsize companies currently rely on self-reported surveys for third-party due diligence. “Because it’s self-reported, it can very easily be classified as safe,” she notes, “but it’s not.”

However, thanks to big data, artificial intelligence and other new technologies, due diligence is no longer a laborious, manual exercise; today, multiple parts of the process can be automated, enhancing both speed and accuracy. “So what used to traditionally take, let’s say, three to five business days to produce, we are now able to do that in a matter of hours, if not minutes, depending on the third party,” says Pradeep Pai, CTO and Head of Engineering, KPMG Spectrum. He notes that KPMG’s risk-based Integrity Due Diligence can be applied either proactively or reactively for both identifying and managing risk. Reporting covers different levels of due diligence ranging from basic “desktop” due diligence and rapid assessments—within a few minutes—to enhanced due diligence and forensic investigative capabilities that could include in-country fieldwork and information gathering from human and other sources. KPMG assists clients with assessments utilizing technology augmented with subject matter expertise.

In one recent example, a global life sciences company wanted to assess current and prospective third-party intermediaries (TPIs) and business partners of one of their major business units in Asia, Europe, Latin America and the U.S. for adherence to its ethical standards and compliance policies. They also wanted the company’s compliance team to be able to assess the background and reputation of potentially higher‑risk TPIs, including entities and individuals such as medical professionals.

KPMG provided enhanced due diligence assessing the background and reputation of potentially higher-risk TPIs including entities and individuals such as distributors, agents, consultants, clinical research organizations and medical professionals. With a thorough understanding of the client’s TPI population, KPMG was able to help develop appropriate, risk‑based due diligence procedures; build out teams for due diligence, local language and subject‑specific review and quality assurance; and perform risk‑based due diligence on third parties around the world via the KPMG cloud-based solution.

Best of all, they were able to customize the approach based on the specific third party’s profile, says Sandhu. “If you have a solution that’s more automated, you can execute multiple risk approaches and cover the entire portfolio in a timely way.” Onboarding new third parties has become a much easier task, she adds. “They can easily add them and go through the necessary due diligence—it’s far more streamlined, as opposed to starting from zero.”

The resulting reduced risk pleased the board as well, noted McFillin. “Boards are always asking about this now. The fact that they were able to communicate to the board that they were able to get their arms around the risk in a quick and cost efficient way—that’s always good.”

Ultimately, the process of improving due diligence practices helps the business from more than just a risk perspective, says McFillin. “There are so many good business reasons to do this. For example, you may be able to consolidate vendors or you might get better pricing if you move certain business from one vendor to another vendor.” And if the procurement, compliance, legal and business teams are all communicating and collaborating, “the business benefits both from a business and from a risk standpoint.”

 

KPMG Mid-Market is focused on delivering solutions specifically designed for mid-sized companies. We leverage our knowledge, broad expertise and relationships to help you navigate today’s evolving challenges and help you break through the barriers that limit your ability to compete and grow. Whether you’re looking to expand your business, optimize profitability, get the right team in place, raise financing or exit—we’ll listen, connect you to the right people and work alongside you to find the answer. For more information, please visit https://advisory.kpmg.us/issues/mid-market.html