
Evaluating Third-Party Business Risk: Know Where Your Vendors Are Operating

Lauren Weiner explores the importance of third-party risk management, through the analysis of real-life international third-party failures. How can an organization keep up with their vendor's reputation and business practices to avoid the same fate?

by Lauren Weiner, Threat Analyst

June 19th, 2019


It is fair to assume that your day-to-day tasks at the office do not include checking in on each and every vendor, whether that is the consulting firm your company hired to help restructure the organization or the law firm you keep on retainer. Years ago, your company researched the vendor and ultimately decided to enter into a business agreement. Since then, you request their services as needed and pay the fee accordingly. In fact, your company has gone through this same process – including conducting periodic assessments and monitoring for cyber risks – with dozens, if not hundreds, of vendors without giving much thought to continued monitoring of their reputation and business practices. After all, it is difficult to keep up with so many vendors, and even if you did have the time, you likely trust that they will continue to do honest work.

But if the company that has access to your entire customer database began to operate in a risky legal or business environment, would you find out? How would you know if the firm that handles your company's finances signed a contract with a sanctioned government entity? After all, some of the most reputable companies have been cited for using less conventional procedures while conducting business abroad.

Examples of companies punished due to international third-party failures 

Some well-known companies have been fined for failing to abide by lawful business practices while engaging in international transactions. Although events such as these may not warrant severing ties completely, you may want to consider taking steps to insulate your company from similar legal or reputational blowback. For instance, in 2010, McKinsey & Company signed a contract with the Mongolian government to consult on a new railroad project (after the State Department released a notice about the increasing levels of corruption in Mongolia). Construction was halted midway through the project due to a series of fraud and embezzlement charges, and McKinsey’s involvement came under scrutiny as well. While McKinsey did not face any official charges, the firm is no longer welcome to do business in Mongolia.

Similarly, in 2015 Bristol-Myers Squibb’s joint venture in China was reported to the Securities and Exchange Commission (SEC) for bribing health care providers with cash and other gifts in exchange for prescription sales. Bristol-Myers Squibb was required to pay upwards of $14 million in fines to settle the charges.

In 2016, Anheuser-Busch InBev violated the Foreign Corrupt Practices Act (FCPA) by using “third-party sales promoters to make improper payments to government officials in India to increase the sales and production” of its products in the country. Anheuser-Busch InBev had to pay over $3 million in disgorgement and report updates to the SEC about its improved business operations for two years following the judgment.

A simpler way to monitor your vendors’ business risks 

If a vendor pursues a joint venture or some other contractual agreement in a country where unethical or potentially illegal business practices are frequent, you should be the first to know. Penalties for FCPA violations can include multi-million-dollar fines, prison time, and other collateral consequences. Punishments such as these could dramatically disrupt your vendor’s normal operations and even weaken your information security defenses. Why not be proactive in mitigating all third-party risk posed to your company? Knowing where your vendors operate enables you to make a just-in-time decision when necessary.

Prevalent Business Risk Report

Prevalent can help 

Prevalent’s Vendor Threat Monitor (VTM) team stays up to date on your vendors’ public activities and alerts you to any events that may affect your company’s security. We notify you about a range of risks to your vendor, from opening a new headquarters, to firing a CEO, to new partnerships and joint ventures, to expanding into a new or particularly risky region. We also monitor major sanctions lists and send automated notifications if one of your vendors has been sanctioned.

As an example of the data we collect and report on, see the screenshot above. We collect and analyze information regarding organizational risks, regulatory and legal risks, brand risks, and financial risks; these risks inform an overall risk score that provides greater clarity on the health of your most important business relationships.

Prevalent’s continuous business and cyber threat monitoring makes it easy for you to keep tabs on all of your vendors so you can continue to make educated reevaluations of the companies you work with. And, as part of the most complete Third-Party Risk Management (TPRM) Platform on the market, cyber and business monitoring augments control-based assessments to provide a 360-degree view of vendor risks – inside-out, and outside-in. 

For more on how Prevalent can help you address your vendor risk challenges, contact us today. Or, download the latest Forrester report discussing the value of business and cyber risk monitoring.