The EY Global Integrity Report 2020 spotlights the ethical risks from supply chain disruption for companies under pressure from COVID-19.
With the COVID-19 pandemic upending business as usual and placing new pressures on markets globally, it highlights the need for companies to fully trust the third parties they work with. This trust needs to be built through a careful program of risk-based screening that is carried out on a consistent and robust basis.
The COVID-19 outbreak has caused significant disruption to supply networks, with 94% of Fortune 1000 companies reporting changes to their supply chains since the start of the crisis, as they diversify from existing supply chains to new partners, countries, sources and vendors. The EY Global Integrity Report 2020 (pdf) research shows that the disruption to supply chains resulting from the pandemic is seen as one of the largest threats to business integrity: 28% of respondents say it’s one of the highest risks to ethical conduct in their business.
As companies respond under pressure to ensure business continuity, they may be exposing themselves to unknown levels of risk by engaging with new third parties that have different ethical values.
34% of companies are very confident that their third parties — including suppliers, vendors, partners or consultants — abide by relevant laws, codes of conduct and industry regulations.
An intensifying problem
Even before the global pandemic, companies faced integrity-related challenges on or around their third-party practices, with issues such as beneficial ownership, modern slavery and sanctions.
As organizations start to regenerate, emerging from the pandemic into a harsher economic climate, they may be more inclined to turn a blind eye to unethical actions relating to their third parties. Whether this involves cutting corners on processes and procedures, or knowingly colluding in unethical or illegal behavior to help the organization survive, the price can be high.
Many jurisdictions state that companies have liability for the actions of third parties. In fact, 90% of US Foreign Corrupt Practices Act (FCPA) violations include acts by third parties, a Stanford Law School resource notes. 1
Although ethical third-party management is always crucial for companies, our data shows that they are failing in this regard. Only a third (34%) of companies are very confident that their third parties — including suppliers, vendors, partners or consultants — abide by relevant laws, codes of conduct and industry regulations. This is concerning and suggests an apparent lack of thoroughness in vetting and management.
What is especially concerning is that respondents cite ignoring third-party misconduct as the top unethical behavior they would commit for personal gain.
Across all respondents, 1 in 10 would ignore unethical conduct by third parties, but this figure doubles to 1 in 5 among board members. Such results will negatively affect shareholder confidence in the board members and reinforces the need for change.
Ignoring third-party misconduct is a huge risk for companies. For example, technology giants have come under fire for the working conditions imposed by their overseas suppliers.
Organizations can protect themselves from risk by holding third parties to account on their levels of integrity. This can be achieved by taking a proportionate risk-based approach to engaging and managing third parties. It’s not just supply chains that can bring about third-party risk to companies — they can face significant risk when acquiring, partnering with, or investing in other companies.
“There are practical ways an active monitoring program can help protect against third-party misconduct, in particular when supply chains are being reset,” says Emmanuel Vignal, EY Asia-Pacific Forensic & Integrity Services Leader.
Our research shows that 95% of respondents believe integrity-related risks are among the most significant when undergoing a transaction. The top risk when engaging in an M&A transaction is cybersecurity (20%). When acquiring another company, or partnering with one, companies must be certain that the third party follows stringent security and privacy practices. Other major risk factors companies face when engaging in M&A are accounting manipulation (17%) and hidden high-risk relationships (17%).
Since a scandal related to a private equity firm was exposed in 2018, and the firm’s subsequent collapse, the industry has referred to it as a “wake-up call” for investors to strengthen their due diligence procedures, which may help uncover conflicts of interest where complex relationships exist.
As investors start to look again to the emerging markets for greater returns, it is important to remember that integrity plays a significant role in M&A due diligence: 19% of organizations say that the integrity of the management at the acquired organization is among the biggest risks associated with buying, investing in or partnering with an organization.
In acknowledging the impact that unethical behavior may have, some organizations are including so-called “#MeToo clauses” in certain M&A transactions, where the target organization states that its record on personal conduct is clean.
Companies must assess the integrity of all parties in M&A activity, but our data suggests this is not happening enough. Less than a third (31%) of companies carry out due diligence on reputation and integrity, and only a quarter (25%) implement bribery and corruption reviews.
As investors emerge from the pandemic, assessing the potential opportunities before them, greater caution and care must be taken to ensure that their integrity is not compromised by the misconduct of their associated third parties.
How to protect against third-party misconduct with integrity
Actions to take now include:
- Perform proportionate risk-based screening on new third parties. Trust with third parties is built through a consistent and robust level of screening that is proportionate to the level of risk. This should identify and assess possible legal, reputational or financial risks.
- Risk-rank your third parties according to your organization’s risk appetite and integrity agenda. Determine the level of risk your organization is willing to take.
- Take appropriate actions to mitigate any red flags. Risks identified during due diligence must be addressed before engaging a third party, for example by adding specific contract clauses. Be prepared to walk away if the risk cannot be adequately mitigated.
- Update your understanding of your existing third parties. It’s not enough to perform screening once when onboarding new third parties. Ongoing due diligence should be performed on your existing third parties according to their risk ranking, so that any new or emerging risks are considered.
- Don’t forget fourth parties. Many third parties subcontract their services and will have their own respective supply chains. For the most critical fourth parties, ensure they undergo the same level of screening as third parties.
- Integrate digital technology and automation to improve efficiency and decision-making throughout the onboarding, screening and monitoring of third parties.