What the Ukrainian War Has Meant for Third Party Risk Management

From Stricter Sanctions to Broken Supply Chains: What the Ukrainian War has Meant for Third Party Risk Management

February 2024 will mark two years since the latest conflict in Ukraine began. As well as its tragic impact on so many lives, the war has also brought new third party risks which companies need manage–or face supply chain interruptions or even enforcement action by regulators. In this blog, we look at the main risks for companies and suggest how they should respond.

Legal and financial risks of two years of ever-changing sanctions

Away from the battlefield, the conflict in Ukraine has also been fought with the imposition of economic sanctions targeting individuals and companies associated with Russia and Ukraine. Moreover, numerous other countries (like the US, UK and UAE) and supranational entities (such as the European Union) have levied sanctions aimed at encouraging the end of the conflict or cutting off military supplies.

The pace of change in sanctions regimes has increased the legal, financial and even reputational risks companies are exposed to. If a company is found to be doing business with a third party which has been sanctioned, the firm is likely to face enforcement action by a regulator and a heavy fine. Moreover, it could suffer reputational damage with negative newspaper articles connecting the firm to the conflict which has taken so many lives.

Companies doing business in Ukraine, Russia and these other countries must ensure they stay up to date with changes to sanctions lists. For example:

• In August 2023, the UK government fined a company £1 million for breaching sanctions around trade with Russia. In a notice accompanying the announcement, the government revealed over 1,600 individuals and entities had been sanctioned in relation to the conflict, including 29 banks with global assets worth £1 trillion.
• In September 2023, the US Treasury Department announced a further 100 sanctions on Russian individuals and entities who are reportedly related to military action and other alleged financial and technology suppliers of the conflict.
• The EU has imposed what it calls “massive and unprecedented sanctions” since February 2022 against entities in Russia, Belarus and Iran. Nearly 2,000 individuals and companies have been sanctioned in total, with the most recent group of 147 announced in December 2023.

Strategic and financial risks of supply chain interruptions

Both Russia and Ukraine are important links in global supply chains for products and services in sectors which constitute high volumes of global companies. Combined, Russia and Ukraine are the source of around 30% of global supplies of wheat, 35% of barley and 75% of sunflower oil, according to Accenture data. Major food and beverage companies have long-established links into both countries.

Ukraine is also a significant supplier of raw materials like neon and palladium which are used in the manufacture of semiconductors. Major retail companies in technology, automotives and medical devices rely on the supply of semiconductors to develop and power their products. The conflict has led to a shortage in the supply, which has affected many entities in these industries.

In fact, many of the world’s biggest companies have had to pause or cease the sale of certain products because their third parties can no longer deliver the materials required. The cost of these materials has also increased due to the reduced supply. Accountants at KPMG have warned that “if the war continues, companies should be prepared for more severe supply-chain impacts” and “companies are advised to review all their business continuity plans.”

Many companies are also involved in, or rely on, the flow of trade between Ukraine, Russia and other major countries. For example, billions of dollars in imports and exports are exchanged between these three countries every year. The conflict has placed these ties under threat, with devastating impacts on the many companies involved in this trade, which can hit their bottom line or even put them out of business.

The financial risks of these developments are obvious: companies can no longer sell their profitable products and services if a third party cannot deliver a critical part of that service. Companies also face significant strategic risks, because the C-Suite must allocate considerable time and resource to finding alternative options to a broken supply chain, rather than growing the business.

Reputational risk for companies associated with the conflict

Aside from sanctions and supply chain risks, companies around the world have come under scrutiny for any connection to the conflict, or perceived association with military action. Large cohorts of their customers, investors and employees have taken to social media, the mainstream media and even direct action to criticize the company, call for change, or even boycott them and their products. This reflects the growing expectations from society at large that companies demonstrate high ethical and ESG standards.

In western countries in particular, we have seen companies come under pressure for not cutting ties with the Russian regime. For example, Accenture reported that within three months of the start of hostilities, over 1,000 global companies had announced full or partial withdrawal of business from Russia. While many firms that continue to do business in Russia and the wider region are having to carry out enhanced due diligence to ensure their third parties’ activities are not directly supporting military action.

Third party risk management: companies’ best response to the impact of the conflict

The conflict in Ukraine has raised the third party risks which companies operating globally face. Firms therefore need to increase their efforts to manage these risks, with a specific focus on activities and sectors which relate to Ukraine and Russia.

There are a number of steps companies should take to mitigate these risks, including:

• Monitor third-party regulatory risks, including the latest sanctions lists.
• Understand the financial health of your third parties, to help to predict those which would go out of business in the event of ongoing disruption to the major industries in Russia and Ukraine.
• Set clear policies for your third parties about your expectations for their management of sanctions and third party risks.
• Apply a risk-based due diligence model to identify third parties at higher risk (perhaps those in particular jurisdictions and industries) and carry out enhanced scrutiny on those firms.

Overall, the best strategy for companies is to acquire the most accurate and trustworthy data, and use technology to sift through vast datasets to surface relevant third party risks. Data sources which can shed light on third party risks related to the conflict in Ukraine include:

• Sanctions data: Countries and supranational authorities publish lists of all individuals and entities who are subject to sanctions, and companies need to screen their third parties against these lists–which are regularly updated as sanctions are lifted or imposed.
• Company data: A third party might have a parent company, or subsidiary, under a different trading name. If your compliance officer cannot identify those entities’ association to your third party, you could end up unwittingly doing business with a sanctioned firm and find yourself in breach. Moreover, company data can help to assess the risk that a third party could go out of business because of supply chain disruption prompted by the conflict.
• Global news data: It is important that companies track media coverage of their third parties, and the sectors and jurisdictions in which those third parties operate, to detect potential risks of disruptions or sanctions. This requires accessing and translating content in multiple languages.

Manually reviewing all these datasets for potential risks is an extremely labour-intensive task, if not impossible, given regulators’ expectations that companies carry out ongoing due diligence. Technology solutions can remove this burden from compliance teams by rapidly screening company names against large datasets; assessing the risk of third party; and producing reports which can be sent to management, or even regulators.

LexisNexis: Helping you to overcome each of these third party risks

LexisNexis can help companies respond to the threats covered in this blog by upgrading their approach to due diligence and compliance. We bring together all these data sources and more in one place, and leverage technology to surface relevant mentions of third parties and devise a risk score based on that analysis. A third party’s risk profile will be updated automatically when new information comes to light, allowing you to stay ahead of rapidly emerging risks in this changing and unpredictable conflict.

Looking for more tips on how to implement an effective due diligence operation to identify and manage third party risks? Our new E-Book identifies the ten main trends companies need to understand and respond to. Download it for free today.