Issues between healthcare providers and third party suppliers have been well documented over the past few years. Because they need to ensure adequate access to medical supplies, healthcare providers depend on third parties to supply and distribute an array of products, which makes them particularly vulnerable.
Relationships with outside entities such as vendors, sales agents, distributors, consultants, suppliers and business partners present potential compliance, reputational, supply chain and financial risks.
Managing the risk of third party business relationships can be very complex and time consuming; however, ignoring those risks can have unforeseen consequences.
Although you can never completely eliminate the risks associated with using third parties, those who manage these risks well share a series of best practices. Together, these best practices can help you manage your risk.
First, embed language in contractual terms specific to legal, regulatory, financial and reputational compliance.
One of the simplest tactics organizations can use to protect themselves is to include, in every contract, language specific to all of the third party's obligations.
In this language, representations and assurances should be made that the third party will comply with pertinent laws, understands the company’s expectations and agrees to them in writing.
This should include not subcontracting work without approval. Failure to comply equals a breach.
Code of Honor
Second, take steps to implement a third party code of conduct, policy and certification process.
According to information from the Society of Corporate Compliance and Ethics, more than 80 percent of organizations do not have a third party code of conduct. Extend your code to third parties, or better yet, create a specific code applicable to third parties acting on your behalf.
An excellent companion to the code is a third party policy setting out how the organization expects third parties to behave. Obtain certification that they have read the code and policy and agree to comply.
Third, identify and perform risk-adjusted due diligence on all third party relationships.
Often, the hardest part of a third party risk assessment is developing a complete list of the third parties the organization uses and what information is available.
After you have worked closely with various departments – including IT, supply chain, accounts payable and procurement departments – to develop a comprehensive list of all third parties, the next steps are to identify the risk level of each third party and to conduct consistent, risk-based due diligence.
Even after engaging third parties, having an effective method in place to research and monitor for new developments with respect to third parties is critical. Due diligence should be an ongoing process.
Fourth, educate and train your third parties on relevant laws and regulations. Given the risk, it is simply not enough to require third parties to comply with all laws.
Training should also be administered on relevant laws and standards of behavior.
Report the Facts
Fifth, provide an avenue for reporting compliance failures.
Providing a venue for parties to report observed compliance failures allows organizations to investigate and address issues before they escalate or become public.
Document and Automate
Lastly, the sixth best practice is to document and automate the process where possible.
Even companies that have already implemented third party risk management programs are falling short because they rely on manual processes that do not scale and are difficult to document or audit. Document your process and, to the extent possible, automate regular monitoring activities and onboarding processes.
Randy Stephens is vice president with the Ethical Leadership Group, the advisory services division of NAVEX Global. Utilizing his global experience with Home Depot, Family Dollar Stores and US Foods, he now advises organizations on third-party ethics and compliance relationships as well as general ethics and compliance initiatives. www.navexglobal.com.