The management of the Compliance Management Model by third parties

Why it is important to know the risks of your third parties. 

The effectiveness of the Compliance Management Model also lies in its application to third parties, as its level of operation will undoubtedly be conditioned by the size and nature of the organisation. Hence, the organisation must proceed with extreme caution in its relations with suppliers, business partners or third parties linked to the company's stakeholders. The entity must ensure that all those who relate to it within the framework of its activity effectively assume the values of the Compliance Management Model. 

Consequently, in order to be able to properly assess the Model, the company must exercise strict control over the reputation and relationships of its external partners, either through periodic controls, training, audits and/or annual certifications of compliance with the Model by the third party, with the fundamental purpose of being able to determine whether a compliance programme is capable of detecting illegal or irregular conduct committed by suppliers or other third parties, and which is likely to occur in their business activity with the company. 

The Compliance Management Model needs to be sensitive to identifying the nature of the risk and its scope that a legal person faces. As mentioned above, these risks are often generated externally to the company by these third parties. It is therefore necessary, in order to assess these risks, to integrate them into the control processes in which these third parties are involved. In this case, it is necessary to justify both the intervention of these third parties and the establishment of appropriate controls, through the implementation of mechanisms that guarantee various control elements, such as those mentioned below: 

a) That the terms of the contract specifically describe the services to be provided.

b) That the means of payment are appropriate.

c) That the contractual work described is actually and effectively performed.

d) And finally, that the compensation is commensurate with the contractual services provided.

On the other hand, in order to verify the effectiveness of the Model, the company must analyse the incentive structures established with regard to third parties, in the face of compliance risks. At the same time, it should consider what mechanisms the entity has established to be able to assess these third parties, being particularly interesting the question regarding the way in which the organisation trains and trains its own employees, who in turn must supervise these third parties or suppliers in relation to the management of their compliance risks.  

In this regard, it is important for the company to consider how it should encourage compliance and ethical behaviour by third parties, and how this affects the Compliance Management Model. Consequently, in order to verify the design of the Compliance Management Model, it is important to determine where the limits are in the ethical and legal behaviour of suppliers and other third parties, as well as to determine the organisation's past and present behaviour in relation to these third parties, when they do not exceed the minimum expectations of the requirements derived from the Compliance Management Model. 

In this way, the disciplinary measures that were taken and their consequences must be known. Reactions to irregular behaviour do not only affect the supplier or the third party that has carried out the behaviour, but it is also necessary to know to what extent this behaviour has affected other suppliers or third parties, in the sense of whether the organisation has proceeded to analyse such behaviour, and whether, as a consequence, the business relationship has been suspended or terminated or a third party with similar characteristics or relationship has been audited as a result of compliance problems detected.