Complex regulations are accelerating the need for organizations to realign their business practices from top-to-bottom. The consequences for non-compliance present an urgent call-to-action for corporate ethics and compliance teams who need to examine not just their own practices, but also those of their external partners. 

The recent SolarWinds attack, increased ransomware incidents, and the Pipeline Attack prove that a Vendor Risk Management (VRM) strategy can’t go overlooked. In this context, the fast-changing ethics and compliance landscape outlines a new set of challenges — as well as opportunities — for the Chief Ethics and Compliance Officer (CECO) to protect their organization’s future. 

CECOs must evaluate the vulnerabilities that may surface as a result of vendor relationships and prioritize creating a third-party risk management program before an incident occurs. 

Explore the importance of vendor risk management: The Ultimate Guide to Vendor Risk Management

The CECO & Vendor Risk Management 

The CECO is responsible for organizational ethics and compliance, from holistic-level strategy all the way through to the execution of day-to-day operations. Today, organizations on the path to compliance must include third parties in their risk assessments. 

It’s incumbent upon the CECO and their team to screen third parties for ethical issues, conduct assessments, mitigate risks, and monitor business practices from onboarding to offboarding. 

Although vendor risk management programs require a significant effort to develop and implement, emerging regulations have created a mandate for organizations to prioritize them. 

Top Challenges for the CECO

Compliance laws and standards are increasingly holding organizations accountable for third parties in their supply chain. The repercussions can be significant if a vendor is found to be non-compliant in a court of law. 

To avoid costly litigation and penalties, the CECO needs to create a program for third-party risk assessment that aligns with today’s requirements. It will also be essential to build systems that allow teams to be agile in the face of further regulatory change, which is an expected dynamic in the years to come. 

Another challenge facing CECOs is their responsibility to investors, shareholders, and customers. Many groups are applying increased pressure to create transparency around business practices and to operate ethically

The number of ESG (environmental, social, and governance) investors doubled between 2019 and 2020, and these rates are continuing to grow. In the eyes of these modern investors, accountability isn’t only limited to internal company practices. They view third-party ethics, compliance, and transparency as requirements, further accelerating the need for VRM prioritization.  

Learn more about ESG Management: The Ultimate Guide to ESG Management

Obtaining complete awareness of third-party ethics and compliance practices is a heavy lift for many teams, especially those with complex and highly dispersed supply chains. Despite this reality, CECOs are still obligated to obtain a granular view of third-party practices. 

Solutions & Best Practices

To address these challenges, the best approach starts with gaining a complete understanding of every third party involved across the IT ecosystem. The teams performing these assessments need to be equipped with the right tools to uncover insights, violations, and risks at scale. 

When identifying a solution, CECOs should look for tools that natively perform the following functions: 

  • Check for compliance against sanctions lists, adverse media, and other sources.
  • Flag violations such as PEP lists, anti-slavery, bribery, corruption, and more.
  • Measure KRIs (key risk indicators) and KPIs.
  • Scale efforts globally.
  • Align with changing industry standards and regulatory requirements.

Automation supports the resolution of the challenges faced by CECOs by performing VRM activities at scale. The insights gained are the backbone of resiliency and contingency plans, helping teams operate proactively and react effectively.

How OneTrust Can Help

The OneTrust platform provides expertise in Vendor Risk Management, GRC, and much more to help CECOs and their organizations succeed. With industry-leading automation, OneTrust delivers the insights teams need to operate effective VRM programs under dynamic conditions, including: 

  • Third-party lifecycle management: Track the complete vendor relationship by hosting your third-party and product-specific assessments, contracts, and documentation in one place. 
  • Third-party risk assessments: Increase team efficiency for third-party due diligence efforts and continuous monitoring with automated workflows for laws, frameworks, and standards surrounding ethics and compliance. 
  • Third-Party Risk Exchange: Save time on your assessment efforts by accessing risk analytics and control gap reports on thousands of third parties.
  • Risk mitigation workflows: Use workflow automation to develop mitigation recommendations and treatment plans for third-party threats to your compliance.
  • Proactive preparedness: Gain a holistic view of contracts and critical attributes for each third party to create resiliency and contingency plans in case of disruption.

OneTrust Vendorpedia simplifies third-party risk management for CECOs and their teams. Request a demo today.  


Further reading: 

Next Steps:


Follow OneTrust on LinkedInTwitter, or YouTube for the latest on vendor risk management.