Tag: 3rd parties

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program – Key 2022 FCPA Enforcement Actions

From the Foreign Corruption Practices Act (FCPA) enforcement actions in 2022, one clear theme emerges; that is, organizations must reprioritize their third-party risk management programs. Many companies are becoming complacent in this arena, not realizing the potential consequences of not properly assessing their third-party risk management practices. I recently had the opportunity to visit with Alexander Cotoia of the Volkov Law Group to discuss importance of reprioritizing third-party risk management and how organizations can assess the effectiveness of their current practices. We review three 2022 FCPA enforcement actions to explore the importance of proper third-party risk management and how to avoid the potential consequences of not properly assessing these risks. Join us as we explore the details and implications of these enforcement actions and how organizations can reprioritize their compliance programs for the ever-changing dynamics of third-party risk management.

Here are the steps you need to follow to reprioritize your third-party risk management program.:

  1. Understand that third-party risk, especially as it pertains to anti bribery and corruption concerns, is a universal constant and still the highest risk.
  2. Reassess the framework by which third parties are evaluated and objectively evaluate the totality of risks posed by a potential business partner to the organization.
  3. Implement a risk-based approach to third party risk management.
  1. Understanding third-party risk

Understanding that third party risk, especially as it pertains to anti-bribery and corruption, is a universal constant is an important step in the risk management process. As evidenced by three key enforcement actions, ABB Limited, Oracle and GOL Airlines, organizations must evaluate the risks posed by potential business partners and ensure that the information collected is adequate to objectively assess the totality of the risks. Organizations should be aware that the DOJ requires companies to adopt a risk-based approach to third party risk management. To ensure that the organization is compliant with these regulations, they should review their existing practices and be prepared to supplement them if necessary. Additionally, organizations should be aware that they may be given credit for voluntary disclosure and cooperation efforts when faced with potential violations. This may be beneficial when determining penalties and is an important factor to consider when dealing with third party risk.

  1. Reassess your third-party framework

Reassessing the framework by which third parties are evaluated and objectively evaluating the totality of risks posed by a potential business partner to the organization is a critical step in reprioritizing your third-party risk management strategy. This should be approached holistically, focusing on the information being collected and its adequacy in objectively evaluating risks. Organizations should adopt a risk-based approach, as recommended by the DOJ, and not simply have a one size fits all approach. This approach should include due diligence, assessing the potential partner’s reputation and business practices, verifying their legitimacy and background, and understanding their country of origin and its laws. Additionally, organizations should consider the potential partner’s relationship with government officials and whether it could violate any anti-bribery or corruption laws. If any of these issues are identified, organizations should look into it further to ensure that their partner is compliant. By doing this, organizations can ensure that they are not engaging in any activities that could be deemed illegal or unethical. 

  1. Implement a risk-based approach

Implementing a risk-based approach to third party risk management is essential to any organization’s compliance program. This involves assessing the external parties on which an organization relies operationally, and identifying any risks associated with those external parties. This assessment should include evaluating their qualifications and experience to ensure they are able to meet the organization’s expectations. Additionally, organizations should consider conducting background checks on potential external parties, and assessing any potential conflicts of interest that may arise. Once potential external parties have been identified, organizations should consider conducting due diligence to ensure that the external party has not been involved in any fraud, bribery, or other criminal activities. Organizations should also consider developing contracts and compliance policies for external parties and monitoring their activities to ensure compliance. Finally, organizations should consider developing a training program for their external parties to ensure they understand the organization’s expectations and policies. By implementing a risk-based approach to third party risk management, organizations can reduce the risk of an FCPA violation and ensure their organization remains compliant.

Third-party risk management one of the most critical components of any organization’s compliance program. Organizations should take the initiative to reprioritize third-party risk management and assess the effectiveness of their current practices. Through the exploration of three enforcement actions and the introduction of the joint compliance note, this article has highlighted the importance of properly assessing third-party risk and how to best prepare for the ever-changing dynamics of third-party risk management. By implementing a risk-based approach to third party risk management, organizations can protect themselves from potential violations of the FCPA and ensure their organization remains compliant. With the right tools, processes, and dedication you can achieve the same results and protect your organization from costly fines and penalties.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Alexander Cotoia on the podcast series, sponsored by Diligent here.

Check out the Volkov Law Group here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Reporting

Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management. I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey on how to tackle these challenges and leverage third-party risk management to identify opportunities and equip boards to take risks, innovate and drive things forward. Here are the steps you need to follow to also get clarity, insight, innovation.:

  1. Understand the role of the board in oversight and provide clarity on third-party risk management.
  2. Board review Codes of Conduct.
  3. Continuous improvement view of risk management.
  4. Utilize real-time data to react to changing times.
  5. Ensure commitment to shared values and ethical cultures.

 1.Understand the role of the Board in oversight

Understanding the role of the Board in oversight and providing clarity on third-party risk management is an essential step in any risk management strategy. Obviously, the Caremark Doctrine is the leading authority which Boards must follow. But more than simply oversight to  meet a legal requirement, businesses should see the business opportunity by creating a business process which connects employees, compliance professionals, executives, and boards together in a seamless process. This connection enables a culture of continuous improvement that starts at board level and cascades down through the structures of the business. This allows two-way communication between boards and compliance professionals, so that boards can clearly communicate their risk management strategy and expectations. 

  1. Board review of Codes of Conduct

A key role for any Board is to review and refresh if needed your organization’s Code of Conduct on a regular basis. When it comes to third-party risk management this is needed to  ensure that the third parties are following the company’s established guidelines. A Board should understand the importance of third-party risk management and how to fulfill their role of oversight. There should be an enterprise-wide single source of data for every Board to ensure effective governance, risk and compliance. Boards should also be provided with dashboards to allow for continuous monitoring of third-party relationships and to provide real-time information and data to enable businesses to react to changing times. Ultimately, companies need to show that their Board is making a good faith effort to address risks by having due diligence processes in place and effective plans to monitor those processes.

  1. Continuous improvement view of risk management

A key role for any Board is to implement a continual improvement view of risk management. This shifts an organization’s focus from a one-time due diligence approach to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement. This allows a Board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team. 

  1. Utilize real-time data to react to changing times

There is probably no more important task for a Board in 2023 than responding to changing times. Obviously Covid-19 is still in front of mind, but the change political, geographic, economic and even climate changes are moving much more quickly now. For a Board to provide effective oversight, it must have access to real-time data to react to changing times. This is both from a regulatory perspective and a business/reputational perspective. All internal stakeholders should be connected with enterprise-wide single source of all nonfinancial data required for effective governance, risk, and compliance. The platform also provides real-time information and data so Boards can quickly react to changing times. Furthermore, the platform adds relevancy and context to the risk data which helps Boards make informed decisions based on the potential upside and downside of taking on certain risks.

  1. Ensure commitment to ethical values and ethical cultures

It really all does start at the top and Boards must ensure commitment to ethical values and ethical cultures. Boards should mandate that companies adopt a continual improvement view and embrace not just one and done due diligence, but ongoing monitoring and continuous improvement. Boards should mandate that organization enforce their commitment to ethical values, ethical cultures, and honest business practices. When it comes to third parties, Boards must understand the risk each third-party poses and to consider the business in question and the sort of inherent nature of the dealings with that third-party. Having a robust platform also provides real-time information and data throughout the relationship with the third-party, dashboards to monitor third-party information, and a single source of truth for all nonfinancial data. This allows for a two-way dialogue between GRC professionals and the board to ensure that the board has the clearest, most relevant, and most targeted information to inform better decisions.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Adam Bailey on the podcast series here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Implementation and Maintenance

Are you a compliance professional tasked with managing third-party risk relationships? Are you overwhelmed with the sheer amount of data that comes with that responsibility? How do you engage in implementation and maintenance. To answer these and other questions, I recently visited with Kairi Isse, Diligent’s Managed Services Group Manager, to discuss why the step of management after the contract is signed is the most important part of the third-party risk management cycle. She discusses the importance of ongoing monitoring and why it is critical for modern companies to understand the risks posed by their third parties. We consider the uses of an AI-driven ongoing monitoring search tool, allowing a customizable, auditable way to ensure compliance and reduce risk. Join us as we explore this most critical step on the life cycle of the third-party risk management—managing the relationship after the contract is signed. Here are the steps you need to follow to manage relationships with third-parties after the contract is signed:

  1. The importance of ongoing monitoring for third party risk management to minimize risks of data breach, bribery, and fines.
  2. Design and implement an effective ongoing monitoring program that works in practice.
  3. Utilize AI-driven ongoing monitoring search tools to focus on the right data for your organization.
  4. Create an audit trail to demonstrate the company’s continuous improvement based upon ongoing monitoring.
  1. The importance of ongoing monitoring

Ongoing monitoring for third-party risk management is key to minimizing risks of data breaches, bribery, and fines. Through proper monitoring and management of third parties, companies can ensure that their vendors are not putting them in a vulnerable position. In this interconnected world, third party risk is a significant compliance threat and can cause damage to a company’s reputation, leading to potentially hefty fines and perhaps more importantly reputational damage. Utilizing an AI-driven ongoing monitoring search tool can help reduce the haystack of data and find the needle, as well as a human element to review and analyze the watch list screen results. The key is to ensure their ongoing monitoring is effective and efficient throughout the entire life cycle of their third-party relationships.

 2. Design and implementation of ongoing monitoring

Designing and implementation of ongoing monitoring that works in practice is a critical step in managing a third-party relationship after the contract is signed. Utilizing AI-driven ongoing monitoring search tools is essential for a successful third-party risk management relationship. It is important to customize the search to focus on the right data for your organization, as this will make it easier to find the needle in the haystack. An AI-driven search tool should include all the big databases and sanctions watch lists, as well as adverse media, to ensure that the third party poses no regulatory risk; all after the contract is signed. There should also be transaction monitoring which reviews the sales or other transactions by the third-party. Finally, never forget the human element, to ensure that the data is correct and validated before final decisions are made.

  1. Analyze and validate thru AI-driven search tool

To analyze and validate watch list screen results and consider only true matches for further review, utilize an AI-driven ongoing monitoring search tool that includes all the major databases, sanctions watch lists, and adverse media. You should customize usage to your company’s risk profile, industry, and regulations your organization is required to comply with. Next review the search to determine if they are true matches or false positives. This helps to reduce the amount of noise and unnecessary data, as well as provides an auditable trail for every action. These actions will help create an auditable document trail which can be presented to auditors or regulators.

  1. Continuous improvement through ongoing monitoring

The next step is continuous improvement based upon your organization’s ongoing monitoring. Here an audit trail to demonstrate the company’s maintenance of ongoing monitoring, is critical. The Fox Maxim of Document Document Document, is still alive and well in the era of AI. Moreover,

This allows your organization to customize their search to focus on the right data for their organization and industry, eliminating the noise from irrelevant data sets. Once again the human factor comes into play through the review and analysis any potential matches from the AI searches to validate true matches. All of these steps should be auditable, recording every action taken in the system, allowing a company to demonstrate their continuous improvement based upon ongoing monitoring.

Managing your third-party relationship after the contract is signed is still the most a critical step any successful third-party risk management protocol. A well-designed and implemented compliance program should include regular screening of global databases and adverse media, even after the contract is signed. Transaction monitoring should also be used to test individual sales for any issues. An AI-driven ongoing monitoring search tool that can help reduce the haystack of data and find the needle, as well as a human element to review and analyze the watch list screen results. With these steps, your organization can be confident that your third-party risk management program is effective and efficient throughout the entire life cycle of your third-party relationships.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Kairi Isse on the podcast series here.

Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 1: Michael Parker on Risk Mitigation

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, from the Volkov Law Group. In this Part 1, I visit with Michael Parker on the need for risk mitigation to bring a third party into a relationship with your organization.

Parker has worked in the compliance arena for six years, learning from his experience in government and tech. For a compliance program to be successful, executive leadership must also have a Board of Directors buy-in for oversight. A third-party risk management platform aims to protect the business’s assets and create a single source of truth. Through such a mechanism, third parties can be screened for anti-bribery, anti-corruption, human trafficking, and much more. The Board needs visibility to make decisions and an audit log to show activity and diligence if ever needed. It is critical for all compliance functions to stay up to date with regulations and keep their third-party platform consistently updated.

Key Highlights

  • How can a risk-based approach, coupled with a single source of truth and a robust platform, help protect business assets and comply with changing regulations?
  • What is the German Supply Chain Act, and how can companies ensure compliance related to human trafficking and human slavery?
  • How can companies use visual analytics to gain insights into their risk-based approach and show evidence of due diligence in the face of an audit?

Notable Quotes

  1. “Companies don’t do bad things; people do. And as people do, the regulatory landscape changes and can change quickly. So keeping up with those changes is critical to protecting your assets and mitigating risk.”
  2. “We need to increase our defensibility and audibility if somebody comes knocking; we can show and illustrate that we have done our due diligence to mitigate any risk of doing business with this third party.”
  3. “Companies don’t do bad things; people do.”
  4. “Put a platform in place that is robust lends itself to a number of different benefits.”

 Resources

Michael Parker on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Risk Mitigation

With the ever-changing landscape of regulations and laws, it is becoming increasingly difficult for companies to keep up and remain compliant. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the risk mitigation and I visit with Michael Parker, Director of Advisory and Consulting Services for Diligent, to discuss how to approach the Board of Directors around the crucial issue of third-party risk management and risk mitigation. Parker has been in the compliance industry for six years and has experience working with the Department of Homeland Security, Apple Computer, and over 300 clients in the compliance and legal space.

Parker dives into how Diligent’s platform helps companies assess risk and comply with compliance laws such as the FCPA, UK Modern Slavery Act, Uyghur Forced Labor Prevention Act and more. Join us in this five-part series to learn how Diligent’s platform can help reduce risk and ensure compliance.

Here are the steps you need to follow to also get risk mitigation:

  1. Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.
  2. Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.
  3. Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.

Screening is an essential first step in anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc. The process begins by collecting and inputting data into a single source of truth platform such as Diligent’s Third Party Risk Management System. This platform allows for a risk-based approach to screening, in which the compliance professional can assess the risk of doing business with a third party. This assessment includes screening for anti-bribery and anti-corruption, politically exposed persons, state owned entities, watch lists, and embargoes, as well as more recent regulations such as the German Supply Chain Act and the UK Modern Slavery Act. It also provides the ability to document and audit activities, allowing for better visibility and accountability from an internal and external perspective. Finally, the platform is constantly updated to ensure that it is compliant with any new laws or regulations that are implemented.

Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.

The second step in the third-party risk management process is to take a risk-based approach in evaluating the dossier of information. This dossier typically includes the results of the screening process, any due diligence questionnaires, and any additional investigations that have been conducted. All these items should be compiled into a single source of truth and reviewed to ensure that the organization has done its due diligence in assessing the third party.

The risk-based approach should be tailored to the specific organization and its risk profile, as well as the specific third-party that they are doing business with. This evaluation should also take into consideration any changes in laws, regulations, and sanctions that may have been recently implemented. The diligence program should also be able to screen for a variety of different risks, such as anti-bribery, anti-corruption, human trafficking, politically exposed persons, state-owned entities, watchlists, and embargoes.

Once the evaluation is complete, the organization should have a clear understanding of the risks associated with doing business with the third party and can make an informed decision as to whether to approve or deny the business relationship. This risk-based approach should be documented for auditability in case of any potential future inquiries or investigations.

Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Documentation is an essential part of risk mitigation and due diligence. It is important to maintain an audit trail of activities, notes, attachments, and actions taken related to third party risk management. This allows companies to easily access information and prove that they have taken the necessary steps to mitigate risk. A platform such as Diligent’s Third Party Risk Manager can be used to keep track of all the necessary documentation. All activities, notes, and attachments can be stored in a single source of truth, which provides visibility and auditability for the board. Additionally, the platform is regularly updated to ensure that it is up to date with the latest regulations and laws. This allows companies to remain compliant and mitigate risk. All these elements come together to form a dossier of information, which can be used to approve or deny business with third parties. Documentation is a key part of any risk management program and is essential for due diligence.

Over this five-part blog post series will explore reprioritizing you third-party risk management program. It is essential to properly evaluate third-party risk and to document all activities, notes, and attachments to remain compliant and mitigate risk. With the right platform and approach, companies can keep up with the ever-changing regulations and laws and protect their businesses from potential issues. With dedication and hard work, business owners can stay ahead of the curve in risk management and compliance.

For more information, check out Diligent here.

Listen to Michael Parker on the podcast series here.

Categories
Compliance Into the Weeds

Beneath the Bailout: The Collapse of Silicon Valley Bank

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, Matt and I explore the collapse of Silicon Valley Bank (SBV) and its outcomes. We discuss the consequences if the Federal government fails to bail out Signature Bank in New York and Silicon Valley Bank. The Dodd-Frank Act is examined, and noting that the SBV Chief Risk Officer left 8 months ago and was never replaced is a huge red flag. Will this event cause the Federal Reserve will pause interest rate hikes? Why did Libertarians from the tech industry scream for bailouts? Tom and Matt expertly unpack the complex details within the industry and provide insight and analysis into this relevant and timely industry topic.

 Key Highlights

The Impact of Silicon Bank and SBV’s Failures on the Banking Industry [02:01]

Implications of Unsold Silicon Valley Bank Assets on Taxpayers [05:04]

Challenge of Businesses Dealing with Employee Benefits under Federal Government Regulations [09:04]

Effects of Changes to the Dodd-Frank Act on Midsized Banks [12:54]

The Impact of Regulatory Ease on Business Failures [16:47]

The Reasons Behind Silicon Valley Bank’s Chief Risk Officer Quitting [20:53]

The Impact of Social Media on Interest Rate Decisions by the Federal Reserve [24:52]

 Notable Quotes:

1.     “So those loans brought in maybe 2 or 3 percent interest, but SVP had to pay out interest rates that might be more at 4 percent. That difference undermined the capital structure and the balance sheet of SVB until people started getting skittish, and then they said, Maybe I should pull my money out, which made the bank even more weak, so people got even more skittish.”

2.     “The big issue, which is why the business customer angle is important, is that under FDIC rules, a bank’s deposits are insured up to 250,000 dollars per account.”

3.     “Is it a business if you can never fail? This was not too big to fail. This was we are not going to let anybody fail.”

4.    ” You may not know where your key suppliers, customers, or key third parties are banking. Maybe you have that information. But does that mean you’re going to have to assess the financial health of those financial institutions of your customers? And know if they can pay you for your vendors or third-party suppliers. They can meet their payroll to deliver their services.”

 Resources

Matt  on LinkedIn

Tom on LinkedIn

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 1

What happens when two top compliance commentators get together? They talk compliance, of course. Join Kristy Grant-Hart and Tom Fox for their new podcast, 2 Gurus Talk Compliance! But it is not simply Kristy and Tom talking about compliance. In this podcast series, Kristy and Tom also review other top commentators in compliance. In this podcast, we will consider all things compliance, corporate ethics, ESG, governance, and whatever else is on our minds and the minds of other experts in the field. Kristy and Tom explore all of these topics with expertise and wit.

In this inaugural episode, they discuss the latest compliance trends and news, including two Supreme Court cases that have implications for the compliance profession. They also cover the Department of Justice and whistleblower trends, taking a look at Miranda and Upjohn’s warnings and increasing numbers of whistleblower reports to the SEC. They also dive into an article from the Harvard Law School Forum on corporate governance and discuss the Illinois Biometric law. Join the conversation and discover the latest on compliance and regulations with 2 Gurus Talk Compliance.

Highlights Include

The Role of In-House Attorneys in Communication Between Outside Counsel and Businesses [00:05:17]

Supreme Court Decision on the Future of the CFPB [00:09:11]

Impact of the Colorado Draft Regulation on Artificial Intelligence Compliance Programs [00:13:23]

The Benefits of Automated Data Deletion [00:17:23]

A Miranda component to corporate Upjohn Warnings [00:21:25]

The Obligation of Society to Address Climate Change [00:25:33]

The Benefits of Self-Disclosure in the DOJ Justice System [00:29:18]

The Role of the Board in Overseeing Third Parties in High-Risk Countries [00:33:14]

The Impact of Whistleblowers on the SEC [00:40:54]

White Castle’s Violation of Illinois Biometric Law [00:45:05]

Notable Quotes

  1. The DOJ is urging a federal judge to sanction Google’s parent, Alphabet, for its practice of setting employee chats to auto delete despite promising to preserve records.”
  2. “It goes beyond the specifics of this law, something you and I have talked about for several years now, that the compliance function and the CCO is well perhaps the most well-suited corporate discipline to deal with these new initiatives because it’s the basic framework of compliance that you and I have worked with for 15 years.”
  3. “Most compliance programs just don’t have good frameworks for things like AI or for big data even though we’ve been using that word for a long time.”

Resources

  1. Boards and 3rd Party Risk Oversight
  2. CO Draft AI Rules for Insurance
  3. Miranda Warnings in Corp Investigation
  4. Current whistleblowing landscape
  5. Has the stature of the CCO changed? 
  6. Analysis of the DOJ’s update to the self-disclosure program
  7. Supreme Court considering defunding the CFTC
  8. Trends in state privacy law   
  9. Litigation holds and records retention/Google/DOJ  
  10. Individuals charged – first enforcement action 2023 

Connect with Kristy Grant-Hart on LinkedIn

Spark Consulting

Connect with Tom Fox on Linkedin

Categories
Innovation in Compliance

Leveraging Technology in Third-Party Risk Management with Jag Lamba and Jared Ezzell

Jag Lamba and Jared Ezzell from Certa, join Tom Fox on the Innovation In Compliance podcast to explore the essential elements of a thriving third-party risk management program. They emphasize the significance of minimizing reliance on third-party self-disclosures by utilizing technology and data. They also highlight the importance of integrating due diligence, training, and ongoing monitoring to create a comprehensive approach to risk management. The conversation extends to payment controls, charitable donations, and the integration of the program into the overall third-party risk management lifecycle. 

Jag is the founder and CEO of Certa. Jared Ezzell is the Chief Customer Officer. Certa is a third-party lifecycle management platform for procurement, compliance, and ESG. Their no-code platform provides an easy and efficient way to digitize and manage the lifecycle of all suppliers, partners, and customers. Certa’s automated onboarding, contract lifecycle management, and ESG management eliminate the procurement bottleneck, allowing companies to onboard third parties three times faster. With their cutting-edge technology, Certa is transforming the way businesses manage their third-party relationships, ensuring compliance and sustainability at every step.

 

Here are some key points Tom, Jag, and Jared talk about:

  • Jared talks about his professional background and his role at the company Certa, their products, and their customers. 
  • The hallmark of an effective anti-bribery and anti-corruption compliance program is the concept of risk assessment.
  • Jared discusses the nine elements developed by Certa for an effective compliance program.
  • The three dimensions of a complete solution for compliance risk management are full spectrum risk management, the full life cycle of the third party, and the full spectrum of third parties.
  • A successful technology transformation project should be a modular rollout, with a focus on solving the highest pain point within three months and continuously phasing the rollout to avoid becoming overwhelmed.
  • Jag and Jared clarify that while the company doesn’t play the role of creating the documentation, they provide input and help evidence the client’s defensible positioning in support of the client’s policies.
  • Jag tells Tom that the ongoing monitoring of third-party relationships requires companies to have data sources and processes in place, have a controls framework to act on information, and automate controls to handle egregious alerts.

 

KEY QUOTE:

“The ability to systematically enforce payment controls is a key common practice in successful third-party risk management.” – Jared Ezzell

 

Resources:

Jag Lamba on LinkedIn | Twitter 

Jared Ezzell on LinkedIn 

Certa

Categories
FCPA Compliance Report

Alastair Parr on New Developments in TPRM

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance. In this special episode, I am joined by Alastair Parr, SVP of Global Products & Delivery at Prevalent to discuss developments in third-party risk management.

In this episode we consider:

  • Why is a comprehensive 3rd risk management solution not simply a nice to have but a must to have now?
  • Why is 3rd party risk management so much critical after the pandemic and the Russian invasion of Ukraine?
  • Improving the UX for TPRM.
  • Why has simplifying the UX for TPRM eluded most providers so far?
  • How can the UX be improved so the information which is the most vital and most relevant is captured and more importantly can be actioned?
  • How can the process of obtaining TPRM information to implementing controls to manage the risk be improved?
  • How can companies automate data gathering by using a single targeted assessment by building in targeted compliance mappings for legal or regulatory requirements?
  • Other areas of compliance such as modern slavery and human trafficking?
  • Do you see continued evolution of 3rd party risk management into 2025 and beyond?

Resources

Alastair Parr on LinkedIn

Prevalent

Being a Compliance Officer is Awesome on Amazon.com

Categories
Greetings and Felicitations

Great Structures Week V: The Tacoma Narrows Bridge Failure and Preventing Failure in Your Compliance Program

Welcome to the Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but influence our profession. In this special series, I consider many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this concluding episode 5, I consider the Tacoma Narrows Bridge failure and preventing failure in your compliance program. Highlights include:

  • Why and how did the Tacoma Narrows Bridge fail?
  • What are the key lessons it provides to compliance professionals?
  • Why are 3rd parties still the greatest risk to any compliance program?
  • What steps can you take to manage third parties most effectively?
  • Why is continuous monitoring key to managing risk?

Resources

 “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler from The Teaching Company.