Categories
Innovation in Compliance

Right Question to the Right Person at the Right Time with Ishan Girdhar


 
Ishan Girdhar is Tom Fox’s guest in this week’s show. He is the CEO and founder of Privva, a cloud-based platform that streamlines data security to enable law firms to easily implement their own risk assessment. Tom and Ishan explore risk management in the new hybrid work era and what compliance professionals need to be thinking about in the coming years in that regard.  
 

 
The New Normal
The new hybrid work environment is here to stay. More companies are going back to the office, but with fewer employees on site. This means that company leaders and compliance officers need to find a way to manage the risk around virtual collaboration and communication technologies in a remote work environment. They will need to make sure that all employees are connected in a secure way. “When you have people working from home and working remotely, access to sensitive information grew exponentially… Many people have devices like Alexa or Google Home; those are devices that are recording every conversation that’s happening in your home,” Ishan cautions. Implementing policies that ensure employees aren’t working in the vicinity of these devices, and making sure that devices lock at set intervals, will go a long way in mitigating the risk posed by working in this environment.
 
Keep Communications Focus
Employees have to act as stewards and maintain and adhere to company policies surrounding risk and compliance. Tom asks Ishan how he keeps a communications focus in his organization in a way that doesn’t lead to compliance fatigue. Compliance officers need to ensure that they’re actively capturing communication across their organizations, and that they have the tools to do so. “Make sure that your tech stack has the right capabilities to capture information and communication across your network,” Ishan remarks. Communicating the right ways to work with your clients and employees is also something that companies need to be thinking about. Use the right tools and the right steps to make sure your actions are in line with your internal corporate policies, so that the compliance department can have access to that information if it’s required. Make sure that the data is integrated and that all of that dialogue is time-stamped so it can be captured together.
 
Creating Effective Cybersecurity
“Every product that technology brings to make your lives easier, better, faster, and cheaper for your clients comes with cybersecurity risk,” Ishan tells Tom. In order to mitigate cybersecurity risk, consistent training of your employees is necessary. Cybersecurity needs to be built into the culture of your organization and is a way for you to do your jobs in a timely and efficient way. Compliance professionals should be on top of what’s happening in the market with regard to new threats and risks. Have detailed policy monitoring and reporting requirements, and ensure you’re adapting your policies to the new norm. 
 
Third-Party Risk
Tom posits that third-party risk is beyond company to company, and that it’s actually the entire scope of your communication. Third-party risk is your suppliers, your partners, and your customers. Companies need to think about where their data is hidden, and where it’s going. “How is it leaving your environment? Where is it going? What’s the sensitivity of that data?” These are the questions Ishan implores leaders to think about. The biggest challenge with third-party risk management is that you have a say, but you don’t have full authority in enforcing change. It is also a two-way street in that as a company, you are also a custodian of information and you have to understand your minimum baselines, the security controls that are nonstarters for you, and what risks you’re willing to accept. If you are sending sensitive data to a third party, you have to include management and leadership as part of that conversation and process. 
 
What’s Next
Buying technology that will be sustainable going forward is one of the best ways to respond to cybersecurity risks in the coming future. Privacy is also a big challenge that companies are going to face. “Build out your budget and make sure that you have the right investments in place as you continue to grow and continue to go into the future leading up to 2025,” Ishan advises Tom and the audience. 
 
Resources
Ishan Girdhar | LinkedIn | Twitter
Privva
 

Categories
FCPA Compliance Report

Charles Thomas on the Current State of 3rd Party Risk Solutions


In this episode of the FCPA Compliance Report, I am joined by Charles Thomas, Market Planning Director for LexisNexis Risk Solutions. In this episode we take a look at the current state of risk areas around third parties, the convergence of risk solutions and future developments in 3rd party risk solutions.
Highlights include:

  1. What are the top issues clients have faced over the past 12 months?
  2. What are the key trends in international ABC enforcement?
  3. What is the convergence of compliance, mixing ABC with supply chain, procurement, sanctions and other regimes?
  4. What is the increased focus on third parties and the risks posed by such relationships?

Resources 
Charles Thomas on LinkedIn
LexisNexis Risk Solutions

Categories
The Compliance Handbook

Third Parties with Kristy Grant Hart


Third parties are still perceived as the most prominent high risk for companies. Other than bribery and corruption — modern slavery/human trafficking, data privacy, information and cybersecurity, anti-money laundering, and other areas are requiring third-party integrated risk assessment and planning. Compliance and data privacy law thought leader Kristy Grant-Hart, CEO of Spark Compliance Consulting, offers an innovative approach and inspiring perspective in this conversation.
Major takeaways discussed in the episode:

  • Bribery and Corruption: This remains the most significant problem because of the general business population’s perception that what a third party does on your behalf isn’t your problem. Because some countries have laws like that, this built the sensibility that “if I didn’t do it, then it doesn’t matter.”
  • Due Diligence Integration: Every company is different; however, it is crucial to apply a comprehensive and consistent approach to conducting due diligence in all categories in appointing and maintaining relationships with third parties.
  • Scoping: Define the degree of risk to be reviewed and identify the highest probable risk scenario, based on the quantitative things that we know, like the CPI score or the Trafficking in Persons report. That’s where you try to start, so that you’re looking at the right risk with the right tools.
  • Digital Assets: Many parts of the business are not working together to have that third-party onboarding. The problem is that they don’t want to work together necessarily. Using various technology-enabled solutions for your clients will enable you to clearly and effectively see across the entire risk spectrum.

The “Nuts and Bolts” for Creating a Comprehensive Compliance Plan 
The first chapter of this unique work lays out a succinct yet thorough 31-day approach to operationalizing a company’s compliance regimen. Beginning with a section on what 2020 brought to the compliance landscape, the chapter methodically outlines best practices for everything from establishing policies, procedures, and internal controls, to assessing risk, training, handling investigations, and more. Each day ends with three key takeaways you can implement at little or no cost.
Understanding Compliance Responsibility Across the Organization
The Compliance Handbook also takes a close look at all professionals’ roles with compliance responsibility, from Compliance Officers and Boards of Directors to Human Resources, to Internal Audit and Internal Controls and Communications and Training professionals.
In-Depth Treatment of Hot Topics and Trends
The Handbook provides an in-depth look at the latest thinking and trends for the full range of critical compliance topics, including:
• Compliance and business ventures
• Third-party risk management
• The Board’s Role in Compliance
• Continuous improvement
• Compliance innovation
• And much more
Order your copy OR copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Save 25% off.
http://www.lexisnexis.com/fox25

Categories
31 Days to More Effective Compliance Programs

Day 17 | Managing your third parties


The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.
Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.
Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.
Categories
31 Days to More Effective Compliance Programs

Day 16 | The third-party risk management process


As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:

  1. Business Justification by the Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the full 5-step process for third party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.
Categories
31 Days to More Effective Compliance Programs

Use of Data to Manage Third-Parties


In today’s edition of 31 Days to a More Effective Compliance Program, I am joined by Vin DiCianni, founder of Affiliated Monitors. Vin provides insights into how the use of data can facilitate the management of third-parties after the contract is signed.
3 Key Takeaways

  1. The process of collecting data cleans up much risk and provides cost savings.
  2. More reliable data about third parties will facilitate their more effective management.
  3. Using data to manage third parties will further operationalize your compliance program.
Categories
31 Days to More Effective Compliance Programs

Third-Party Risk Expansion


What is third-party risk expansion and why is it a risk in compliance? Historically, people talked about a third party simply as an entity outside of your organization. However, that definition is broadening to mean any entity with which your company works. Obviously, this can be a supplier or vendor, a service provider, a customer, a joint-venture (JV) partner and/or an intercompany affiliate. A broader view could include intercompany affiliates as third parties, even though many people would see them as just being another entity inside of a business. As the definition of third parties expands, this only makes life more complicated for anyone trying to do third-party risk assessments, and the tiering then creates an exponential change.
Previously, a tier one supplier was a direct counterparty to your organization, directly through the sales channel. A tier two was one that your company’s tier one counterparty works through. This means risk managers assessing the various risks now have to go deeper and deeper. One way to do so is by trying to understand the connection between tiers one, two, three, four and so on. The problem is that many companies do not manage this risk because they cannot identify which companies are taking risks, allegedly on their behalf. One of the most difficult issues for compliance professionals and risk managers is trying to get their arms around how to handle this issue.
You should begin with mapping out and understanding the third parties whose exposure needs to be assessed by your organization. Obviously, this includes both direct and indirect third parties, but in terms of the tiering, the best way for anyone to understand the risk is to have really good communication with their tier one third parties, to be able to discuss the risks to both businesses.
Three key takeaways:

  1. Has your third-party risk management program expanded with your third-parties?
  2. Why is transparency a key for third-party risk management?
  3. What is the financial health of your third-parties?
Categories
31 Days to More Effective Compliance Programs

Third-party risk management ROI


One area that has bedeviled CCOs and compliance practitioners is how to determine the ROI for your compliance program regarding third-parties. While it is still clear that third-parties are the greatest risk in FCPA enforcement actions, senior management often wants to know what is the monetary benefit to the company for this type of risk management.
When you couple the request for ROI with the 2020 Update, it may seem like a doubly daunting task. However, the requirement for operationalization of your compliance program actually lends itself to formulating ROI around the risk management of third-parties. This is because if you move third-party compliance into the organization as a business process, with a technological solution, the ROI becomes not only clearer but easier to calculate going forward.
Three key takeaways:

  1. Why is it important to demonstrate ROI on your third-party risk management program?
  2. Determining ROI helps to demonstrate operationalizing your compliance program.
  3. Determining third-party management program ROI can help to tear down compliance silos.
Categories
31 Days to More Effective Compliance Programs

Managing third-parties


The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third-parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance.
The key is to have a strategic approach to how you structure and manage your third-party relationships during the full lifecycle of the contract. This may mean more closely partnering with your third-parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to manage the bribery and corruption risk while optimizing the performance of your third-parties.
Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Keep track of the financial stability of your third-parties.
  3. Rank third-parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-3rd Party Compliance Terms and Conditions

The 2020 Resource Guide stated, “In addition to considering a company’s due diligence on third parties, DOJ and SEC also assess whether the company has informed third parties of the company’s compliance program and commitment to ethical and lawful business practices and, where appropriate, whether it has sought assurances from third parties, through certifications and otherwise, of reciprocal commitments. These can be meaningful ways to mitigate third-party risk.”

You should incorporate appropriate compliance terms and conditions into every contract with third parties. I would suggest that you prepare a template, which can be used as a starting point for your negotiations. The advantages of such a template are several and they include: (1) the contract language is tested against real events; (2) the contract language assists the company in managing its compliance risks; (3) the contract language fits into a series of related contracts; (4) the contract language is straightforward to administer; and (5) the contract language helps to manage the expectations of both contracting parties regarding anti-bribery and anti-corruption.

Many do not believe that they will be able to get the third-party to agree to such compliance terms and conditions. I have found that while it may not be easy, it is relatively simple to get a third-party to agree to these or similar terms and conditions. One approach to take is that they are not negotiable. When faced with such a position on non-commercial terms many third-parties will not fight such a position. There is some flexibility, but the DOJ will require the minimum compliance terms and conditions. But the best position I have found is that if a third-party agrees with these terms and conditions, they can then use that as a market differentiator.

Three key takeaways:

  1. Compliance terms and conditions are mandatory for any best practices compliance program.
  2. A key clause is the right to audit clause.
  3. Third-parties can favor robust compliance terms and conditions as a market differentiator.