Vendor Due Diligence - What You Don't Know About Third Party Risk Can Hurt You!
DESCRIPTION
Third party risk is an emerging trend across the supply chain, legal, and ethics and compliance fields. Organizations are being held responsible for the actions of their third parties, and processes and record keeping must be put in place to protect against undue risk. Veteran third-party risk experts Mike Vermillion and Randy Stephens explore trends around managing risk in the supply chain, what companies are doing correctly, where there are areas for improvement and how to manage effectively against these risks in the coming years. They discuss:
o The Compliance Landscape for Third Party and Agent Liability: FCPA, UK Bribery Act, OECD standards and recent cases of note.
o The Four-Step Approach to the Risk Assessment Process and Adequate Procedures: identify and prioritize; due diligence; mitigating risks; and developing and implementing an ongoing process for onboarding, monitoring and training.
o The Solution: Building, refining and automating the feedback loop and recordkeeping.
Presented by: Randy Stephens, Vice President, Ethical Leadership Group; Mike Vermillion, Senior Director, Third Party Risk Management Solutions
TRANSCRIPT
March 2013
The Use of Third Parties – What You Don't Know CAN Hurt You
What We Are Going to Cover
Who are Third Parties?
Why is this a Risk?
Best Practices for Managing Third Party Risks
Due diligence
Implementation
Automation
Business Complexity and Third Party Relationships
[Figure: 3rd Party Risk: A Complex Network of Relationships (Source: Compliance and Ethics Leadership Council). Your corporation sits at the centre of a network of suppliers, agents, joint ventures, vendors, distributors, contractors, consultants, partnerships, int'l joint ventures, auditors, lobbyists, dealers/resellers, foreign distributors, data vendors, offshore service providers, domestic agencies, int'l intermediaries, subcontractors, temporary employees, suppliers in emerging markets, and suppliers' suppliers.]
A High Level of Complexity
Corporations need to manage divergent legal relationships across a multitude of partners, and struggle to gain visibility into often-hidden risks.
The Use of Third Parties by Business is Increasing…
Economic conditions
o Company cutbacks
o Cost of third parties versus internal development
Productivity
o Flexibility of workforce
Globalization
o Companies need representatives all over the world
Specialization
o Lobbying
o Reselling
o Distribution
Limitation of Liability (false sense of security)
…So Are Third Party Enforcement Actions
[Figure: examples of enforcement actions, by third party type and issue]
o Contractor / Labor Issue
o Supplier / Labor Issue
o Vendor / Data Privacy Issue
o Contractor / Data Privacy Issue
o Consultant / Privacy Issue
o Contractor / Data Privacy Issue
o Agent / FCPA Issue (Top 10: $800M)
o JV & Agent / FCPA Issue (Top 10: $365M)
o Advisor / FCPA Issue (Top 10: $400M)
o Agent / FCPA Issue (Top 10: $32.3M)
o Agent / FCPA Issue (Top 10: $185M)
o Agent / FCPA Issue (Top 10: $338M)
Risks Associated with Working with Third Parties
Why is This a Risk?
Third parties represent your company
o They may have little or no loyalty to your company
o You have less control over the actions of third parties
Do you even know all of the third parties you use?
What do you know about them?
International laws and guidance hold you accountable
o FCPA Guidance (November 2012)
  o Risk-based due diligence
  o Understand the business rationale for using third parties
  o Undertake some form of monitoring and auditing of third parties
o UK Bribery Act
  o “Adequate Procedures”
Global Anti-Corruption Case Studies
Best Practices for Managing Third Party Risk
Elements of an Effective Anti-Corruption Program
o Risk Assessment
o Commitment
o Policies, Procedures, Internal Controls
o Communication and Training
o Compliance Infrastructure
o Disciplinary Guidelines
o Third Party Accountability
o Monitoring and Auditing
o Review and Testing
Third Party Compliance Best Practices
Embed language in contractual terms specific to legal, regulatory, financial and reputational compliance
Implement a Third-Party Policy and Third-Party Code of Conduct
Identify and perform risk-adjusted Due Diligence on all business relationships
Educate and train your third parties on relevant laws and regulations
Require that third parties certify compliance with all laws and regulations that govern their business
Provide an anonymous avenue for third parties to report potential violations of laws and regulations
Document, Document, Document!
Automate what you can
Third Party Due Diligence
Best Practice Approach to Third Party Due Diligence
1. Pre-Screen: Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.
2. Risk Assessment: Best-in-class screening process that provides a comprehensive view into complete enterprise risk (financial, regulatory, reputational, and governance).
3. Risk Mitigation and Action Steps: Dictates mitigation activities that must be taken by both the third party and you.
4. Ongoing Monitoring: Periodic re-screening process that identifies changes in enterprise risk, ensures information is kept current, and ensures continued compliance with client policies.
[Figure: cycle of 1. Pre-Screen, 2. Assess, 3. Mitigate, 4. Monitor]
Risk Prioritization (1. Pre-Screen)
Evaluate potential risk across all business relationships
Size isn't necessarily the best indicator of risk
Other risk drivers
o geography
o type of product or service
o length of relationship
Identity Risk (2. Assess)
Are they who they say they are?
Do names and geographies match?
Established track record?
Years in business?
Corporate affiliations?
Reputation Risk (2. Assess)
Adverse media sources
o Newspapers & magazines
o Transcripts
o Trade publications
o Academic literature
Multiple languages
Cross-referenced with appropriate keywords
Process to minimize false positives
Sanctions and Watch Lists (2. Assess)
~400 watch lists and sanctions lists worldwide, for example:
o FATF Financial Action Task Force
o Bank of England Consolidated List
o HM Treasury Investment Ban List
o HM Treasury Sanctions
o Hong Kong Monetary Authority
o HUD LDP
o Interpol Most Wanted
o Exclusions
o OSFI Consolidated List
o OSFI Country
o Offshore Financial Centers
o Peoples Bank of China (PBC)
o Primary Money Laundering Concern
o Primary Money Laundering Concern Jurisdictions
o Reserve Bank of Australia
o Terrorist Exclusion List
o UK FSA
o UN Consolidated List
o Unauthorized Banks
o World Bank Ineligible Firms
o Ireland Financial Regulator Unauthorized Firms
o Japan FSA
o Japan METI-WMD Proliferators
o Japan MOF Sanctions
o Monetary Authority of Singapore
o Nonproliferation Sanctions
o OFAC Non-SDN Entities
o OFAC Sanctions
o OFAC SDN
o OIG
o Australia Dept. of Foreign Affairs and Trade
o Bureau of Industry and Security
o Chiefs of State and Foreign Cabinet Members
o Commodity Futures Trading Commission Sanctions
o DTC Debarred Parties
o EU Consolidated List
o EPLS
o FBI Hijack Suspects
o FBI Most Wanted
o FBI Most Wanted Terrorists
o FBI Seeking Information
o FBI Top Ten Most Wanted
Conflicts of Interest Risk (2. Assess)
Government ownership
Do officers/directors hold government positions?
Are officers/directors former employees?
PEP list screen
Compliance Risk (2. Assess)
Is there a commitment to ethics at the top?
Are policies in place?
Do they conduct training?
Any record of fines or violations?
Financial Risk (2. Assess)
Cash flow
Balance sheet - leverage
Bankruptcy track record
Contract as % of revenue
Enhanced Due Diligence (2. Assess)
Local language screen
Public records check
Civil and criminal litigation
On-site business verification
o Photos
o In-person interviews
o Document collection
Risk Assessment and Mitigation (3. Mitigate)
How will you assess risk?
What constitutes a yellow flag? A red flag?
Who owns risk mitigation?
How will risks be resolved?
Monitoring and follow-up considerations
Monitoring and Re-Screening (4. Monitor)
Monitor for new adverse media and sanctions list/watch list presence
Can also monitor for material changes in financial condition
What is the process to resolve an alert?
Risk-based approach to re-screening
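The four steps above can be sketched in code, which makes the questions on the Mitigate slide concrete (what is a yellow flag, what is a red flag, how often do we re-screen?). The following is an added example and not part of the presentation or any product it describes: it scores inherent risk from the Pre-Screen drivers (geography, type of service, length of relationship, plus contract as % of revenue from the Financial Risk slide), screens the name against a watch list with token normalization so that legal-form suffixes and word order do not cause misses or noisy hits, and sets a risk-based re-screening cadence. Every name, rating, list entry, weight and threshold in it is constructed for illustration and would be replaced by your own jurisdiction index, sanctions feeds and policy.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed sample data: none of these names, ratings or lists come from the
# presentation; they stand in for a real jurisdiction index and real sanctions feeds.
GEO_RISK = {"low": 1, "medium": 2, "high": 3}           # jurisdictional risk rating
SERVICE_RISK = {                                        # exposure by type of service
    "office supplies": 1,
    "logistics": 2,
    "customs broker": 3,   # deals with officials on your behalf
    "sales agent": 3,      # paid on success; classic intermediary risk
}
# Each entry: (list name, listed name, known aliases)
WATCH_LIST = [
    ("EXAMPLE-SANCTIONS", "Acme Trading Co., Ltd.", ["ACME TRADING COMPANY"]),
    ("EXAMPLE-DEBARRED", "Global Logistics Partners S.A.", []),
]
RESCREEN_DAYS = {"high": 30, "medium": 90, "low": 365}  # risk-based re-screen cadence
LEGAL_SUFFIXES = {"co", "company", "corp", "corporation", "inc", "ltd",
                  "limited", "llc", "sa", "gmbh", "plc"}


def normalize_name(name: str) -> tuple[str, ...]:
    """Fold accents and case, drop dots, strip legal-form suffixes, sort tokens.

    Sorting makes word order irrelevant and suffix stripping stops
    "Co., Ltd." vs "Company" from defeating a match; both are common causes
    of missed hits and of false positives in name screening.
    """
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", text.replace(".", "").lower())
    return tuple(sorted(t for t in tokens if t not in LEGAL_SUFFIXES))


@dataclass
class ThirdParty:
    name: str
    geography: str               # "low" | "medium" | "high" (key into GEO_RISK)
    service: str                 # key into SERVICE_RISK
    years_relationship: int
    contract_pct_revenue: float  # your contract as % of their revenue


def inherent_risk_score(tp: ThirdParty) -> int:
    """Pre-Screen: score the relationship on the risk drivers named in the slides."""
    score = GEO_RISK[tp.geography] + SERVICE_RISK.get(tp.service, 2)
    if tp.years_relationship < 2:
        score += 1   # no established track record with you yet
    if tp.contract_pct_revenue > 50:
        score += 1   # heavily dependent on your business: pressure to "deliver"
    return score


def risk_tier(score: int) -> str:
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def screen(name: str) -> list[dict]:
    """Assess: compare the normalized name with every listed name and alias.

    Exact token-set matches are reported as such; partial matches carry their
    Jaccard overlap so an analyst can triage them rather than every near-miss
    being treated as a confirmed hit (the false-positive control the slides ask for).
    """
    target = set(normalize_name(name))
    hits = []
    for list_name, listed, aliases in WATCH_LIST:
        for candidate in [listed] + aliases:
            cand = set(normalize_name(candidate))
            if cand == target:
                hits.append({"list": list_name, "entry": listed, "match": "exact"})
                break
            overlap = len(cand & target) / max(len(cand | target), 1)
            if overlap >= 0.67:
                hits.append({"list": list_name, "entry": listed,
                             "match": f"partial:{overlap:.2f}"})
                break
    return hits


def due_diligence(tp: ThirdParty) -> dict:
    """Run pre-screen, screening and flagging; return the record to keep on file."""
    score = inherent_risk_score(tp)
    tier = risk_tier(score)
    hits = screen(tp.name)
    if any(h["match"] == "exact" for h in hits):
        flag = "red"       # confirmed list presence: escalate, do not onboard
    elif hits or tier == "high":
        flag = "yellow"    # analyst review / enhanced due diligence
    else:
        flag = "green"
    return {"name": tp.name, "score": score, "tier": tier, "hits": hits,
            "flag": flag, "rescreen_days": RESCREEN_DAYS[tier]}


if __name__ == "__main__":
    for tp in [
        ThirdParty("Northwind Office Supplies Inc.", "low", "office supplies", 8, 5.0),
        ThirdParty("Acme Trading Company", "high", "sales agent", 1, 60.0),
        ThirdParty("Global Logistics Partners Holdings", "medium", "logistics", 3, 10.0),
    ]:
        print(due_diligence(tp))
```

Note the deliberate split between "red" (exact list hit) and "yellow" (partial hit or high inherent risk): the partial hit is kept on file with its overlap score so the analyst's resolution of the alert, and the reasoning behind it, is documented rather than silently discarded or silently escalated.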
Implementation
Keys to a Successful Implementation
Sponsorship
Cross functional team
Appropriate resources
Phased deployment
Communication
o Business partners
o Third parties
By Function/Office
Chief compliance officer
Chief risk officer
Procurement
Corporate security
Controller
CFO
General counsel
Chief revenue officer
By Business Process
Ethics and Compliance
o Anti-bribery and anti-corruption program
o Industry/Company specific programs
Enterprise Risk
o GRC program
Sourcing
o New vendor onboarding
o Existing vendor monitoring
o Vendor policy compliance
o Code of conduct compliance
Sales agent management
o New agent onboarding
o Existing agent monitoring
o Agent training
o Agent policy compliance
Corporate Security
o Anti-fraud program
o Reputation integrity program
Audit and Board Reporting
o Ethics and compliance audit
Financial risk management
o Supply chain planning
Contracting
o RFP process
o Contracting due diligence
By Risk Type
Compliance risk
Financial risk
Reputation risk
Operational risk
Corporate Social Responsibility risk
Sourcing risk
Third Party Risk Management Deployment Options
Consider Automating Routine Tasks to Free Up Staff
Notifications
Questionnaire administration
Research and analysis
Risk assessment
Report writing
Tracking
Reporting and audit compliance
Automation Considerations
Easy to deploy; low IT involvement
Integration with other systems
Data agnostic
Due diligence flexibility
Risk assessment optimization
Workflow capabilities
Interoperability with other compliance tools
Future functionality roadmap
Questions…
Thank You