Categories
Compliance Tip of the Day

Compliance Tip of the Day – Business Rationale in the 3rd Party Risk Management Process

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with bite-sized, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we are reviewing the third-party risk management process. Today, we take up the Business Rationale.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – The Third-Party Risk Management Process

Welcome to “Compliance Tip of the Day,” the podcast that brings you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, our goal is to provide you with concise, actionable tips to help you stay ahead in your compliance efforts. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

This week, we will review the third-party risk management process. Today, we outline the process and explain how to implement it.

For more information on this topic, refer to The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, 6th edition, recently released by LexisNexis. It is available here.

Categories
Compliance Tip of the Day

Compliance Tip of the Day – Leveraging AI for Real-Time Third-Party Risk Management

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, Tom Fox considers the advantages of using AI for third-party risk management.

For more on embedded compliance, check out my new book, Upping Your Game: How Compliance and Risk Management Move to 2030 and Beyond, available from Amazon.com.

Categories
Blog

Lessons on Managing 3rd Parties from Star Trek: The Omega Glory

Last month, I wrote a blog post on tone at the top, as exemplified in the Star Trek: The Original Series episode Devil in the Dark. Judging by the response, there are some passionate Star Trek fans out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance Program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resource Guide, 2nd edition. Today, I continue this two-week series by looking at lessons on managing third parties from the episode The Omega Glory.

Trust, verification, and alignment with core values are paramount in third-party management. These principles are crucial in today’s complex business environment, where organizations rely on external partners to achieve their objectives. Interestingly, these concepts are vividly illustrated in an unlikely source: the classic Star Trek episode The Omega Glory. This episode provides a fascinating backdrop for exploring the intricacies of third-party management. Today, we dive into the narrative and draw valuable lessons for managing third-party relationships.

In The Omega Glory, Captain James Kirk and his crew encounter a planet named Omega IV, where two factions, the Yangs and the Kohms, are locked in a perpetual conflict. The Yangs parallel the American patriots of the Revolutionary War, while the Kohms resemble the communists. The Enterprise crew discovers that a Starfleet officer, Captain Ron Tracey, has violated the Prime Directive, the Federation’s core principle of non-interference, by intervening in the planet’s internal affairs to gain immortality from the planet’s unique properties. Tracey’s actions cause chaos and disrupt the natural progression of Omega IV’s societies. In the end, Captain Kirk is forced to confront Tracey and restore balance, emphasizing the need for adherence to principles and respect for the natural order.

Lesson 1: The Importance of Adhering to Your Core Values

One of the primary lessons from The Omega Glory is the significance of adhering to core values and principles. In the episode, Captain Tracey abandons the Prime Directive to pursue personal gain, resulting in disastrous consequences. This mirrors real-world scenarios where third-party relationships can be compromised when organizations or individuals prioritize short-term gains over long-term values and ethical standards.

Organizations must ensure their partners share and adhere to the same core values when engaging with third parties. Establishing clear guidelines and ethical standards is essential for maintaining alignment and preventing deviations that could harm the organization’s reputation and objectives. Regular audits and assessments help verify that third parties operate by these values.

Lesson 2: The Necessity of Due Diligence and Verification

Captain Tracey’s actions underscore the importance of due diligence and verification. He assumed that the planet’s properties could provide eternal life without fully understanding the implications of his interference. This assumption led to unintended consequences and endangered his crew and the planet’s inhabitants.

Due diligence is a critical component of third-party management. Organizations must thoroughly assess potential partners to evaluate their capabilities, integrity, and compatibility with organizational goals. Verification processes, such as background checks, financial audits, and compliance assessments, ensure that third parties meet the required standards. Regular monitoring and ongoing evaluations help maintain transparency and accountability in the relationship.

Lesson 3: The Dangers of Unchecked Authority

Compliance professionals rarely see unchecked power exercised by a third party, yet this episode still offers an important insight. Captain Tracey exercises unchecked authority, disregarding Starfleet regulations and the ethical implications of his actions. His uncontrolled power leads to chaos and conflict, highlighting the dangers of allowing individuals or entities to operate without oversight.

Unchecked authority in third-party management can lead to breaches of trust, legal violations, and reputational damage. Organizations must establish clear governance structures and oversight mechanisms to ensure third parties operate within defined boundaries. Implementing robust contractual agreements, performance metrics, and reporting frameworks can help maintain control and mitigate risks associated with third-party relationships.

Lesson 4: The Role of Communication and Collaboration

Throughout the episode, communication breakdowns contribute to misunderstandings and conflicts. Captain Kirk ultimately resolves the situation by facilitating dialogue and collaboration between the Yangs and the Kohms, emphasizing the importance of open communication in resolving disputes and achieving mutual understanding.

Effective communication is a cornerstone of successful third-party management. Organizations should establish open lines of communication with their partners, fostering a collaborative environment that encourages feedback, transparency, and problem-solving. Regular meetings, status updates, and joint planning sessions help align objectives and address potential issues before they escalate. This will also help manage the commercial relationship after the contract is signed.

Lesson 5: The Need for Flexibility and Adaptability

The episode highlights the need for flexibility and adaptability in complex situations. Captain Kirk’s ability to adapt to changing circumstances and devise innovative solutions is crucial in resolving the conflict and restoring balance. Third-party relationships often involve dynamic and evolving challenges. Organizations must remain flexible and adaptable to changing circumstances, such as shifts in market conditions, regulatory requirements, or technological advancements. Developing contingency plans, embracing innovation, and fostering a culture of continuous improvement can help organizations navigate uncertainties and maintain successful third-party relationships.

Third-party relationships also mandate ongoing monitoring from a data analytics perspective. Compliance may need to conduct additional investigation if there are significant changes in the volume of goods sold by a third party or in the amount of commissions paid to a particular third-party agent, region, or business unit. In addition, third parties must understand, and receive a steady diet of communication and training on, the need to do business ethically and in compliance with your company’s values.

The Omega Glory serves as a compelling training vehicle for the complexities and challenges of third-party management. The episode’s themes of adherence to core values, due diligence, oversight, communication, and adaptability provide valuable insights for organizations seeking to optimize their third-party relationships. By learning from Captain Kirk’s experiences on Omega IV, businesses can enhance their third-party management practices, mitigate risks, and achieve sustainable success in an interconnected world.

In conclusion, organizations must prioritize trust, verification, business justification, and alignment with core values in their third-party management strategies. By adhering to these principles and drawing lessons from unconventional sources like Star Trek, businesses can navigate the complexities of modern partnerships and achieve their strategic objectives with integrity and success.

Join us tomorrow as we consider the lessons on ongoing monitoring and continuous improvement from Spectre of the Gun.

Categories
Great Women in Compliance

Great Women in Compliance – Sabrina Segal on Reimagining Risk Management

Welcome to the Great Women in Compliance Podcast. How can we reimagine risk management? In this episode, Hemma Lomax visits Sabrina Segal, a seasoned third-sector integrity risk and compliance advisor with a legal background. Sabrina is currently in Rwanda as part of an international development and humanitarian assistance team. She hosts Tolerable Risk, a podcast about integrity and compliance in the third sector.

Sabrina shares her perspective on compliance and risk management in the third sector, which is inherently high-risk, largely due to its operation in areas where the private sector may not see value and where government regulation has failed. Sabrina believes that traditional approaches to risk management, which are quantitative-heavy and designed for industries like finance and oil and gas, are unsuitable for the third sector, requiring a more accessible qualitative approach for diverse stakeholders. Drawing from an array of global experiences, Sabrina emphasizes the need for bespoke approaches tailored to the specific needs and constraints of small and medium-sized charities and nonprofits. Sabrina has developed an objective-centered risk management approach for the third sector based on work from her mentor, Timothy Leech. Objective-centered risk management focuses on facilitating the achievement of organizational objectives, collaborating to identify threats and opportunities, and directly influencing decision-making. Sabrina’s compliance and risk management work is designed to improve organizations’ overall programming and impact in the third sector. Still, it has many applications in the private sector and corporate compliance.

Key Highlights:

  • Tolerable Risk Podcast on Tailored Risk Management for Nonprofits

  • Navigating High-Risk Environments: Third Sector Compliance

  • Objective-Driven Risk Analysis and Decision-Making

  • Comprehensive Risk Management Strategy with Active Monitoring

  • The Importance of Involving Stakeholders in Risk Management

  • Quantitative tools and trust in data for risk management

  • Advocacy and Inclusion in Restorative Justice

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Categories
FCPA Compliance Report

FCPA Compliance Report – Brad Hibbert on Prevalent’s 2023 3rd Party Risk Management Report

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, Tom visits Brad Hibbert, COO/CSO at Prevalent, as they discuss the surprising findings of Prevalent’s annual third-party risk management study. Discover why so many organizations still rely on spreadsheets and manual processes for managing third-party risks. Brad recommends an integrated approach to third-party risk management that considers the entire lifecycle of the relationship with third parties.

The podcast highlights the top five key findings of the report, including data breaches as the top concern, security driving the program, and the increased involvement of IT in the process. Learn how to minimize cyber exposure and risks associated with third-party management by breaking down silos, automating processes, and focusing on reducing risks associated with third parties. Listen to Brad’s practical advice on how to prioritize risks and plan your risk management program and visit prevalent.net for more compliance mandates and best practices. With exciting insights and actionable advice, this podcast is a must-listen for anyone interested in managing third-party risks.

Key Highlights:

  • Prevalent’s annual third-party risk management study

  • Integrated Third-Party Risk Management

  • Top Challenges for Organizations in Data Security

  • Third-Party Risk Management Survey and Findings

  • Minimizing Cyber Breaches

  • Effective Response to Breaches and Third-Party Programs

  • Managing Business Risks for Compliance

Notable Quotes:

“The top concern driving third-party risk management programs is security, with 71 percent indicating it as their main priority.”

“Data breaches continue to be a top concern, with 41 percent of the respondents indicating that they were impacted by a third-party data breach in the last 12 months and had to perform some remedial activity.”

“About 70 percent reported increased involvement from the IT group, while 71 percent indicated that infosec owns the program.”

“Identifying and mitigating risks before the company is impacted.”

“Customs put together this enforcement dashboard that contains all of these statistics on how they’ve been enforcing the UFLPA.”

Resources

Brad Hibbert on LinkedIn

Prevalent

3rd Party Risk Management Report

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Improving Third-Party Risk Management with Paul Valente

In today’s interconnected world, businesses rely on third-party vendors for various products and services. While these partnerships bring great benefits, they also expose companies to a range of risks such as cyber threats, compliance issues, and reputational damage. In this episode, Tom Fox interviews Paul Valente, the co-founder and CEO of VISO Trust. Paul shares valuable insights into how businesses can mitigate risks posed by third-party vendors, the importance of continuous monitoring, and how VISO Trust’s platform helps companies manage risks effectively.

Paul Valente is the CEO and co-founder of VISO Trust, a company that provides automated third-party cyber risk management solutions. Prior to founding VISO Trust, Paul was the Chief Information Security Officer (CISO) at several companies, including Restoration Hardware, Lending Club, and ASAPP. He is a longtime technologist and security professional with experience in highly regulated industries.

You’ll hear Tom and Paul talk about:

  • Companies have more sensitive data on other companies’ infrastructure than they do internally, which increases risk and augments the need for a robust risk management strategy.
  • Boards have a duty of oversight to proactively monitor their third-party risk management programs. They should also keep abreast of emerging threats.
  • Automation is a key component in a third-party risk management solution for cybersecurity. The standard approach of using questionnaires to assess third-party security is slow, labor-intensive, and ineffective.
  • VISO Trust’s patented first-to-market Document Intelligence removes friction for vendors and provides a comprehensive risk assessment that tells customers everything they need to know to make qualified risk decisions about their third-party relationships.
  • Compliance requires auditability.
  • How VISO Trust helps companies manage risk after the contract is signed.
  • Risk management and cybersecurity data is often siloed within an organization. VISO Trust helps centralize the information by providing a dashboard where customers can have a complete understanding of their overall third-party risk, and by allowing them to make that data available across the organization.

KEY QUOTES:

“There’s companies today that have nothing internally – that are 100% cloud native. What that means typically is that there’s many copies of their data essentially with various other companies, perhaps all over the world… That just increases what we call attack surface … which just means more risk.” – Paul Valente

“I think [boards] need to be asking essentially what the risks are for their organization from a cybersecurity standpoint. They need to ask for those to be regularly reported on, regularly updated, and regularly tracked. …They also need to be aware themselves, both externally as well as relying on the executives within the company to keep them aware of emerging threats.” – Paul Valente

“…our dashboards essentially allow you to list all of your third-party relationships in one single place and easily report on the status of assessments as well as report on inherent risk.” – Paul Valente

Resources:

Paul Valente on LinkedIn | Twitter

VISO Trust

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – 3rd Party Risk Management Process

As every compliance practitioner knows, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
 Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is performing the work, and that its compensation is commensurate with the work provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This makes clear that the DOJ expects an integrated approach, operationalized throughout the company. In other words, you must have a process covering the full third-party risk management lifecycle. Five steps in that lifecycle will fulfill the DOJ requirements in the 2020 FCPA Resource Guide and the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

  1. Business Justification by the Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party, including triage of results;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the entire 5-step process for third-party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.

Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 5: Alexander Cotoia on Use Cases

Welcome to a special 5-part podcast series sponsored by Diligent, in which we consider a risk-based approach to third-party risk management. Over this series, I visit with Michael Parker, Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, Associate at the Volkov Law Group. In this Part 5, I visit with Alexander Cotoia, a Regulatory and Compliance Manager at the Volkov Law Group, to consider how recent FCPA enforcement actions point toward the use cases for a robust third-party risk management system.

In 2022, the overwhelming majority of FCPA-related enforcement actions involved third parties and required organizations to reprioritize third-party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines, and Oracle, which all demonstrated the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third-party risk management.

Key Highlights

  • How can organizations reprioritize third-party risk management as a core compliance function?

  • What strategies can organizations use to avoid FCPA violations and maximize cooperation credit?

  • How can organizations effectively assess the risks posed by potential business partners?

Notable Quotes

1. “Don’t put yourself in a position of being uncooperative with either the SEC or DOJ. Reassess your framework for third-party risk management holistically and hone in on the nature and quality of the information that’s being collected to objectively evaluate the totality of risks posed by a potential business partner to the organization.”

2. “You really can’t afford to be complacent, especially as we have a new emerging consideration suspecting sanctions and export controls that have become core enforcement priorities of the federal government.”

3. “The critical question asked from a functional perspective is, is it adequate to objectively evaluate the totality of risks posed by a potential business partner to the organization?”

4. “You have to understand that third-party risk, especially as it pertains to anti-bribery and corruption concerns, is a universal constant.”

Resources

Alexander Cotoia on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program – Reporting

Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management. I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey, on how to tackle these challenges and leverage third-party risk management to identify opportunities and equip boards to take risks, innovate and drive things forward. Here are the steps you need to follow to get that same clarity, insight and innovation:

  1. Understand the role of the board in oversight and provide clarity on third-party risk management.
  2. Board review of Codes of Conduct.
  3. Continuous improvement view of risk management.
  4. Utilize real-time data to react to changing times.
  5. Ensure commitment to shared values and ethical cultures.

1. Understand the role of the Board in oversight

Understanding the role of the Board in oversight and providing clarity on third-party risk management is an essential step in any risk management strategy. Obviously, the Caremark Doctrine is the leading authority which Boards must follow. But beyond oversight that merely meets a legal requirement, businesses should see the business opportunity in creating a process which connects employees, compliance professionals, executives, and boards together seamlessly. This connection enables a culture of continuous improvement that starts at board level and cascades down through the structures of the business. It also allows two-way communication between boards and compliance professionals, so that boards can clearly communicate their risk management strategy and expectations.

2. Board review of Codes of Conduct

A key role for any Board is to review, and refresh if needed, your organization’s Code of Conduct on a regular basis. When it comes to third-party risk management, this is needed to ensure that third parties are following the company’s established guidelines. A Board should understand the importance of third-party risk management and how to fulfill its role of oversight. There should be an enterprise-wide single source of data for every Board to ensure effective governance, risk and compliance. Boards should also be provided with dashboards to allow for continuous monitoring of third-party relationships and to provide real-time information and data so the business can react to changing times. Ultimately, companies need to show that their Board is making a good faith effort to address risks by having due diligence processes in place and effective plans to monitor those processes.

3. Continuous improvement view of risk management

A key role for any Board is to implement a continual improvement view of risk management. This shifts an organization’s focus from a one-time due diligence approach to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement. This allows a Board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team.

4. Utilize real-time data to react to changing times

There is probably no more important task for a Board in 2023 than responding to changing times. Obviously Covid-19 is still front of mind, but political, geographic, economic and even climate changes are moving much more quickly now. For a Board to provide effective oversight, it must have access to real-time data to react to changing times, from both a regulatory perspective and a business/reputational perspective. All internal stakeholders should be connected to an enterprise-wide single source of all nonfinancial data required for effective governance, risk, and compliance. Such a platform also provides real-time information and data so Boards can quickly react to changing times. Furthermore, it adds relevancy and context to the risk data, which helps Boards make informed decisions based on the potential upside and downside of taking on certain risks.

5. Ensure commitment to ethical values and ethical cultures

It really all does start at the top, and Boards must ensure commitment to ethical values and ethical cultures. Boards should mandate that companies adopt a continual improvement view and embrace not just one-and-done due diligence, but ongoing monitoring and continuous improvement. Boards should mandate that organizations enforce their commitment to ethical values, ethical cultures, and honest business practices. When it comes to third parties, Boards must understand the risk each third party poses and consider the business in question and the inherent nature of the dealings with that third party. Having a robust platform also provides real-time information and data throughout the relationship with the third party, dashboards to monitor third-party information, and a single source of truth for all nonfinancial data. This allows for a two-way dialogue between GRC professionals and the board to ensure that the board has the clearest, most relevant, and most targeted information to inform better decisions.

For more information on Diligent’s Third-Party Risk Management solution, click here.

Listen to Adam Bailey on the podcast series here.