Earlier this year, a large global organisation with a significant India presence found itself answering difficult questions posed by a US investigation team under the Foreign Corrupt Practices Act (FCPA) about the actions of the company’s third-party distributors, which constitute the vast majority of its marketing network. Should malpractice such as bribery eventually be established in this third-party network, the primary organisation faces a hefty fine and significant reputational damage that will negatively impact share prices and profitability. Elsewhere, a few years ago, another non-US-headquartered multinational company was fined $772 million in a similar FCPA action resulting from inappropriate conduct of third-party contractors.
Global third-party ecosystems of organisations, also known as the extended enterprise (including suppliers, support service providers, sales agents/distributors, joint ventures, subsidiaries and affiliates), have in recent years become stronger sources of strategic advantage. They enable cost reduction, access to scarce skills and knowledge, business agility and other innovative forms of enhanced business value. The scale at which this is now taking place is generally much larger than in the past. However, this is also bringing in newer risks, such as the threat of high-profile business failure, accountability for illegal third-party action or regulatory enforcement, all leading to reputational damage and erosion of shareholder wealth.
Management research indicates that this phenomenon of governance over third parties is still in its infancy. Particularly in India, outsourcing and third parties are almost synonymous with IT providers, which, in turn, have traditionally been addressed through a focus on information security and cyber risks. But businesses are learning the hard way that there is much more to this.
Organisational focus on third-party risk has traditionally been reactive and determined by who is driving the activity. Such a decentralised approach has led to a micro-focus on risk areas that interest certain parts of a business or certain functions (for example, operational performance from a supply chain perspective or information security from a corporate security angle). Organisations are now starting to depart from this myopia and are instead taking a Board- and leadership-led holistic and proactive approach to risk as a source of organisational value, covering all categories of third parties and all areas of risk. For instance, progressive Indian organisations are now considering operational risk factors (e.g. performance, quality standards, delivery times, KPI/SLA measurement) together with reputational/financial risk factors (e.g. labour practices, an understanding of financial health, appropriate charging mechanisms and adherence to these) and legal/regulatory risks (e.g. compliance with bribery regulations, awareness of global industry standards as they apply to third parties, health and safety compliance etc.).
It is easy to focus exclusively on the risk and forget the potential opportunity here. As Indian organisations continue to acquire leading global businesses from technology to toys, their future profitability will depend on how well they gain strategic advantage through a well-governed third-party ecosystem which brings in innovation, facilitates expansion to new markets and provides access to capabilities not available internally. Good governance and risk management are not about eliminating risk, but rather managing it appropriately, with efforts proportional to the overall risk to the organisation.