party risk and effectively manage third-party compliance relationships have
ethical, reputational and legal consequences for a business. Financial loss is
potentially significant. 58 Working with the business’s procurement,
operations or contracting functions, compliance officers need to assess the
compliance risks and opportunities associated with outsourcing a particular
function or selecting a particular vendor. 59 From enhanced due diligence of
potential third-party vendors, introduction of third-party-risk management
systems, stringent language in contracts requiring compliance with laws and
prohibiting certain actions (e.g. bribery), to training third-parties on ethics
and compliance programs, companies have attempted to enhance compliance
oversight and minimize risk in their third-party relationships.
Companies frequently seek to have third-party suppliers ensure
compliance with the company’s own code of compliance and ethics. 60
Practices vary. A study 61 of business organizations reported that one-third
maintain a third-party or supplier code of conduct, and 23 percent of those
companies require third-parties to sign an agreement to abide by the code. 62
Adherence by third-parties to codes of conduct may extend beyond the
outsourcing company’s own internal code to industry codes of conduct.
Illustrative of these codes are the Electronics Industry Citizens Coalition
Code of Conduct 63 and, in health care, the Pharmaceutical Industry Principles
for Responsible Supply Chain Management and its Implementation
58. Id. at 21. The study reported that during a 12-month period, organizations represented
in the research spent an average of $10 million to resolve the consequences of negligent or
malicious third-parties. Id.
59. Corey M. Perman & Brian D. Annulis, Keynote Address at the Health Care
Compliance Association Compliance Institute: Third-Party Vendor Compliance Programs:
The Value, the Need, the Risk (Apr. 19, 2016), http://www.hcca-
60. REBECCA WALKER, THIRD-PARTY CODES OF CONDUCT: A BENCHMARKING SURVEY
(2009). Walker raises the legal risks of organizations extending compliance and risk programs
to third-parties and what she calls “associative liability.” SOCIETY OF CORPORATE
COMPLIANCE AND ETHICS, THIRD PARTY RISK MANAGEMENT: A LONG WAY TO GO 2. In
another presentation on third-party relations, Ronald Berenbeim, “Finding a Delicate Balance:
Third Party Ethics Program Requirements,” a Conference Board-Ethics and Compliance
Officers’ Association Survey, October 31, 2008, cites a similar concern. Ronald Berenbeim,
Conference Bd., Address: Finding a Delicate Balance: Third Party Ethics Program
Requirements (Oct. 31, 2008), http://www.13iacc.org/files/Third_Party_Ethics.pptx.
61. SOCIETY OF CORPORATE COMPLIANCE AND ETHICS, supra note 3, at 44.
62. WALKER, supra note 60, at 3. 400 compliance professionals reported that 47%
disseminated their organizational code of conduct to third-parties but 53% did not; that 26%
required third-parties to certify to their internal, employee code of conduct, but 74% did not; and
that 83% did not have a third-party code of conduct that is applicable to third-parties only. Id.
63. Code of Conduct, EICC (Jan. 1, 2016),