KPM

Understanding The Risks Of Using Contractors To Outsource Business

During busy seasons, your business may temporarily outsource some of its work to third-party contractors. Hiring contractors can be a cost-effective way to manage seasonal — or even ordinary — customer demands without hiring new employees or making other long-term investments. However, third parties can introduce some financial, legal, and reputational risks. It’s important to recognize potential threats and take steps to head them off before engaging contractors.

Two Scenarios

Consider the following example: A business employs an overseas trucking entity to transport goods from a port to a customer’s warehouse. The driver, unfortunately, isn’t very honest and he pays a kickback to customs personnel to release the shipments quickly. This action subjects the business that hired the contractor to bribery and corruption charges locally — and in the United States.

Here’s another scenario: A remote contract worker hired to perform data-entry tasks lacks a robust cybersecurity program on their home network. Their computer is hacked, cybercriminals find their way into the organization’s network, and they steal confidential employee and customer information.

Neither of these scenarios is far-fetched — foreign bribes and inadequate cybersecurity put organizations at risk every day. Due diligence is a cornerstone of reducing such risk.

Containing Threats

Before hiring a third-party contractor, be sure to identify all applicable laws and regulations. Your organization’s operating footprint will determine which ones govern third parties. Anti-bribery and corruption laws often cover third parties and hold companies that engage them liable for their actions. It’s especially important to understand the laws in foreign countries where your business has a presence.

Mitigating risk requires a detailed understanding of third-party contractors. So, collect all relevant information, such as incorporation and registration documents, explanations of ownership structure, insurance coverage proof, and cybersecurity reports. Also classify third parties based on their inherent risk. Risk usually corresponds to the scope of services a third party provides. In general, the more access a third party has to your organization’s IT environment, the greater the threat.

Increase due diligence efforts for third parties with higher risk profiles. For example, scrutinize a cloud computing provider or physical security system service more rigorously than a landscaping business. Some organizations outsource their due diligence investigations. Such professional services range from researching publicly available information to performing onsite inspections of potential business partners.

But regardless of the risk level third-party vendors represent, you should review them at least once a year. After all, software, processes, personnel, and even an organization’s ownership can change over time. For the riskiest contractors, an executive in your organization with authority to approve or reject contracts should conduct the review.

Rigorous Defense

Contractor risk is only one of many threats organizations routinely encounter. Contact us to review your internal controls and risk-management efforts to help ensure they’re providing you with a rigorous defense.
