What Compliance Teams Miss About Third-Party Risk

Episode 274 | June 08, 2026 | 00:22:46
Ethicast

Hosted by Bill Coffin

Show Notes

Someone set fire to a Kimberly-Clark distribution warehouse in California, caused $600 million in damage, and livestreamed the whole thing. The part that got less attention: he didn't work for Kimberly-Clark. He worked for a third-party logistics company they'd hired. Kimberly-Clark had a supplier code of conduct. They had compliance standards. They'd commissioned third-party audits. And it still happened.

That's the reality of third-party risk management — you can build a solid program and still get blindsided by something you couldn't have predicted. But that doesn't mean programs aren't worth building. It means they have to be built well, and most aren't.

In this episode, host Bill Coffin sits down with Emily Miner, Director on the Data & Services team at Ethisphere, to talk about where ethics and compliance programs fall short on third-party risk — and what strong ones actually look like. Emily draws on her work evaluating E&C programs across industries and her deep involvement in Ethisphere's World's Most Ethical Companies assessment process.

Emily also discusses her article, "What Makes for a Good Third-Party Code of Conduct?" published in Ethisphere Magazine. Link below.

Read Emily's article: https://ethisphere.com/magazine/what-makes-an-effective-third-party-code-of-conduct/

Learn how Ethisphere can help you measure and strengthen your ethics and compliance program: https://ethisphere.com/solutions

Subscribe for new episodes every week on YouTube, Spotify, and Apple Podcasts. Follow Ethisphere on LinkedIn for more on ethics, compliance, and what it means to do business with integrity.


Episode Transcript

[00:00:00] Speaker A: Hi, everyone. In this episode, we'll talk about the unique opportunity and responsibility that ethics and compliance has to manage its organization's third-party risk, and why it's becoming such a difficult endeavor. I'm your host, Bill Coffin, and this is the Ethicast. Third parties are essential to how most companies operate. Suppliers, vendors, distributors, agents, contractors, consultants, and other business partners often help organizations move faster, reach new markets, and deliver on their strategic goals. But they also create risk. Sometimes that risk looks familiar: bribery, conflicts of interest, data protection, labor practices, environmental commitments, or sanctions exposure. Other times, it shows up in more immediate and visible ways, when the actions of someone outside the organization can still create serious legal, operational, financial, and reputational consequences for the company that hired them. That is what makes third-party risk such a complicated challenge for ethics and compliance teams. The organization may not directly employ these individuals or control these companies, but it can still be judged by how they behave, how well they were vetted, what expectations were communicated, and what controls were in place. One of the most important tools in that effort is a strong third-party code of conduct. Done well, it is more than a contractual formality. It helps define what responsible business conduct looks like across the company's broader ecosystem. It gives partners clear expectations, and it reinforces that integrity does not stop at the company's own walls. With us today to talk about how E&C teams should think about third-party risk is Emily Miner, a director on the Data and Services team at Ethisphere. Emily helps organizations advance business integrity through strategic consultation on effective ethics and compliance program design and implementation. This includes program evaluation, benchmarking against peer practices, and executive alignment. She also partners with large organizations to assess and enhance the compliance maturity of companies along their value chain. Emily, welcome to the Ethicast. I'm so glad we got you on the show.

[00:02:11] Speaker B: Me too, Bill. I've been a long-time listener. This is my first time calling.

[00:02:17] Speaker A: Well, we're going to start with something that's a little Ethicast Reacts adjacent. I know normally this is something that me and Erica, Sam, and Byrne do. So with apologies to Erica, we're going to get a little close to the news, but I think it's pertinent to get our interview off the ground, because I'd like to begin by mentioning an event that made the headlines recently, when a disgruntled employee set fire to the inventory in a warehouse. He recorded himself while doing it. He posted it on social media while airing his grievances all along the way, and it was pretty wild stuff. But what's been overlooked in that story is that the guy didn't actually work at the warehouse he torched. He worked for a distribution company that was hired by the warehouse owner as a third party. Now, while this event is pretty sensational, what does it tell you about the likelihood and possible severity of third-party risk as something that E&C teams need to manage?

[00:03:06] Speaker B: Yeah, this event, and Bill, I think you're the one that alerted me to it, was quite sensational, as you say. And look, managing third-party risk is really hard. Like, would you anticipate that a disgruntled, if that's even the right word, employee of one of your third parties would take a lighter to many, many pallets of toilet paper? That's not something that we might anticipate. But as you also pointed out, third parties are so critical to your business operations. As critical as your own employees. More critical in different ways, in terms of the differentiated expertise or know-how or products that they can provide. But we have far less control over the actions of our third parties. We have far less insight into the culture of our third parties. Were there any signs that may have been percolating about this particular employee? We have far less influence. And in this case, the arsonist, I'll call him that, was an employee of a company called NFI Industries, and they operated a warehouse in California that was a distribution center for Kimberly-Clark. And as you pointed out, he torched the place. $600 million in damage. I was checking just in advance of our conversation, and as of a few days ago, which is a month since the fire, the warehouse is still smoldering. Some residents are still afraid to go back to their homes because they're having piles of ash fall into their yards. Really, really huge event that was caused by this person's actions. And as he was videoing himself setting fire to pallets of toilet paper, he said in this video, "All you had to do was pay us to live. There goes your inventory." So what could Kimberly-Clark have done to prevent this from happening? There are a number of steps that I am sure they did do, such as due diligence on NFI Industries, both from an operational perspective (can you deliver the service that we're expecting you to deliver?) and a financial perspective, but also a compliance risk perspective. And in doing my own due diligence in preparation for this conversation and looking into this event, I know that Kimberly-Clark has a supplier code of conduct that provides guidance to their third parties and, as they say, defines the minimum expectations. I know that they have what they call supplier social compliance standards, and they expect all their suppliers to implement appropriate actions and management systems to ensure that they can comply with the standards. Which is a step beyond saying "these are the standards." It's also, "we expect you to have the conditions, the management systems, in place to live up to them." And interestingly enough, given what the arsonist said in the video, one of those standards is related to wages, hours, and benefits. So that is even addressed. I do also want to say that another employee of NFI Industries who was interviewed following the arson attack said, hey, I make good money here, and now I've lost my job. So the arsonist said that he's speaking out or taking action against corporate greed. Is there really a there there in terms of his claims around pay? I don't know, although I would suspect probably not. And the last point that I'll make in terms of actions that Kimberly-Clark could or did take: they also engage third-party auditors to conduct site assessments that cover key compliance issues such as labor, discrimination, etc. So with all of that in place, and what seems like a fairly robust third-party risk management program and procedures and controls, could they have done anything to prevent this? And as I've thought about this, I really, Bill, have to borrow a line that I've heard you say many times, which is that people are going to people. I'm not really sure that there's much more they could have done. But what it does indicate is that third-party risk can present in ways that, as you said at the outset, we expect, but also in ways that we don't expect. So the point is that it's important to have a risk management posture and program in place to mitigate that third-party risk, peopling notwithstanding.

[00:08:35] Speaker A: Now, when we talk about third-party risk management, you talked about some of the things that, in this case, Kimberly-Clark was looking to address. But if we take a step back and look a little bit more universally, what in your experience are some of the kinds of things that E&C teams are most commonly looking to address by way of third-party risk management? And I guess the second half of that question is, do you think that third-party risk management receives enough emphasis in most E&C programs, given the potential severity of that risk?

[00:09:02] Speaker B: I think that third-party risk is receiving more attention these days than it has in the past. But still, thinking about third-party risk management in relation to other core programmatic elements like your training or your investigation program or your policies, et cetera, third-party risk management, in my experience conducting assessments of organizations' ethics and compliance programs and having insight into their practices through our World's Most Ethical Companies process, does tend to be less mature than those other programmatic elements that are a little more established. And I like to think about it from the third-party lifecycle. So from how we're identifying our suppliers or third parties, to selecting them, onboarding them, the ongoing monitoring during the relationship, and then the offboarding or termination. And ethics and compliance should have a role across all stages. And indeed, within our World's Most Ethical Companies cohort, 99% do have meaningful participation in or oversight of third-party risk management. It doesn't always mean that ethics and compliance is the owner of your TPRM program. They are in some cases, but in many other cases they're not. So it's less about ownership of third-party risk management, and more whether or not ethics and compliance has a seat at the table and is meaningfully involved. So where I see the maturity curve is: most organizations, at least that I'm interacting with, have a third-party risk management framework; they're conducting due diligence. But where it gets a little more variable is how embedded ethics and compliance is, either the people or the considerations, in those processes. So for example, can a contract be signed before due diligence is completed? That's often the case. Or is there a gate, such that you can't load a third party's payment information until a box has been checked that says they've cleared their due diligence? Are the processes manual? Do you have to do batch uploads or check in every week? Are we communicating via email, or are these processes supported by tools? Are you conducting due diligence on all of your third parties, on all your third parties that pose more than a low risk, or just on your third parties that are high risk? Do all third parties get the same due diligence, or is it responsive to the level and type of risk a third party poses? So this is where I see a lot more variability within third-party risk management and ethics and compliance's role. So it's not that there's nothing there; it's just how embedded, how sophisticated, how risk-responsive is it. Another place where I tend to see TPRM being less mature is in those other stages of the third-party lifecycle. So after you've done your due diligence and your onboarding, how are you monitoring them or evaluating their performance? Obviously organizations are doing that from a delivery perspective: is the third party meeting the expectations or requirements outlined in the service agreement? But what about from an ethics and compliance perspective? How are you communicating your expectations to your third parties? Are you providing any training to them on key risk areas, and if so, which ones? What about employees within your own organization that are managing those third-party relationships? Are they receiving targeted training? Do they know common red flags to look out for? So those later stages of the third-party lifecycle tend to be where I see less defined processes as it relates to TPRM.

[00:13:57] Speaker A: You recently published an article in Ethisphere Magazine entitled "What Makes for a Good Third-Party Code of Conduct?" It's a great article. I really enjoyed producing it, I enjoyed reading it, and I encourage everybody to check it out. But in that article you talk about the importance of a robust third-party code of conduct, and you provide some really compelling real-world examples of what strong codes look like. So I'd like to take this and flip it the other way. What are some things that you think third-party codes of conduct tend to miss or underemphasize?

[00:14:28] Speaker B: The thing that jumps out at me first, and it's not really a miss, but it's more how third-party codes are evolving, and it's just interesting for me to watch. So it's really common to see a third-party code that reads like a list of directives. But I'm seeing more and more third-party codes that are framing the code, and the provisions within the third-party code, as really more a commitment to work with suppliers that share your values, your principles, your standards for business integrity. So it's not just "get the job done and do it this way," but also "how are you going to get the job done?" And I think that this comes from a growing appreciation that who we partner with matters. You said at the beginning that companies are so often held accountable for the actions of their third parties. And that can be just from a reputational perspective. It can of course come in many other ways as well. Like, there's a really common statistic that over the last, I think, 15 years or so of FCPA enforcement, 90% of those cases involved a third-party intermediary. So separate from a reputational impact, there's a very real financial impact and trend of companies being held accountable for the actions of their third parties. So I'm seeing that more and more being incorporated or reflected in third-party codes, where it's about "we want to work with organizations that share our values, and this is what that looks like." JLL, their code is a really wonderful example of this spirit of partnership. So again, I don't want to say that it's a miss if your third-party code is not framed in that way. We do have different expectations of third-party codes than we do of employee codes of conduct. But it's more just an observation of a trend that I'm seeing. One place where I do often see something underemphasized in third-party codes is the clarity of expectations and requirements. So to give you a specific example, every third-party code will say something like, "we prohibit the use of child labor." Great, we all get behind that, and we know why that's important. But it's so much more powerful when you phrase that prohibition with specificity. So for example, "we prohibit employing anyone under the age of 15 or the age of completing compulsory education." When you think about it, particularly for global companies or those that have global supply chains, you have all these differences in laws and customs that are affecting business practices around the world. The use of your company's standard, which may be above and beyond that of a local law, I think is a powerful tool that really doesn't add that much word count, five words or ten words or something like that, but is so much more explicit. And Microsoft, their code is a really great example of this: they're really clear in their expectations, above and beyond these broad statements of "we prohibit XYZ." They go the next stage or the next level there. So that's one to take a look at. The last place that I'll share, where I'm seeing a lot more variability, so I do think some third-party codes miss this, is in any discussion of how the third-party code addresses the company's expectations or requirements for how the code will be implemented and enforced. Some third-party codes don't really say much on that matter. It's just, "here's the list of things that we expect or require you to do." Others will have a section, and many of them have this, that talks about, "in order for us to be reasonably sure that you can do all of these things that we just wrote in the previous seven pages, we expect you to have a management system that would enable you to comply with the code. We expect you to communicate these expectations to your own third parties, or to your employees that are going to be working on behalf of or supporting our organization." Some third-party codes say that complying with the code is a requirement of doing business. Others say it's an expectation. Some third-party codes will affirm the company's right to audit or to request information or documentation to assure that there is compliance. Others don't. Some require third parties to report violations of the code in a timely fashion to the parent organization. Others don't. So that implementation, accountability, and enforcement piece is one where I see a lot of variability, and sometimes it's missing altogether, and sometimes it's addressed at a very high level, and then in other cases it's covered in much greater detail. So I think that points perhaps to a lack of agreement around what is included, or the purpose of a third-party code. And I do want to say that just because a third-party code doesn't mention these things, it doesn't mean that those expectations aren't communicated to the third party elsewhere. Like, right to audit is often going to be in your contract terms if you have it, and maybe you have it for some third parties and not for others. So I certainly don't mean to suggest that it doesn't exist if it's not in the third-party code. I'm rather highlighting the variability that I see, and I do expect that will change as third-party codes become seen more and more as external statements of who we choose to do business with and how we expect them to behave, and therefore how we're holding them accountable to that.

[00:21:39] Speaker A: Well, Emily, it is always a pleasure to chat with you about best practices in ethics and compliance. So thanks once again for joining us on the Ethicast, and I hope we can welcome you back to the program soon. If you would like to read Emily's article, "What Makes for a Good Third-Party Code of Conduct?", visit the insight section of ethisphere.com, where you'll find that, as well as plenty of other free articles and blog posts on third parties, ethical culture, AI, and much more. And if you'd like to learn about how Ethisphere can help you measure and elevate your ethics and compliance program, visit ethisphere.com/solutions. Well, that's all for now. We hope you've enjoyed the show. For new episodes each week, subscribe to us on YouTube, Spotify, and Apple Podcasts. Also, follow Ethisphere on LinkedIn to learn more about how we help organizations like yours make themselves more successful and more resilient by advancing business integrity. Thanks for joining us. And until next time, remember, strong ethics is good business.
