Tag: 3rd parties

Categories
Innovation in Compliance

Improving Third – Party Risk Management with Paul Valente

In today’s interconnected world, businesses rely on third-party vendors for various products and services. While these partnerships bring great benefits, they also expose companies to a range of risks such as cyber threats, compliance issues, and reputational damage. In this episode, Tom Fox interviews Paul Valente, the co-founder and CEO of VISO Trust. Paul shares valuable insights into how businesses can mitigate risks posed by third-party vendors, the importance of continuous monitoring, and how VISO Trust’s platform helps companies manage risks effectively.

Paul Valente is the CEO and co-founder of VISO Trust, a company that provides automated third-party cyber risk management solutions. Prior to founding VISO Trust, Paul was the Chief Information Security Officer (CISO) at several companies, including Restoration Hardware, Lending Club, and ASAPP. He is a longtime technologist and security professional with experience in highly regulated industries.

 

You’ll hear Tom and Paul talk about:

  • Companies have more sensitive data on other companies’ infrastructure than they do internally, which increases risk and augments the need for a robust risk management strategy.
  • Boards have a duty of oversight to proactively monitor their third-party risk management programs. They should also keep abreast of emerging threats.
  • Automation is a key component in a third-party risk management solution for cybersecurity. The standard approach of using questionnaires to assess third-party security is slow, labor-intensive, and ineffective.
  • VISO Trust’s patented first-to-market Document Intelligence removes friction for vendors and provides a comprehensive risk assessment that tells customers everything they need to know to make qualified risk decisions about their third-party relationships.
  • Compliance requires auditability.
  • How VISO Trust helps companies manage risk after the contract is signed.
  • Risk management and cybersecurity data is often siloed within an organization. VISO Trust helps centralize the information by providing a dashboard where customers can have complete understanding of their overall third-party risk, and allowing them to make that data available across the organization.

 

KEY QUOTES:

“There’s companies today that have nothing internally – that are 100% cloud native. What that means typically is that there’s many copies of their data essentially with various other companies, perhaps all over the world… That just increases what we call a tax service … which just means more risk.” – Paul Valente

 

“I think [boards] need to be asking essentially what the risks are for their organization from a cybersecurity standpoint. They need to ask for those to be regularly reported on, regularly updated, and regularly tracked. …They also need to be aware themselves, both externally as well as relying on the executives within the company to keep them aware of emerging threats.” – Paul Valente

 

“…our dashboards essentially allow you to list all of your third-party relationships in one single place and easily report on the status of assessments as well as report on inherent risk.” – Paul Valente

 

Resources:

Paul Valente on LinkedIn | Twitter

VISO Trust

Categories
31 Days to More Effective Compliance Programs

Third-Parties as Compliance Innovation Partners

It is universally recognized that third parties are your highest FCPA risk. Could you turn your third party from liability under the FCPA to an innovation partner for your compliance program? This is an area that only a few compliance professionals have mined, but once again, in compliance, you are only limited by your imagination. In a Supply Chain Management Review article by Jennifer Blackhurst, Pam Manhart, and Emily Kohnke, entitled “The Five Key Components for Supply Chain Innovation,” the authors identified five components common to the most successful innovation partnerships. They are:

Don’t settle for the status quo. This means you should not settle for simply the status quo in compliance.

Hit the road to hit your metrics. To understand your compliance risk from third parties, you must get out of the ivory tower and hit the road.

Send prospectors, not auditors. While an audit clause is critical in any third-party contract, from a commercial and FCPA compliance perspective, you can establish a “point of contact as an innovation manager for your third parties.”

Show and tell. As with all relationships, trust plays an important role in third-party compliance innovation, as “Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.”

Who’s running the show? This means “who is doing what, but also what each firm is bringing to the relationship regarding resources and capabilities.”

Three key takeaways:

  1. Use your third parties as innovators to assist your compliance program.
  2. Change your thinking about third parties and make them your partners.
  3. Do not settle for the status quo.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Ongoing Monitoring of 3rd Parties

One of the key themes in the Evaluation of Corporate Compliance Programs is the use of data and data analytics in a best practices compliance program. This has specific application to third-parties. In the section entitled, Risk-Tailored Resource Allocation, the following question was posed, Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Under the section entitled, Control Testing, the following question was posed, Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake? Finally, under the section entitled, Payment Systems was the following query, How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

All of these questions make clear that the DOJ expects data analytics to be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third-parties. A clear majority of FCPA violations and related enforcement actions have come from the use of third-parties. While sham contracting (i.e., using a third-party to channel the payment of a bribe) has lessened in recent years, there are related data analysis that can be performed to ascertain whether a third-party is likely performing legitimate services for your company and is not a sham. There are several more complex analytics that can be run in combination to identify suspicious third-parties, and some of the simplest can be to look for duplicate or erroneous payments. This final concept of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allowing you to follow the money. It can be a part of your third-party ongoing monitoring as well by allowing you to partner the information on third-parties who might come into your company where there was no proper compliance vetting. Such capabilities are clearly where you need to be heading.

Three key takeaways:

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Managing 3rd Party After the Contract is Signed

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation, and contract compliance terms and conditions. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Rank third parties based on a variety of factors including compliance and business performance, length of the relationship, benchmarking metrics, and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Questionnaire

The next step in the five-step process is the questionnaire. The term ‘questionnaire’ is mentioned several times in the 2020 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to understand better with whom it is doing business. The questionnaire should be mandatory for any third party that desires to work with your company as it mandates the proposed business partner commit to the required information in writing before beginning the due diligence process. Remember, if a third party does not want to fill out the questionnaire or will not fill it out completely, you should not walk but run away from doing business with such a party.

One of the key requirements of any successful compliance program is that a company must make an initial assessment of a proposed third party. The size of a company does not matter, as small businesses can face significant risks and will need more extensive procedures than other businesses facing limited threats. The level of risk that companies face will also vary with the type and nature of the third parties with which they may have business relationships. For example, a company that appropriately assesses that there is no risk of bribery on the part of one group of its third parties will require nothing in the way of procedures to prevent corruption in the context of those relationships. By the same token, the bribery risks associated with reliance on a third-party agent representing a company in negotiations with foreign government officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks.
The questionnaire fills several vital roles in your overall management of third parties. It provides key information you need to know about who you are doing business with and whether they can fulfill your commercial needs. Just as important is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, U.K. Bribery Act, or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Three key takeaways:

  1. You must have enough information to fully identify the owners, UBOs, and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs requires questionnaires.
  3. If a third party refuses to fully respond to your questionnaire, run and don’t walk away from the proposed relationship.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Business Justification

The 2023 Evaluation of Corporate Compliance Programs stated, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials.” This standard articulates one of the most basic tools to operationalize your compliance program and should form the basis of your third-party risk management process. Indeed, this is viewed as an internal control with the 2023 ECCP going on to pose the following question, “How does the company ensure there is an appropriate business rationale for the use of third parties?”

What should go into your business justification? At the most basic level, you should craft a document, which works for both you as the compliance practitioner and the business folks in your company, that details some basic concepts which includes the following: 1) The name and contact information for both the Relationship Manager and the proposed third party; 2) How the Relationship Manager came to know about the third party because it is a red flag if a customer or government representative points you towards a specific third party; 3) What services the third party will perform for your company, the length of time and compensation rate for the third party; and 4) An explanation of why this specific third party should be used as opposed to an existing or other third party, if such were considered. All this information should be documented and then signed by the Relationship Manager.

Remember, the purpose of the business rationale is to document the satisfactoriness of the business case to retain a third party. The business rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. This means “Document, Document, and Document.”

 Three key takeaways:

1. You should always have a business reason for using a third party which is articulated by the business folks, not compliance.

2. A Relationship Manager is the key going forward in operationalizing your compliance program through the life of the third-party relationship with your company.

3. Always remember to “Document, Document, and Document”.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – 3rd Party Risk Management Process

As every compliance practitioner knows, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
 Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is performing the work, and that its compensation is commensurate with the work provided in that industry and geographical region.   Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This specifies that the DOJ expects an integrated approach operationalized throughout the company. This means you must have a process for the full third-party risk management life cycle. Five steps in the life cycle of third-party risk management will fulfill the DOJ requirements in the 2020 FCPA Resource Guide and the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

  1. Business Justification by the Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party, including triage of results;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the entire 5-step process for third-party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Introduction and Key 2022 Enforcement Actions Involving 3rd Parties

Over the month of April, I will consider the risk management of third parties in an operationalized compliance program. As every compliance practitioner knows, third parties still present the highest risk under the FCPA. You must assess whether the company has a business rationale for needing the third party in the transaction, and the risks posed by third parties, including their reputations and relationships, if any, with foreign government officials. You should ensure that contract terms with third parties specifically describe the services to be performed, the third party performing the work, and that its compensation is commensurate with the work provided in that industry and geographical region.   Finally, you must continuously monitor the third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

In this introduction, I visit with Alexander Cotoia, a Regulatory and Compliance Attorney at the Volkov Law Group, to consider how recent FCPA enforcement actions point towards the use cases for a robust third-party risk management system. In 2022, most FCPA-related enforcement actions involved third parties and required organizations to reprioritize third-party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines, and Oracle, demonstrating the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third-party risk management.

3 Key Takeaways:

1. How can organizations reprioritize third-party risk management as a core compliance function?

2. How can organizations avoid FCPA violations and maximize cooperation credit?

3. How can organizations effectively assess the risks posed by potential business partners?

Check out The Compliance Handbook, 3rd edition, here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for Business Ventures-Why Business Ventures are Different than 3rd Parties

Business ventures, whether JVs, partnerships, franchises, team agreements, strategic alliances or one of the myriad types of business relationships a U.S. company can form outside the U.S., are different than the usual risk presented by third-parties under compliance requirements such as those mandated by the FCPA. The problems for companies is that they tend to treat business venture risk the same as third-party risk. They are different and must be managed differently.

The bottom line is that may compliance practitioners have not thought through the specific risks of business ventures such as JVs, franchises, strategic alliances, teaming partner or others as opposed to sales agents or representatives on the sales side of the business. I hope that this will help facilitate a discussion that maybe people will begin to think about more of the issues, more of the risk parameters and perhaps put a better risk management strategy in place.
Three key takeaways:

  1. Business ventures bring different FCPA risks from third-parties.
  2. JVs have both external compliance risks and corporate governance risks.
  3. Use your full compliance tool kit for business ventures in managing the FCPA risk for franchises.
Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 5: Alexander Cotoia on Use Cases

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, Associate at the Volkov Law Group. In this Part 5, I visit with Alexander Cotoia, a Regulatory and Compliance Manager at the Volkov Law Group, to consider how recent FCPA enforcement actions point toward the use cases for a robust third-party risk management system.

In 2022, the overwhelming majority of FCPA-related enforcement actions involved third parties and required organizations to reprioritize third-party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines, and Oracle, which all demonstrated the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third-party risk management.

Key Highlights

·      How can organizations reprioritize third-party risk management as a core compliance function?

·      What strategies can organizations use to avoid FCPA violations and maximize cooperation credit?

·      How can organizations effectively assess the risks posed by potential business partners?

 Notable Quotes 

1.     “Don’t put yourself in a position of being uncooperative with either the SEC or DOJ. Reassess your framework for third-party risk management holistically and hone in on the nature and quality of the information that’s being collected to objectively evaluate the totality of risks posed by a potential business partner to the organization.”

2.     “You really can’t afford to be complacent, especially as we have a new emerging consideration suspecting sanctions and export controls that have become core enforcement priorities of the federal government.”

3.     “The critical question asked from a functional perspective is, is it adequate to objectively evaluate the totality of risks posed by a potential business partner to the organization?”

4.     “You have to understand that third-party risk, especially as it pertains to anti-bribery and corruption concerns, is a universal constant.”

 Resources

Alexander Cotoia on LinkedIn

Check out Diligent’s 3rd party products and services here.