Third-party risk: How to trust your partners

Risk managers are increasingly focusing on third-party risks, hoping to control new threats to performance and reputation. But trust still factors heavily.
By Andrew Kenney

Third-party risk: How to trust your partners
Image by 3alexd/iStock

Economists once assumed that the new intercompany partnerships of the 1980s and 1990s would give way to mergers and joint ventures. Yet many services and goods today are delivered not by monolithic firms but by sets of companies that bridge sectors and continents.

Businesses small and large are relying on networks of allies to reach new markets and capital, creating relationships that are lasting longer than anyone expected. In response, a team of researchers from four universities in the United States and Amsterdam has examined how firms are measuring and controlling risk in this complex new world.

The group interviewed 38 managers at three unidentified international firms—referred to in the study only as biotech, technology, and retail—that rely heavily on partnerships. Separately, the researchers surveyed 56 chief audit executives.

Their study, published in the Journal of Management Accounting Research (see "The Use of Management Controls to Mitigate Risk in Strategic Alliances: Field and Survey Evidence," JMAR, Vol. 26, Issue 1 (Spring 2014), pages 1—32, available at aaapubs.org/loi/jmar), finds that the companies most dependent on partnerships, including technology and biotech companies, have established groups of employees and rules to manage their portfolios of partners.

Risk managers, they found, are bringing formal management techniques to these kinds of deals, hoping to control for a laundry list of new threats to performance and reputation. But, in many cases, it still comes down to trust.

The research team included Margaret Christ, an assistant professor with the University of Georgia's J.M. Tull School of Accounting; Henri Dekker, professor of accounting at VU University Amsterdam; Karen Sedatole, professor of accounting with Michigan State University's Eli Broad School of Business; and Shannon Anderson, a professor of management at the University of California—Davis Graduate School of Management.

In a recent interview with the JofA, Anderson highlighted the risks and rewards that a new partnership can bring. Here is a transcript of the conversation, which has been edited for length and clarity.

What makes partnership risk unique?

Anderson: We have a lot of experience in talking about risk within the company. Within the firm, you can kind of start from the presumption that everyone has the same aligned incentives around that single firm's profitability and performance and the way it interacts with all of its stakeholders.

But now we have to bring together two different firms, and while those two firms have presumably some shared space where there can be a win-win, they could compete in other spaces. And so their incentives may not be completely aligned across all of their businesses, and they do have two separate sets of shareholders and constituencies that they're beholden to. The controls have to recognize that.

Are partnerships inherently more risky than going it alone?

Anderson: It's going to be difficult to coordinate between the two parties. What [companies] are setting out to do is difficult to begin with. We're bringing this intellectual property together. We have a suspicion that when we combine it, something new and innovative may emerge, but it may not.

But the thing to keep in mind as a practitioner is: You have to ask yourself, as a baseline, what would my performance risk be for going it alone? You could have risk that a competitor beats you to the punch. And so it's this speed of competition that is driving firms to get over their fears of working together, but then to think prudently about controls.

What were the most prevalent of the 19 partnership risks you identified?

Anderson: The most common fear was around the protection of intellectual property. It went across all three of the firms, most prominently in biotech and technology. The concern is that you can write all the contracts you want, but once the intellectual property is leaked, or it becomes public domain, you can't get it back, and you may not be able to extract a high-enough penalty on the party that was responsible for the leak to compensate you for the loss of it.

Another that was equally important was product and service failure risk. This was the concern that whatever product you're providing is not going to deliver according to expectations and standards.

Another one was supply chain risk. This was most prominent in retail. Most recently, we had port shutdowns on the West Coast, and people worried, "Are we going to get materials into our stores in time for Christmas? Are we going to be able to have our shelves stocked?"

How do firms keep track of relationships and related risks?

Anderson: One of the most powerful controls in strategic alliances is the control that you use in selecting a partner in the first place, long before you write the contract. So you're going to use various routines to vet these suppliers, vet these partners, vet these customers, if you will. "Are they a good fit with my organization?"

When firms first enter into strategic alliances, they're feeling their way along—and it's often very relationship-driven and very idiosyncratic to the people involved in negotiating.

But as firms become more and more experienced in setting up these alliances, there are ways to form relationships. It might start between two individuals [who] see some potential and start a conversation. But very, very quickly, before that conversation can go to any level of commitment, the internal party must bring this to the alliance group and say, "This is what I'm contemplating."

What does an alliance group do?

Anderson: This central alliance group is a repository of information on all current alliances, the terms of those alliances, and the performance data of how those alliances are going. They're at central headquarters, and they're primarily a legal team, but they also include finance executives and people who have awareness of all other alliances that the firm is currently engaged with.

Let's say you've got a partner who's interfacing with five different parts of the organization. That partner could be performing very well in one of the transactions and very poorly in four. One of the things you can do [with a central alliance group] is leverage the partner's interest in doing business with all five parts of the business.

You gain bargaining power from having that information, and you gain consistency, of course, when you see a partner that over and over again, in different settings, with different relationships, performs well. Then you've got an even sounder basis for trusting that partner in the future.

How far will a good contract carry a new relationship?

Anderson: One of these firms, the biotech firm, said, "If you end up in litigation, you're not trying to resolve a problem, you're not controlling anything, you're just seeking revenge. And you're probably going to lose money over it."

And so, the issue is not, "Do we write good contracts?" Contracts are very important because they become the shared understanding of each partner of what they think they're trying to do. But once the contract is written, anecdotal evidence suggests it's largely put in the drawer, and from then on you've got to work through things in real time and respond to unanticipated problems.

While the contract can anticipate some things, it's control systems that are going to give you the flexibility to respond to the unanticipated in real time, as you move forward in this relationship that presumably may be anticipated to last some years and to cover many transactions and relationships.

What's the most effective approach to such a broad spectrum of risk?

Anderson: The thing I took away from this study, more than anything, is the complexity of the portfolio of risks that these firms are facing, and counterpoint to that, the complexity of the portfolio of controls that they're going to use.

One of the things that they're going to want to do is reach out to different parts of the organization, certainly well beyond the financial organization, who understand the operational and relationship risks, performance risks that they will be exposed to, and really come up with that long laundry list.

And then, if they anticipate that this is going to be a repeatedly used mode of operation—if they have a portfolio of alliances to manage—they have to think about, "What can we learn, and how can we impose some standards and practices more generally for the firm, so that there is learning across the alliances?"

What is one topic they might start with?

Anderson: Exit agreements are a really important thing. [Companies] enter into this agreement sometimes with an open-ended horizon, because we expect to innovate and to discover something new, and then we're going to all go off and get wealthy together.

But we'll have to also, at the outset, have a very sober conversation.

What are the divorce agreements? How do we walk away and maintain our happiness with one another? A lot of conversation happens upfront about stipulating under which we're going to revisit how things are going, and we're going to evaluate performance and decide whether it should continue.

Previous research split alliance risk into two categories: the "performance" risk that the partners will fail together and the "relational" risk that a deal will divide profits to one firm's disadvantage. What new lens does your research introduce?

Anderson: The third category of risk that stood as somewhat distinct is compliance and regulatory risk. This relationship, this collaboration is going to take place and be governed by sometimes more than one government's regulations. It's also going to be conditioned by the culture and norms of at least two firms. They have their values, their ethical standards, their mores, and so forth. And so, all of the firms that we saw spoke of this compliance-regulatory risk cropping up in some fashion.

In our retail firm, the retailer [in the study], one part of their product line is clothing, and as you might imagine, quite a bit of the garment and clothing industry is situated in Southeast Asia. One of the compliance and regulatory risks that they fear is that there will be some revelation that a supplier is violating those norms and that exposes them to reputational risk in their own markets. It exposes them to litigation, of course, if actual rules are violated—but all the firms had this in some form or fashion.

What specific controls are companies implementing as partnerships draw them into new domains?

Anderson: That's where we found a stronger reliance on trust between partners. If you were really exposed to these kinds of risks, you were going to take a lot more effort in your supplier selection to find a reputable partner, to find a partner that already had experience, that you could look to as a foundation for initial trust.

As you are going through the relationship, one of the things that's very common in this setting is informal review of partner operations: unannounced audits, visits to one another's locations and sites, exchange of employees.

The idea is that we need to be able to audit and anticipate the ways in which a partner or rogue employees of our partner could choose to act—to be aware of those possibilities.

How do relationships mature?

Anderson: In time, you can even have trust where you can say, "I trust you to do what's in the best interest of our partnership, even though it may not in the short term be in the best interest of your firm, because we're in this for the long run."

When I can see a history of behavior, and when I know what our relationship could be going forward, I can have more trust.

It may be of a calculative nature, where I say, "I trust you not to jeopardize the future because it's worth it to you to keep this relationship going." But it also can be socially bound, where I've had a beer with this person, I trust them, I think they're a good person, and I don't think they're going to do anything to harm me.


How audit committees can help stem third-party risks

Audit committees have plenty of risks to worry about within their organizations. But risks outside company walls can be just as harrowing.

Consider that 89 of the companies in the Fortune 500 average more than 100,000 suppliers each, according to PwC. The risks companies are exposed to because of those suppliers can be exponential—especially if those third parties have third-party suppliers of their own.

PwC offered steps an audit committee can take to facilitate its oversight and mitigate third-party risks:

Due diligence on reputation and capabilities: From simple web searches to questionnaires about compliance practices to making site visits, knowing more about a third party is the first step.

Proper reporting lines for third-party compliance: Organizations will be better equipped to mitigate risk if there is an assigned owner of the third-party management function.

Adequate contracts and policies: Agreements should cover protection of intellectual property, training of third-party employees, and rights to audit, and should define how the third party will "protect the company's IP, how employees will be trained in protecting the IP, and also anti-corruption matters for employees," PwC says.

Right to terminate the relationship for violations: Standard contracts should protect the company if a third party violates the terms of the agreement.

Extend employee hotlines: PwC recommends giving third parties access to the company's whistleblowing hotlines. Enabling anonymous reporting at the supplier level can give the company an early warning.

Set up monitoring of high-risk parties: This process is defined differently by companies, based on the dollar value of the relationship, the nature of the company's IP that the third party can access, or other measures.

Obtain periodic representations of compliance: Third parties could be required to submit evidence of compliance, including that entity's own audit. A company's decision to require periodic updates should depend on the level of risk the third party presents.

Exercise the right to audit with a documented process: Follow through on the right to audit with an actual audit that sends a clear message to the third party about the importance of compliance with a contract.

Monitor metrics and reporting: Key metrics should be regularly tracked, with specifics related to the nature of the third party's work with the company. Following up is vital when data reports are late or incomplete.

—By Neil Amato (namato@aicpa.org), a JofA senior editor.


About the author

Andrew Kenney is a JofA contributing editor based in Denver.

To comment on this article or to suggest an idea for another article, contact Jack Hagel, editorial director, at jhagel@aicpa.org or 919-402-2111.


AICPA resources

JofA articles

Publications

  • Financial Reporting Fraud: A Practical Guide to Detection and Internal Control, Second Edition (#029890, paperback; #029890e, ebook)
  • The Guide to Investigating Business Fraud (#056558, paperback)
  • Strategy and Risk Management: An Integrated Practical Approach (#PCG1309P, paperback; #PCG1207E, ebook)

CPE self-study

  • Common Investigative Techniques (#159957, one-year online access)
  • Fraud Prevention, Detection, and Response (#159966, one-year online access)
  • Fraud Risk Management (#165337, one-year online access)
  • Fraud Update: Detecting and Preventing the Top Ten Fraud Schemes (#741202, text; #158011, one-year online access)
  • Governance and Risk Management (#165349, one-year online access)
  • Risk Management (#165381, one-year online access)

For more information or to make a purchase or register, go to cpa2biz.com or call the Institute at 888-777-7077.

SPONSORED REPORT

How to make the most of a negotiation

Negotiators are made, not born. In this sponsored report, we cover strategies and tactics to help you head into 2017 ready to take on business deals, salary discussions and more.

VIDEO

Will the Affordable Care Act be repealed?

The results of the 2016 presidential election are likely to have a big impact on federal tax policy in the coming years. Eddie Adkins, CPA, a partner in the Washington National Tax Office at Grant Thornton, discusses what parts of the ACA might survive the repeal of most of the law.

QUIZ

News quiz: Scam email plagues tax professionals—again

Even as the IRS reported on success in reducing tax return identity theft in the 2016 season, the Service also warned tax professionals about yet another email phishing scam. See how much you know about recent news with this short quiz.