Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 1: Michael Parker on Risk Mitigation

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, from the Volkov Law Group. In this Part 1, I visit with Michael Parker on the need for risk mitigation to bring a third party into a relationship with your organization.

Parker has worked in the compliance arena for six years, learning from his experience in government and tech. For a compliance program to be successful, executive leadership must also have Board of Directors buy-in for oversight. A third-party risk management platform aims to protect the business’s assets and create a single source of truth. Through such a mechanism, third parties can be screened for anti-bribery, anti-corruption, human trafficking, and much more. The Board needs visibility to make decisions and an audit log to show activity and diligence if ever needed. It is critical for all compliance functions to stay up to date with regulations and keep their third-party platform consistently updated.

Key Highlights

  • How can a risk-based approach, coupled with a single source of truth and a robust platform, help protect business assets and comply with changing regulations?
  • What is the German Supply Chain Act, and how can companies ensure compliance related to human trafficking and human slavery?
  • How can companies use visual analytics to gain insights into their risk-based approach and show evidence of due diligence in the face of an audit?

Notable Quotes

  1. “Companies don’t do bad things; people do. And as people do, the regulatory landscape changes and can change quickly. So keeping up with those changes is critical to protecting your assets and mitigating risk.”
  2. “We need to increase our defensibility and audibility if somebody comes knocking; we can show and illustrate that we have done our due diligence to mitigate any risk of doing business with this third party.”
  3. “Companies don’t do bad things; people do.”
  4. “Put a platform in place that is robust lends itself to a number of different benefits.”

 Resources

Michael Parker on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Risk Mitigation

With the ever-changing landscape of regulations and laws, it is becoming increasingly difficult for companies to keep up and remain compliant. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider risk mitigation, and I visit with Michael Parker, Director of Advisory and Consulting Services for Diligent, to discuss how to approach the Board of Directors around the crucial issue of third-party risk management and risk mitigation. Parker has been in the compliance industry for six years and has experience working with the Department of Homeland Security, Apple Computer, and over 300 clients in the compliance and legal space.

Parker dives into how Diligent’s platform helps companies assess risk and comply with compliance laws such as the FCPA, UK Modern Slavery Act, Uyghur Forced Labor Prevention Act and more. Join us in this five-part series to learn how Diligent’s platform can help reduce risk and ensure compliance.

Here are the steps you need to follow to achieve risk mitigation:

  1. Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.
  2. Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.
  3. Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.

Screening is an essential first step, covering anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, embargoes, etc. The process begins by collecting and inputting data into a single source of truth platform such as Diligent’s Third Party Risk Management System. This platform allows for a risk-based approach to screening, in which the compliance professional can assess the risk of doing business with a third party. This assessment includes screening for anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, and embargoes, as well as more recent regulations such as the German Supply Chain Act and the UK Modern Slavery Act. It also provides the ability to document and audit activities, allowing for better visibility and accountability from an internal and external perspective. Finally, the platform is constantly updated to ensure that it is compliant with any new laws or regulations that are implemented.

Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.

The second step in the third-party risk management process is to take a risk-based approach in evaluating the dossier of information. This dossier typically includes the results of the screening process, any due diligence questionnaires, and any additional investigations that have been conducted. All these items should be compiled into a single source of truth and reviewed to ensure that the organization has done its due diligence in assessing the third party.

The risk-based approach should be tailored to the specific organization and its risk profile, as well as the specific third-party that they are doing business with. This evaluation should also take into consideration any changes in laws, regulations, and sanctions that may have been recently implemented. The diligence program should also be able to screen for a variety of different risks, such as anti-bribery, anti-corruption, human trafficking, politically exposed persons, state-owned entities, watchlists, and embargoes.

Once the evaluation is complete, the organization should have a clear understanding of the risks associated with doing business with the third party and can make an informed decision as to whether to approve or deny the business relationship. This risk-based approach should be documented for auditability in case of any potential future inquiries or investigations.

Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Documentation is an essential part of risk mitigation and due diligence. It is important to maintain an audit trail of activities, notes, attachments, and actions taken related to third party risk management. This allows companies to easily access information and prove that they have taken the necessary steps to mitigate risk. A platform such as Diligent’s Third Party Risk Manager can be used to keep track of all the necessary documentation. All activities, notes, and attachments can be stored in a single source of truth, which provides visibility and auditability for the board. Additionally, the platform is regularly updated to ensure that it is up to date with the latest regulations and laws. This allows companies to remain compliant and mitigate risk. All these elements come together to form a dossier of information, which can be used to approve or deny business with third parties. Documentation is a key part of any risk management program and is essential for due diligence.

This five-part blog post series will explore reprioritizing your third-party risk management program. It is essential to properly evaluate third-party risk and to document all activities, notes, and attachments to remain compliant and mitigate risk. With the right platform and approach, companies can keep up with the ever-changing regulations and laws and protect their businesses from potential issues. With dedication and hard work, business owners can stay ahead of the curve in risk management and compliance.

For more information, check out Diligent here.

Listen to Michael Parker on the podcast series here.

Categories
Compliance Into the Weeds

Beneath the Bailout: The Collapse of Silicon Valley Bank

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, Matt and I explore the collapse of Silicon Valley Bank (SVB) and its outcomes. We discuss the consequences if the Federal government fails to bail out Signature Bank in New York and Silicon Valley Bank. The Dodd-Frank Act is examined, and we note that the fact that the SVB Chief Risk Officer left 8 months ago and was never replaced is a huge red flag. Will this event cause the Federal Reserve to pause interest rate hikes? Why did Libertarians from the tech industry scream for bailouts? Tom and Matt expertly unpack the complex details within the industry and provide insight and analysis into this relevant and timely industry topic.

 Key Highlights

The Impact of Silicon Bank and SVB’s Failures on the Banking Industry [02:01]

Implications of Unsold Silicon Valley Bank Assets on Taxpayers [05:04]

Challenge of Businesses Dealing with Employee Benefits under Federal Government Regulations [09:04]

Effects of Changes to the Dodd-Frank Act on Midsized Banks [12:54]

The Impact of Regulatory Ease on Business Failures [16:47]

The Reasons Behind Silicon Valley Bank’s Chief Risk Officer Quitting [20:53]

The Impact of Social Media on Interest Rate Decisions by the Federal Reserve [24:52]

 Notable Quotes:

1. “So those loans brought in maybe 2 or 3 percent interest, but SVB had to pay out interest rates that might be more at 4 percent. That difference undermined the capital structure and the balance sheet of SVB until people started getting skittish, and then they said, Maybe I should pull my money out, which made the bank even more weak, so people got even more skittish.”

2. “The big issue, which is why the business customer angle is important, is that under FDIC rules, a bank’s deposits are insured up to 250,000 dollars per account.”

3. “Is it a business if you can never fail? This was not too big to fail. This was we are not going to let anybody fail.”

4. “You may not know where your key suppliers, customers, or key third parties are banking. Maybe you have that information. But does that mean you’re going to have to assess the financial health of those financial institutions of your customers? And know if they can pay you for your vendors or third-party suppliers. They can meet their payroll to deliver their services.”

 Resources

Matt on LinkedIn

Tom on LinkedIn

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 1

What happens when two top compliance commentators get together? They talk compliance, of course. Join Kristy Grant-Hart and Tom Fox for their new podcast, 2 Gurus Talk Compliance! But it is not simply Kristy and Tom talking about compliance. In this podcast series, Kristy and Tom also review other top commentators in compliance. In this podcast, we will consider all things compliance, corporate ethics, ESG, governance, and whatever else is on our minds and the minds of other experts in the field. Kristy and Tom explore all of these topics with expertise and wit.

In this inaugural episode, they discuss the latest compliance trends and news, including two Supreme Court cases that have implications for the compliance profession. They also cover the Department of Justice and whistleblower trends, taking a look at Miranda and Upjohn warnings and increasing numbers of whistleblower reports to the SEC. They also dive into an article from the Harvard Law School Forum on corporate governance and discuss the Illinois Biometric law. Join the conversation and discover the latest on compliance and regulations with 2 Gurus Talk Compliance.

Highlights Include

The Role of In-House Attorneys in Communication Between Outside Counsel and Businesses [00:05:17]

Supreme Court Decision on the Future of the CFPB [00:09:11]

Impact of the Colorado Draft Regulation on Artificial Intelligence Compliance Programs [00:13:23]

The Benefits of Automated Data Deletion [00:17:23]

A Miranda component to corporate Upjohn Warnings [00:21:25]

The Obligation of Society to Address Climate Change [00:25:33]

The Benefits of Self-Disclosure in the DOJ Justice System [00:29:18]

The Role of the Board in Overseeing Third Parties in High-Risk Countries [00:33:14]

The Impact of Whistleblowers on the SEC [00:40:54]

White Castle’s Violation of Illinois Biometric Law [00:45:05]

Notable Quotes

  1. “The DOJ is urging a federal judge to sanction Google’s parent, Alphabet, for its practice of setting employee chats to auto delete despite promising to preserve records.”
  2. “It goes beyond the specifics of this law, something you and I have talked about for several years now, that the compliance function and the CCO is well perhaps the most well-suited corporate discipline to deal with these new initiatives because it’s the basic framework of compliance that you and I have worked with for 15 years.”
  3. “Most compliance programs just don’t have good frameworks for things like AI or for big data even though we’ve been using that word for a long time.”

Resources

  1. Boards and 3rd Party Risk Oversight
  2. CO Draft AI Rules for Insurance
  3. Miranda Warnings in Corp Investigation
  4. Current whistleblowing landscape
  5. Has the stature of the CCO changed? 
  6. Analysis of the DOJ’s update to the self-disclosure program
  7. Supreme Court considering defunding the CFTC
  8. Trends in state privacy law   
  9. Litigation holds and records retention/Google/DOJ  
  10. Individuals charged – first enforcement action 2023 

Connect with Kristy Grant-Hart on LinkedIn

Spark Consulting

Connect with Tom Fox on LinkedIn

Categories
Innovation in Compliance

Leveraging Technology in Third-Party Risk Management with Jag Lamba and Jared Ezzell

Jag Lamba and Jared Ezzell from Certa join Tom Fox on the Innovation In Compliance podcast to explore the essential elements of a thriving third-party risk management program. They emphasize the significance of minimizing reliance on third-party self-disclosures by utilizing technology and data. They also highlight the importance of integrating due diligence, training, and ongoing monitoring to create a comprehensive approach to risk management. The conversation extends to payment controls, charitable donations, and the integration of the program into the overall third-party risk management lifecycle.

Jag is the founder and CEO of Certa. Jared Ezzell is the Chief Customer Officer. Certa is a third-party lifecycle management platform for procurement, compliance, and ESG. Their no-code platform provides an easy and efficient way to digitize and manage the lifecycle of all suppliers, partners, and customers. Certa’s automated onboarding, contract lifecycle management, and ESG management eliminate the procurement bottleneck, allowing companies to onboard third parties three times faster. With their cutting-edge technology, Certa is transforming the way businesses manage their third-party relationships, ensuring compliance and sustainability at every step.

 

Here are some key points Tom, Jag, and Jared talk about:

  • Jared talks about his professional background and his role at the company Certa, their products, and their customers. 
  • The hallmark of an effective anti-bribery and anti-corruption compliance program is the concept of risk assessment.
  • Jared discusses the nine elements developed by Certa for an effective compliance program.
  • The three dimensions of a complete solution for compliance risk management are full spectrum risk management, the full life cycle of the third party, and the full spectrum of third parties.
  • A successful technology transformation project should be a modular rollout, with a focus on solving the highest pain point within three months and continuously phasing the rollout to avoid becoming overwhelmed.
  • Jag and Jared clarify that while the company doesn’t play the role of creating the documentation, they provide input and help evidence the client’s defensible positioning in support of the client’s policies.
  • Jag tells Tom that the ongoing monitoring of third-party relationships requires companies to have data sources and processes in place, have a controls framework to act on information, and automate controls to handle egregious alerts.

 

KEY QUOTE:

“The ability to systematically enforce payment controls is a key common practice in successful third-party risk management.” – Jared Ezzell

 

Resources:

Jag Lamba on LinkedIn | Twitter 

Jared Ezzell on LinkedIn 

Certa

Categories
FCPA Compliance Report

Alastair Parr on New Developments in TPRM

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this special episode, I am joined by Alastair Parr, SVP of Global Products & Delivery at Prevalent to discuss developments in third-party risk management.

In this episode we consider:

  • Why is a comprehensive 3rd party risk management solution not simply a nice-to-have but a must-have now?
  • Why is 3rd party risk management so much more critical after the pandemic and the Russian invasion of Ukraine?
  • Improving the UX for TPRM.
  • Why has simplifying the UX for TPRM eluded most providers so far?
  • How can the UX be improved so the information which is the most vital and most relevant is captured and more importantly can be actioned?
  • How can the process of obtaining TPRM information to implementing controls to manage the risk be improved?
  • How can companies automate data gathering by using a single targeted assessment by building in targeted compliance mappings for legal or regulatory requirements?
  • Other areas of compliance such as modern slavery and human trafficking?
  • Do you see continued evolution of 3rd party risk management into 2025 and beyond?

Resources

Alastair Parr on LinkedIn

Prevalent

Being a Compliance Officer is Awesome on Amazon.com

Categories
Greetings and Felicitations

Great Structures Week V: The Tacoma Narrows Bridge Failure and Preventing Failure in Your Compliance Program

Welcome to Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but influence our profession. In this special series, I consider how many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this concluding episode 5, I consider the Tacoma Narrows Bridge failure and preventing failure in your compliance program. Highlights include:

  • Why and how did the Tacoma Narrows Bridge fail?
  • What are the key lessons it provides to compliance professionals?
  • Why are 3rd parties still the greatest risk to any compliance program?
  • What steps can you take to manage third parties most effectively?
  • Why is continuous monitoring key to managing risk?

Resources

 “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler from The Teaching Company.

Categories
Compliance Into the Weeds

Lessons from the Biotronik Anti-Kickback Enforcement Action

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we take a deep dive into the recent settlement by Biotronik with the DOJ over allegations of the violation of the Anti-Kickback Statute. Highlights include:

  • Background facts.
  • Training programs as cover for bribes.
  • What is lavish entertainment?
  • What were the internal control failures?
  • Controls for high-risk payments.
  • Lessons learned for the ABC compliance professional.

Resources

Tom in the FCPA Compliance and Ethics Blog

Part 1-Background

Part 2-the Bribery Schemes and Lessons Learned

Matt in Radical Compliance

Categories
This Week in FCPA

Episode 295 – the Baseball is Back edition


MLB and the players manage to work out their differences as Tom Brady unretires. Jay and Tom look at some of the week’s top compliance and ethics stories in the Baseball is Back edition.

Stories

  1. Is ESG in crisis? Lawrence Heim in practicalESG.
  2. Compliance-The Single. Matt Kelly in Radical Compliance.
  3. Corporate investigations and waiver of privilege. Debevoise lawyers in Compliance and Enforcement.
  4. Fear based compliance. Mike Volkov in Corruption Crime and Compliance.
  5. A view on corruption from the front lines. Tom and Matt interview Tim Khasinov-Batirov on Compliance into the Weeds. Matt blogs in Radical Compliance.
  6. Holistic 3rd party management. Mike Volkov, Susanna Cagle and Carol Williams in Risk and Compliance Matters.
  7. What kind of person resists a bribe? Gary Drevitch in Psychology Today.
  8. Ethisphere announces 2022 WME. Ethisphere Press Release. Erica Salmon Byrne on the FCPA Compliance Report.
  9. Are cyber whistleblowers different. Kenji Price, Scott Ferber and Mark Schreiber in CCI.
  10. If you are going to IPO, better ESG first. Bob Conlin in Forbes.com.

Podcasts and More

  11. In March on The Compliance Life, I visit with Audrey Harris, Managing Director at AMI, formerly CCO at BHP. In Part 1, she discusses her academic background and early professional career. In Episode 2, Audrey moves to the CCO chair at BHP. In Episode 3, she moves back to private practice.
  12. Tom and Megan Dougherty are back with 2 more episodes of the MCU series. Guardians of the Galaxy Part 1 and Part 2.
  13. Taxman: On the Intersection of Tax and Compliance. A 5-part series with Tracy Howell. Part 1-why compliance needs to talk to tax. Part 2-transfer pricing. Part 3-why tax needs a seat at the table. Part 4-tax and supply chain. Part 5-tax and ESG.
  14. Tom visits with Hill Country Joanne Easley on The Hill Country Podcast.

Categories
Innovation in Compliance

Right Question to the Right Person at the Right Time with Ishan Girdhar


 
Ishan Girdhar is Tom Fox’s guest in this week’s show. He is the CEO and founder of Privva, a cloud-based platform that streamlines data security to enable law firms to easily implement their own risk assessment. Tom and Ishan explore risk management in the new hybrid work era and what compliance professionals need to be thinking about in the coming years in that regard.  
 

 
The New Normal
The new hybrid work environment is here to stay. More companies are going back to the office but with fewer employees on site. This means that company leaders and compliance officers need to find a way to manage risk around virtual collaboration and communication technologies in a remote work environment. They will need to make sure that all employees are connected in a secure way. “When you have people working from home and working remotely, access to sensitive information grew exponentially… Many people have devices like Alexa or Google Home; those are devices that are recording every conversation that’s happening in your home,” Ishan cautions. Implementing policies that ensure employees aren’t working in the vicinity of these devices and making sure that companies lock-on set intervals, will go a long way in mitigating the risk that is posed from working in this environment.
 
Keep Communications Focus
Employees have to act as stewards and maintain and adhere to company policies surrounding risk and compliance. Tom asks Ishan how he keeps a communications focus in his organization, in a way that doesn’t lead to compliance fatigue. Compliance officers need to ensure that they’re actively capturing communication across their organizations, and that they have the tools to do so. “Make sure that your tech stack has the right capabilities to capture information and communication across your network,” Ishan remarks. Communicating the right ways to work with your clients and employees is also something that companies need to be thinking about. Use the right tools and the right steps to make sure your actions are in line with your internal corporate policies; the compliance departments can have access to that information if it’s required.  Make sure that the data is integrated and that all of that dialogue is time-stamped so it can be captured together. 
 
Creating Effective Cybersecurity
“Every product that technology brings to make your lives easier, better, faster, and cheaper for your clients comes with cybersecurity risk,” Ishan tells Tom. In order to mitigate cybersecurity risk, consistent training of your employees is necessary. Cybersecurity needs to be built into the culture of your organization and is a way for you to do your jobs in a timely and efficient way. Compliance professionals should be on top of what’s happening in the market with regard to new threats and risks. Have detailed policy monitoring and reporting requirements, and ensure you’re adapting your policies to the new norm. 
 
Third-Party Risk
Tom posits that third-party risk is beyond company to company, and that it’s actually the entire scope of your communication. Third-party risk is your suppliers, your partners, and your customers. Companies need to think about where their data is hidden, and where it’s going. “How is it leaving your environment? Where is it going? What’s the sensitivity of that data?” These are the questions Ishan implores leaders to think about. The biggest challenge with third-party risk management is that you have a say, but you don’t have full authority in enforcing change. It is also a two-way street in that as a company, you are also a custodian of information and you have to understand your minimum baselines, the security controls that are nonstarters for you, and what risks you’re willing to accept. If you are sending sensitive data to a third party, you have to include management and leadership as part of that conversation and process. 
 
What’s Next
Buying technology that will be sustainable going forward is one of the best ways to respond to cybersecurity risks in the coming future. Privacy is also a big challenge that companies are going to face. “Build out your budget and make sure that you have the right investments in place as you continue to grow and continue to go into the future leading up to 2025,” Ishan advises Tom and the audience. 
 
Resources
Ishan Girdhar | LinkedIn | Twitter
Privva