Third parties defined – what are they exactly, and how should these risks be managed?

Defining third parties

I frequently use the term ‘third party’ throughout my blog and in the course of my day to day consulting work. Most often, when we talk about third parties we are referring to suppliers, vendors or service providers, but there is a whole ecosystem of third parties present in business today – particularly applicable to those businesses that operate overseas.

As you can see from the table below, third parties also encompass contractors. This category is often forgotten, and contractors may even be treated as if they were employees, especially when evaluating insider threats; if contractors are not managed properly, that oversight can create downstream fraud, integrity and security problems:

Joint Venture Partner: An individual or organisation which has entered into a business agreement with another individual or organisation (and possibly other parties) to establish a new business entity and to manage its assets.

Consortium Partner: An individual or organisation which is pooling its resources with another organisation (and possibly other parties) for achieving a common goal. In a consortium, each participant retains its separate legal status.

Agent: An individual or organisation authorised to act for or on behalf of, or to otherwise represent, another organisation in furtherance of its business interests. Agents may be categorised into the following two types:
– Sales agents (i.e. those needed to win a contract)
– Process agents (e.g. visa permit agents).

Adviser: An individual or organisation providing service and advice by representing an organisation towards another person, business and/or government official. Examples include legal, tax and financial advisers, consultants and lobbyists.

Contractor: A non-controlled individual or organisation that provides goods or services to an organisation under a contract.

Sub-Contractor: An individual or organisation that is hired by a contractor to perform a specific task as part of the overall project.

Supplier / Vendor: An individual or organisation that supplies parts or services to another organisation.

Service Provider: An individual or organisation that provides another organisation with functional support (e.g. communications, logistics, storage, processing services).

Distributor: An individual or organisation that buys products from another organisation, warehouses them and resells them to retailers or directly to end-users.

Customer: The recipient of a product, service or idea purchased from an organisation. Customers are generally categorised into two types:
– Intermediate customer: A dealer that purchases goods for resale.
– Ultimate customer: One who does not in turn resell the goods purchased but is the end user.

Source: World Economic Forum (2013) Conducting Third Party Due Diligence Guidelines

Distributors can be particularly challenging for product-based supply chains, especially where a distributor has poor processes and controls over matters such as large discounts to end users, end-user verification, and inventory management (stock on hand, obsolete or discontinued stock marked for discount, and stock marked for write-off). Such distributors can be vulnerable to product diversion schemes.

How are companies responsible for the actions of their third parties?

It’s all too easy to forget that under legal ‘Principal-Agent theory’, the company contracting the third party (the ‘principal’) is generally responsible for actions taken on its behalf by that third party (the ‘agent’), making it essential that companies have the right programs in place to select, onboard, oversee and terminate their third party arrangements.


Third party risk is an area receiving increased attention from company executives and regulators world-wide, particularly in the following risk categories:

  • Reputation risks (including political donations)
  • Modern slavery risks
  • Bribery and corruption risks
  • Sanctions risks
  • Fraud & integrity risks (both vendor fraud and against the end user)
  • Security risks (including insider threats and product diversion schemes)

Increasingly, Environmental, Social and Governance (ESG) or sustainability considerations are also playing a role in third party and supply chain decisions, driven by preferences and / or pressure from shareholders, employees and customers.

All companies – large and small – are responsible for the actions of their third parties, and may find themselves the subject of reputation and brand damage as well as litigation, financial losses, and regulatory enforcement action if these risks are improperly managed. Additionally, small and medium sized companies are not immune to regulatory enforcement action simply because of their size.

What should companies do to manage their third party risks?

There are a number of actions that can and should be taken to mitigate third party risks such as those listed above. Whilst no program is ever able to completely mitigate the risk of something happening either now or at any point in the future, implementing steps to try to manage these risks does go a long way.

For offences involving bribery and corruption and breach of international sanctions regulations, regulators such as the United States Department of Justice (Foreign Corrupt Practices Act) and United States Treasury Office of Foreign Assets Control (sanctions regulations) provide pathways for principals to mitigate penalties for misconduct and illegality arising from the conduct of their third parties, but only where the principal has an appropriate compliance program in place to manage these risks.

Any program to properly manage third party risks must follow the third party lifecycle, which may include some or all of the following management actions:

Third Party program setup and governance:
1. Setting the ‘tone from the top’
2. Develop the Compliance Obligations Register
3. Determine risk appetite
4. Develop policies and frameworks
5. Undertake risk assessments
6. Develop a risk management plan, including risk treatment strategies
7. Training and awareness programs
8. Develop due diligence frameworks and programs
9. Develop ongoing monitoring and evaluation frameworks

Third Party Selection:
1. Document the principal’s specific requirements
2. Perform due diligence
3. Identify the third party’s material risks, process or capability gaps
4. Identify potential treatments for these gaps

Third Party Onboarding:
1. Develop risk-based contract schedules which are practical, auditable and enforceable by the principal
2. Agree contracting and legal agreements
3. Agree third party audit or contract compliance arrangements

Third Party Operations:
1. Perform Quality Assurance
2. Manage the third party relationship
3. Provide regular oversight and direction
4. Undertake periodic audits or contractual compliance reviews
5. Periodically review and update Compliance Obligation Registers and Risk Assessments
6. Undertake periodic due diligence throughout the term of the contract, with review frequency based on the assessed risk

Third Party Offboarding:
1. Execute termination protocols as agreed in the contract
2. Collect all principal documentation, Intellectual Property, equipment and other assets
3. Supervise the destruction of data, assets (e.g. molds, prototypes) or equipment where not easily transferred
4. Periodically review the footprint of the third party’s operations for a period after termination to ensure all IP has been returned, and monitor for competitor relationships

Source: Paul Curwell (2022) – illustrative actions to manage third party risks

All businesses today need third party relationships, and whilst these relationships present risks, they also present tremendous opportunity; most businesses would not be able to thrive without access to their third party ecosystem. The risks inherent in third parties can be managed effectively and appropriately via a risk-based approach that considers the context and materiality of each risk and implements practical, effective treatments that work for both the principal and the third party. After all, either party can walk away if contracting becomes too onerous, which may not be a good outcome for anyone. Treading this fine line is a matter of balance and mutual agreement.

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers.