Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Rodney Campbell on Managing 3rd Parties

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Rodney Campbell discusses his presentation at Compliance Week 2024, “Empowering TPRM Compliance: Transformative Strategies in Third-Party Risk Management.” Some of the issues he will discuss in this podcast and his presentation are:

  • Why managing third parties is a critical element in your TPRM program
  • Leveraging your business unit to help manage third parties
  • New ideas for the compliance program from Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at The Westin Washington, DC, Downtown. The line-up for this year’s event is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, the event brings together 500+ compliance, ethics, legal, and audit professionals who gather face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Among many other things, attendees will:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners, including CEOs, CCOs, regulators, and federal officials, to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways to your program from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Week 2024 Preview Podcast series is a production of the Compliance Podcast Network. Compliance Week is the sponsor of this series.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 17 – Policies for Third-Parties

As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The DOJ 2023 ECCP devotes an entire prong to third-party management. It begins with the following: “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
This set of queries clearly specifies the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party management: 1) business justification; 2) questionnaire to third-party; 3) due diligence on third-party; 4) compliance terms and conditions, including payment terms; and 5) management and oversight of third parties after contract signing.
I continually give my mantra of compliance, which is “Document, Document, and Document”. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.

Three key takeaways:

  1. Use the full five-step process for third-party management.
  2. Make sure you have Business Development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Blog

Building a Stronger Culture of Compliance Through Targeted and Effective Training: Part 4 – A Training Program for 3rd Parties

Welcome to a special five-part blog post series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. Over this series I will visit with Kunal Agrawal, Director of Customer Success at Diligent; Kevin McCoy, Customer Success Manager at Diligent; Jessica Czeczuga, a Principal Instructional Designer; Andrew Rincon, Global Accounts Management Advisor at Diligent; and David Greenberg, former CEO and Special Advisor at LRN and Director at International Seaways. Over this series, we will consider the importance of ongoing communications, the value of targeted training, training third parties, and the role of the Board of Directors. In this Part 4, we discuss how to put together a training program for third parties with Andrew Rincon.

In today’s global business landscape, third-party compliance training is more crucial than ever. Ensuring that your organization’s distributors, vendors, and other third-party affiliates adhere to the necessary regulations can minimize legal and financial risks, protect your company’s reputation, and foster a culture of ethical business practices. As compliance professionals responsible for training these third parties, it is essential to stay informed about current strategies and techniques for effective risk management. This blog will explore practical steps that can be implemented to improve your third-party compliance training and due diligence processes, allowing you to uphold your organization’s regulatory standards and contribute positively to the industry. Here are the steps to improve your third-party compliance training and due diligence processes:

1. Assess third-party risk during onboarding.

2. Utilize micro training videos for efficiency.

3. Customize training materials for specific regions.

Assess third-party risk during onboarding. Due diligence on, and assessment of, third-party risk is not a ‘one size fits all’ process. This critical step allows organizations to identify high-risk distributors, vendors, and other third parties that may pose potential threats to the business in terms of bribery, corruption, and other regulatory violations. By conducting a thorough risk assessment, organizations can effectively mitigate these risks and ensure that they are partnering with ethical and responsible businesses, ultimately fostering a strong culture of compliance throughout their sales or supply chain ecosystem. Moreover, such an approach is critical throughout the lifecycle of the relationship. Rincon emphasized the importance of proactive ongoing due diligence measures, such as automated screenings and monitoring, sending out attestations, and conducting regular training courses.

Effectively educating resellers, agents, distributors, and other third parties on compliance policies and expectations is critical, and its importance cannot be overstated. Providing proactive training not only helps in preventing compliance violations but also demonstrates to regulators your organization’s commitment to maintaining high ethical standards. This, in turn, can mitigate penalties in case of inadvertent violations and foster a trust-based relationship with regulatory authorities. By adopting these practices and leveraging technology to automate certain processes, organizations can ensure that they are partnering with ethical third parties, minimize their exposure to regulatory risks, and foster a strong culture of compliance across their entire network. By doing so, they not only protect their businesses from potential harm but also contribute to a more transparent and ethical global marketplace.

Utilize micro training videos for efficiency. In the field of compliance, training third parties remains a critical aspect of managing and mitigating risks associated with regulatory and legal frameworks such as the Foreign Corrupt Practices Act (FCPA). With the increasing need for efficient and effective compliance processes, it becomes essential for compliance professionals to employ innovative strategies to achieve their objectives while minimizing disruptions to business operations. By leveraging micro training videos, companies can ensure that their distributors and internal client gatekeepers receive consistent and easily digestible information, enhancing their understanding of compliance policies and expectations.

Rincon said that by breaking down complex topics into easily understandable portions, micro training videos enable organizations to communicate the essential aspects of their compliance policies and expectations in a concise and engaging manner. Through the ability to cater to different audiences, these training resources contribute to a more comprehensive approach towards addressing third-party risk. The adoption of micro training videos as a tool for third-party compliance education serves an essential purpose for compliance professionals. By incorporating this method, companies can enhance their third-party risk management processes and ensure that their partners are aware of the applicable legal and regulatory frameworks. This leads to improved adherence to compliance policies, reduced likelihood of violations, and overall risk mitigation.

Customize training materials for specific regions. Effective third-party compliance training often involves the customization of training materials for specific regions. This ensures that the training is relevant, relatable, and impactful for third parties, taking into account regional differences, languages, and sensibilities. Customizing training materials also fosters a deeper and more nuanced understanding of the compliance policies and expectations towards each party, thereby mitigating the risks associated with inadequate understanding or implementation of compliance standards. Furthermore, cultural sensitivities and regional variations can be taken into account when designing training, ensuring a more engaging and effective learning experience for the target audience.

Rincon noted that micro-training video shorts can be easily customized for different regions and translated into multiple languages. With such versatile tools, compliance professionals can promote clear and concise messaging to their third-party partners, thus reinforcing the importance of compliance policies and due diligence throughout the duration of the business relationship. Customizing compliance training materials for specific regions not only makes the training more effective, engaging, and relevant but also supports robust risk management and streamlined third-party due diligence processes.

For compliance professionals dedicated to training third parties, the effectiveness of your compliance and due diligence processes plays a significant role in safeguarding your organization from potential risks. The steps discussed, including customizing training materials for specific regions, educating agents, resellers, distributors, and other business partners on compliance policies, and using technology to track irregularities, can greatly enhance your efforts to ensure that your third parties meet and maintain compliance expectations. With diligent application of the guidance provided, you can foster a well-informed and compliant network of third parties, ultimately ensuring your organization’s ongoing success.

For more information go to http://diligent.com/compliancetraining.

Join us tomorrow where we review the role of the Board of Directors in a compliance regime.

Categories
Innovation in Compliance

Building a Stronger Culture of Compliance Through Targeted and Effective Training: Part 4 – A Training Program for 3rd Parties

Welcome to a special five-part podcast series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. Over this series, I will visit with Kunal Agrawal, Director of Customer Success at Diligent; Kevin McCoy, Customer Success Manager at Diligent; Jessica Czeczuga, Director, Compliance and Ethics at Diligent; Andrew Rincón, Client Director at Diligent; and David Greenberg, former CEO and Special Advisor at LRN and Director at International Seaways. Over this series, we will consider the importance of ongoing communications, the value of targeted training, training third parties, and the role of the Board of Directors. In this Part 4, we discuss how to put together a training program for third parties with Andrew Rincón.

Join Tom Fox in an exciting episode about building a stronger culture of compliance through targeted and effective training as he interviews Andrew Rincón. Discover how the compliance industry has evolved and how technology has significantly improved compliance programs. Find out how efficient compliance processes create goodwill for compliance professionals and make them true partners of the business with the help of technology and reliable due diligence partners. Andrew Rincón shares Diligent’s screening and monitoring options for third-party suppliers and the customized anti-bribery and anti-corruption training, available in multiple languages, also perfect for bite-sized, animated micro-learnings. Tune in to learn how to educate distributors and internal gatekeepers on compliance and useful resources for compliance professionals, only on a training program for 3rd parties.

Highlights Include:

  • The Role of Compliance with Distributors
  • Efficient Due Diligence for Distributors
  • Diligent’s Anti-Bribery and Sanctions Screening Solutions
  • Compliance Training & Internal Controls for Distributors

Notable Quotes

“And commission sales agents are certainly recognized as, if not the highest, a high risk, under the FCPA and other compliance regimes.”

“One area the thinking has evolved on, and it sounds like your career and my career, is that due diligence alone is insufficient.”

“So being as efficient as a process. And nowadays, everything moves at the speed of light.”

“But nowadays, with the amount of information that gets published every single day throughout the world, where there’s so much content out there.”

For more information, go to Diligent.com

Join us tomorrow as we conclude our series with a look at the role of the Board of Directors in a compliance program.

Categories
FCPA Compliance Report

FCPA Compliance Report – Brad Hibbert on Prevalent’s 2023 3rd Party Risk Management Report

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, Tom visits Brad Hibbert, COO/CSO at Prevalent, as they discuss the surprising findings of Prevalent’s annual third-party risk management study. Discover why so many organizations still rely on spreadsheets and manual processes for managing third-party risks. Brad recommends an integrated approach to third-party risk management that considers the entire lifecycle of the relationship with third parties.

The podcast highlights the top five key findings of the report, including data breaches as the top concern, security driving the program, and the increased involvement of IT in the process. Learn how to minimize cyber exposure and risks associated with third-party management by breaking down silos, automating processes, and focusing on reducing risks associated with third parties. Listen to Brad’s practical advice on how to prioritize risks and plan your risk management program and visit prevalent.net for more compliance mandates and best practices. With exciting insights and actionable advice, this podcast is a must-listen for anyone interested in managing third-party risks.

Key Highlights:

  • Prevalent’s annual third-party risk management study
  • Integrated Third-Party Risk Management
  • Top Challenges for Organizations in Data Security
  • Third-Party Risk Management Survey and Findings
  • Minimizing Cyber Breaches
  • Effective Response to Breaches and Third-Party Programs
  • Managing Business Risks for Compliance

Notable Quotes:

“The top concern driving third-party risk management programs is security, with 71 percent indicating it as their main priority.”

“Data breaches continue to be a top concern, with 41 percent of the respondents indicating that they were impacted by a third-party data breach in the last 12 months and had to perform some remedial activity.”

“About 70 percent reported increased involvement from the IT group, while 71 percent indicated that infosec owns the program.”

“Identifying and mitigating risks before the company is impacted.”

“Customs put together this enforcement dashboard that contains all of these statistics on how they’ve been enforcing the UFLPA.”

Resources

Brad Hibbert on LinkedIn

Prevalent

3rd Party Risk Management Report

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn


Categories
Innovation in Compliance

Improving Third-Party Risk Management with Paul Valente

In today’s interconnected world, businesses rely on third-party vendors for various products and services. While these partnerships bring great benefits, they also expose companies to a range of risks such as cyber threats, compliance issues, and reputational damage. In this episode, Tom Fox interviews Paul Valente, the co-founder and CEO of VISO Trust. Paul shares valuable insights into how businesses can mitigate risks posed by third-party vendors, the importance of continuous monitoring, and how VISO Trust’s platform helps companies manage risks effectively.

Paul Valente is the CEO and co-founder of VISO Trust, a company that provides automated third-party cyber risk management solutions. Prior to founding VISO Trust, Paul was the Chief Information Security Officer (CISO) at several companies, including Restoration Hardware, Lending Club, and ASAPP. He is a longtime technologist and security professional with experience in highly regulated industries.


You’ll hear Tom and Paul talk about:

  • Companies have more sensitive data on other companies’ infrastructure than they do internally, which increases risk and augments the need for a robust risk management strategy.
  • Boards have a duty of oversight to proactively monitor their third-party risk management programs. They should also keep abreast of emerging threats.
  • Automation is a key component in a third-party risk management solution for cybersecurity. The standard approach of using questionnaires to assess third-party security is slow, labor-intensive, and ineffective.
  • VISO Trust’s patented first-to-market Document Intelligence removes friction for vendors and provides a comprehensive risk assessment that tells customers everything they need to know to make qualified risk decisions about their third-party relationships.
  • Compliance requires auditability.
  • How VISO Trust helps companies manage risk after the contract is signed.
  • Risk management and cybersecurity data is often siloed within an organization. VISO Trust helps centralize the information by providing a dashboard where customers can have complete understanding of their overall third-party risk, and allowing them to make that data available across the organization.


KEY QUOTES:

“There’s companies today that have nothing internally – that are 100% cloud native. What that means typically is that there’s many copies of their data essentially with various other companies, perhaps all over the world… That just increases what we call an attack surface … which just means more risk.” – Paul Valente


“I think [boards] need to be asking essentially what the risks are for their organization from a cybersecurity standpoint. They need to ask for those to be regularly reported on, regularly updated, and regularly tracked. …They also need to be aware themselves, both externally as well as relying on the executives within the company to keep them aware of emerging threats.” – Paul Valente


“…our dashboards essentially allow you to list all of your third-party relationships in one single place and easily report on the status of assessments as well as report on inherent risk.” – Paul Valente


Resources:

Paul Valente on LinkedIn | Twitter

VISO Trust

Categories
31 Days to More Effective Compliance Programs

Third-Parties as Compliance Innovation Partners

It is universally recognized that third parties are your highest FCPA risk. Could you turn your third party from liability under the FCPA to an innovation partner for your compliance program? This is an area that only a few compliance professionals have mined, but once again, in compliance, you are only limited by your imagination. In a Supply Chain Management Review article by Jennifer Blackhurst, Pam Manhart, and Emily Kohnke, entitled “The Five Key Components for Supply Chain Innovation,” the authors identified five components common to the most successful innovation partnerships. They are:

Don’t settle for the status quo. This means you should not settle for simply the status quo in compliance.

Hit the road to hit your metrics. To understand your compliance risk from third parties, you must get out of the ivory tower and hit the road.

Send prospectors, not auditors. While an audit clause is critical in any third-party contract, from a commercial and FCPA compliance perspective, you can establish a “point of contact as an innovation manager for your third parties.”

Show and tell. As with all relationships, trust plays an important role in third-party compliance innovation, as “Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.”

Who’s running the show? This means “who is doing what, but also what each firm is bringing to the relationship regarding resources and capabilities.”

Three key takeaways:

  1. Use your third parties as innovators to assist your compliance program.
  2. Change your thinking about third parties and make them your partners.
  3. Do not settle for the status quo.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Ongoing Monitoring of 3rd Parties

One of the key themes in the Evaluation of Corporate Compliance Programs is the use of data and data analytics in a best practices compliance program. This has specific application to third parties. In the section entitled Risk-Tailored Resource Allocation, the following question was posed: “Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors?” Under the section entitled Control Testing, the following question was posed: “Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake?” Finally, under the section entitled Payment Systems was the following query: “How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?”

All of these questions make clear that the DOJ expects data analytics to be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third parties. A clear majority of FCPA violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e., using a third party to channel the payment of a bribe) has lessened in recent years, there are related data analyses that can be performed to ascertain whether a third party is likely performing legitimate services for your company and is not a sham. There are several more complex analytics that can be run in combination to identify suspicious third parties, and some of the simplest are to look for duplicate or erroneous payments. This final concept, finding patterns that can be discerned through the aggregation of huge numbers of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allowing you to follow the money. It can be a part of your third-party ongoing monitoring as well, by surfacing third parties that came into your company without proper compliance vetting. Such capabilities are clearly where you need to be heading.

Three key takeaways:

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Managing 3rd Party After the Contract is Signed

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and contract compliance terms and conditions. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Rank third parties based on a variety of factors including compliance and business performance, length of the relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Questionnaire

The next step in the five-step process is the questionnaire. The term ‘questionnaire’ is mentioned several times in the 2020 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to understand better with whom it is doing business. The questionnaire should be mandatory for any third party that desires to work with your company as it mandates the proposed business partner commit to the required information in writing before beginning the due diligence process. Remember, if a third party does not want to fill out the questionnaire or will not fill it out completely, you should not walk but run away from doing business with such a party.

One of the key requirements of any successful compliance program is that a company must make an initial assessment of a proposed third party. The size of a company does not matter, as small businesses can face significant risks and will need more extensive procedures than other businesses facing limited threats. The level of risk that companies face will also vary with the type and nature of the third parties with which they may have business relationships. For example, a company that appropriately assesses that there is no risk of bribery on the part of one group of its third parties will require nothing in the way of procedures to prevent corruption in the context of those relationships. By the same token, the bribery risks associated with reliance on a third-party agent representing a company in negotiations with foreign government officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks.
The questionnaire fills several vital roles in your overall management of third parties. It provides key information you need to know about who you are doing business with and whether they can fulfill your commercial needs. Just as important is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, U.K. Bribery Act, or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Three key takeaways:

  1. You must have enough information to fully identify the owners, UBOs, and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs requires questionnaires.
  3. If a third party refuses to fully respond to your questionnaire, run and don’t walk away from the proposed relationship.