Related Links

  • Arthur D. Little
  • Elsevier Ltd is not responsible for the content of external websites.


Managing and creating value from third-party risk

Stephen Watson and Javier Serra

With major construction and infrastructure development companies, including those in the renewable energy sector, increasingly expanding their footprints into countries far from their home markets, Stephen Watson and Javier Serra from Arthur D. Little give some essential advice for successfully managing third-party risk.

In some sectors, companies can critically depend on third parties. It is not unusual for over 90% of any given contract value to be passed on to these third parties. If the third party has financial issues during the relationship, it can lead to delays in the work and overall contract delivery. If a third party behaves in an overly contractual or argumentative manner, it can lead to delivery delays, additional costs and often the need to dedicate more company resources to manage the third party. If a third party is involved in corruption cases (either real or alleged), legal liability may extend to the company and have reputational impact.

We predict that this situation will continue to increase in the coming years. For instance, major construction and infrastructure development companies are increasingly expanding their footprints into countries far from their “home markets”. Major infrastructure development in the coming years will be carried out in emerging markets with potential for higher rates of return and lower levels of national debt. The third parties in these emerging markets tend to be less well known and could bring new risks. 

At the same time, national legislation covering corruption has tightened significantly – one example is the UK Bribery Act 2010, which has an international scope that applies to all companies with UK operations. Overall, regulatory trends increasingly make companies responsible for corruption and bribery carried out by their partners and third parties, with the related penalties and sanctions increasing and having transnational impact. For instance, sanctions include the loss of the company’s ability to undertake contracts in the legislation’s country of origin and the criminalisation of its executives. 

However, companies can take steps to mitigate, manage and even create value from this situation. In particular, companies are increasingly using detection and prevention approaches to detect, avoid and manage risk. There are three major benefits to this approach:

  • First of all, it allows early identification of potential economic risks. These include financial weakness from a partner or a payment default by a customer, technical issues such as conflicts or delays in recent projects, and compliance issues such as convictions or recent cases of corruption. 
  • Companies that perform and keep records of their third parties can mitigate their liability if cases of corruption arise afterwards. 
  • It allows cost optimisation, particularly during the business development phases. The ability to detect counterparty risks in advance implies better allocation of resources and better business decisions.

In our experience all major international construction companies and developers of significant infrastructure projects carry out assessments of their third parties, or at least of some of them. However, this is usually conducted in an unstructured way, without standard procedures, leading to time and cost inefficiencies. To ensure effective and efficient assessments requires the design and implementation of a comprehensive third-party due diligence system.

Based on our experience, we have identified the following key success factors for successfully implementing a detection and prevention system:

  • Holistic perspective: The due diligence process should include all major compliance risks.
  • Risk orientation: Focusing analyses only on higher-risk situations. From a compliance perspective, legislation provides the guidelines for selecting the third parties to be assessed. From a technical and financial perspective, volume and criticality of the third party to the company must be the guiding principle.
  • Proportionality: The dedication of resources and depth of the analysis must be adequate. Construction companies are not international intelligence agencies, which means that the added value of the assessment should be higher than the costs of carrying it out, as in any other business.
  • Independence and objectivity: The information included in the financial and technical assessments must be provided independently and objectively. For example, the compliance and financial perspective should be performed by independent units as, for instance, business development teams tend to be more optimistic about third parties than other teams.
  • Leverage all available sources of information when assessing third parties: Reports from reputable sources or institutions bring transparency and credibility, but must coexist with opinions and experience of staff within the organisation. There must be a defined methodology for selecting information that assures its traceability and maintains confidentiality.
  • Aimed for decision-making: The due diligence analysis of the third party is not intended to “veto” its selection, but should help to decide which third party to select. Only in extreme cases (for example, imminent bankruptcy or presence on an international sanctions list) should the possible relationship with the third party be vetoed based on the due diligence analysis.
  • Willingness to anticipate: The effort associated with bid preparation and procurement processes is very high, which means that the earlier the assessment is carried out, the earlier the company will make a decision about the third party, and it will avoid incurring unnecessary costs associated with a potential third-party relationship that is too risky.
  • Easy assessment criteria: Criteria have to be easy to apply so that risk level is not a factor subject to interpretation. For example, a criminal conviction of a third party’s executive is a serious issue, but it is not the same if the conviction took place five or twenty years ago. Establishing clear and straightforward criteria and standards on risk adoption needs to be efficient. Risk appetite needs to be a company decision, not a decision that depends on the risk aversion of each employee.

Arthur D. Little recommends putting in place detection and prevention systems, especially for companies in certain industries, to achieve the following benefits:

  • Improve the selection of third parties, which ultimately will lead to higher company valuation, as it is the straightforward consequence of having more trustworthy customers, partners and suppliers.
  • In the case of being involved in a corruption incident involving a third party, the company would be able to reduce its liability and exposure by providing evidence of having risk detection and prevention systems in place. 
  • Help create a stronger company culture in risk management.
  • And last but not least, the costs of developing such systems are, in Arthur D. Little’s experience, far lower than the cost of liability, which makes it an attractive value creation opportunity.


Stephen Watson and Javier Serra are Principals at Arthur D. Little. Watson is based in Cambridge and has 20 years experience in risk management in the construction, transport and petrochemical manufacturing sectors. Serra is based in Madrid and has 14 years consulting experience in strategy development and implementation and operational transformation, including risk management topics.


Share this article

More services


This article is featured in:
Policy, investment and markets