Category: Blog

Lessons on Managing 3rd Parties from Star Trek: The Omega Glory

Last month, I wrote a blog post on the tone at the top, as exemplified in the Star Trek: The Original Series episode Devil in the Dark. Based on the response, there are some passionate Star Trek fans out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance Program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resources Guide, 2nd edition. Today, I continue my two-week series by looking at the lessons learned on managing third parties from The Omega Glory episode.

Trust, verification, and alignment with core values are paramount in third-party management. These principles are crucial in today’s complex business environment, where organizations rely on external partners to achieve their objectives. Interestingly, these concepts are vividly illustrated in an unlikely source: the classic Star Trek episode The Omega Glory. This episode provides a fascinating backdrop for exploring the intricacies of third-party management. Today, we dive into the narrative and draw valuable lessons for managing third-party relationships.

In The Omega Glory, Captain James Kirk and his crew encounter a planet named Omega IV, where two factions, the Yangs and the Kohms, are locked in a perpetual conflict. The Yangs parallel the American patriots of the Revolutionary War, while the Kohms resemble the communists. The Enterprise crew discovers that a Starfleet officer, Captain Ron Tracey, has violated the Prime Directive, the Federation’s core principle of non-interference, by intervening in the planet’s internal affairs to gain immortality from the planet’s unique properties. Tracey’s actions cause chaos and disrupt the natural progression of Omega IV’s societies. In the end, Captain Kirk is forced to confront Tracey and restore balance, emphasizing the need for adherence to principles and respect for the natural order.

Lesson 1: The Importance of Adhering to Your Core Values

One of the primary lessons from The Omega Glory is the significance of adhering to core values and principles. In the episode, Captain Tracey abandons the Prime Directive to pursue personal gain, resulting in disastrous consequences. This mirrors real-world scenarios where third-party relationships can be compromised when organizations or individuals prioritize short-term gains over long-term values and ethical standards.

Organizations must ensure their partners share and adhere to the same core values when engaging with third parties. Establishing clear guidelines and ethical standards is essential for maintaining alignment and preventing deviations that could harm the organization’s reputation and objectives. Regular audits and assessments help verify that third parties operate by these values.

Lesson 2: The Necessity of Due Diligence and Verification

Captain Tracey’s actions underscore the importance of due diligence and verification. He assumed that the planet’s properties could provide eternal life without fully understanding the implications of his interference. This assumption led to unintended consequences and endangered his crew and the planet’s inhabitants.

Due diligence is a critical component of third-party management. Organizations must thoroughly assess potential partners to evaluate their capabilities, integrity, and compatibility with organizational goals. Verification processes, such as background checks, financial audits, and compliance assessments, ensure that third parties meet the required standards. Regular monitoring and ongoing evaluations help maintain transparency and accountability in the relationship.

Lesson 3: The Dangers of Unchecked Authority

Most compliance professionals rarely see unchecked power exercised by a third party, yet this episode still offers them an important insight. Captain Tracey exercises unchecked authority, disregarding Starfleet regulations and the ethical implications of his actions. His uncontrolled power leads to chaos and conflict, highlighting the dangers of allowing individuals or entities to operate without oversight.

Unchecked authority in third-party management can lead to breaches of trust, legal violations, and reputational damage. Organizations must establish clear governance structures and oversight mechanisms to ensure third parties operate within defined boundaries. Implementing robust contractual agreements, performance metrics, and reporting frameworks can help maintain control and mitigate risks associated with third-party relationships.

Lesson 4: The Role of Communication and Collaboration

Throughout the episode, communication breakdowns contribute to misunderstandings and conflicts. Captain Kirk ultimately resolves the situation by facilitating dialogue and collaboration between the Yangs and the Kohms, emphasizing the importance of open communication in resolving disputes and achieving mutual understanding.

Effective communication is a cornerstone of successful third-party management. Organizations should establish open lines of communication with their partners, fostering a collaborative environment that encourages feedback, transparency, and problem-solving. Regular meetings, status updates, and joint planning sessions help align objectives and address potential issues before they escalate. This will also help manage the commercial relationship after the contract is signed.

Lesson 5: The Need for Flexibility and Adaptability

The episode highlights the need for flexibility and adaptability in complex situations. Captain Kirk’s ability to adapt to changing circumstances and devise innovative solutions is crucial in resolving the conflict and restoring balance. Third-party relationships often involve dynamic and evolving challenges. Organizations must remain flexible and adaptable to changing circumstances, such as shifts in market conditions, regulatory requirements, or technological advancements. Developing contingency plans, embracing innovation, and fostering a culture of continuous improvement can help organizations navigate uncertainties and maintain successful third-party relationships.

Third-party relationships also mandate ongoing monitoring from a data analytics perspective. Compliance may need to conduct additional investigation if there are significant changes in the volume of goods sold by a third party or in the amount of commissions paid to a particular third-party agent, region, or business unit. Third parties must also understand, and receive a steady diet of communication and training on, the need to do business ethically and in compliance with your company’s values.

The Omega Glory serves as a compelling training vehicle for the complexities and challenges of third-party management. The episode’s themes of adherence to core values, due diligence, oversight, communication, and adaptability provide valuable insights for organizations seeking to optimize their third-party relationships. By learning from Captain Kirk’s experiences on Omega IV, businesses can enhance their third-party management practices, mitigate risks, and achieve sustainable success in an interconnected world.

In conclusion, organizations must prioritize trust, verification, business justification, and alignment with core values in their third-party management strategies. By adhering to these principles and drawing lessons from unconventional sources like Star Trek, businesses can navigate the complexities of modern partnerships and achieve their strategic objectives with integrity and success.

Join us tomorrow as we consider the lessons on ongoing monitoring and continuous improvement from Spectre of the Gun Ultimate.

Category: Great Women in Compliance

Great Women in Compliance – Sabrina Segal on Reimagining Risk Management

Welcome to the Great Women in Compliance Podcast. How can we reimagine risk management? In this episode, Hemma Lomax visits Sabrina Segal, a seasoned third-sector integrity risk and compliance advisor with a legal background. Sabrina is currently in Rwanda as part of an international development and humanitarian assistance team. She hosts Tolerable Risk, a podcast about integrity and compliance in the third sector.

Sabrina shares her perspective on compliance and risk management in the third sector, which is inherently high-risk, largely due to its operation in areas where the private sector may not see value and where government regulation has failed. Sabrina believes that traditional approaches to risk management, which are quantitative-heavy and designed for industries like finance and oil and gas, are unsuitable for the third sector, requiring a more accessible qualitative approach for diverse stakeholders. Drawing from an array of global experiences, Sabrina emphasizes the need for bespoke approaches tailored to the specific needs and constraints of small and medium-sized charities and nonprofits. Sabrina has developed an objective-centered risk management approach for the third sector based on work from her mentor, Timothy Leech. Objective-centered risk management focuses on facilitating the achievement of organizational objectives, collaborating to identify threats and opportunities, and directly influencing decision-making. Sabrina’s compliance and risk management work is designed to improve organizations’ overall programming and impact in the third sector. Still, it has many applications in the private sector and corporate compliance.

Key Highlights:

  • Tolerable Risk Podcast on Tailored Risk Management for Nonprofits

  • Navigating High-Risk Environments: Third Sector Compliance

  • Objective-Driven Risk Analysis and Decision-Making

  • Comprehensive Risk Management Strategy with Active Monitoring

  • The Importance of Involving Stakeholders in Risk Management

  • Quantitative tools and trust in data for risk management

  • Advocacy and Inclusion in Restorative Justice

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Category: FCPA Compliance Report

FCPA Compliance Report – Brad Hibbert on Prevalent’s 2023 3rd Party Risk Management Report

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, Tom visits Brad Hibbert, COO/CSO at Prevalent, as they discuss the surprising findings of Prevalent’s annual third-party risk management study. Discover why so many organizations still rely on spreadsheets and manual processes for managing third-party risks. Brad recommends an integrated approach to third-party risk management that considers the entire lifecycle of the relationship with third parties.

The podcast highlights the top five key findings of the report, including data breaches as the top concern, security driving the program, and the increased involvement of IT in the process. Learn how to minimize cyber exposure and risks associated with third-party management by breaking down silos, automating processes, and focusing on reducing risks associated with third parties. Listen to Brad’s practical advice on how to prioritize risks and plan your risk management program and visit prevalent.net for more compliance mandates and best practices. With exciting insights and actionable advice, this podcast is a must-listen for anyone interested in managing third-party risks.

Key Highlights:

  • Prevalent’s annual third-party risk management study

  • Integrated Third-Party Risk Management

  • Top Challenges for Organizations in Data Security

  • Third-Party Risk Management Survey and Findings

  • Minimizing Cyber Breaches

  • Effective Response to Breaches and Third-Party Programs

  • Managing Business Risks for Compliance

Notable Quotes:

“The top concern driving third-party risk management programs is security, with 71 percent indicating it as their main priority.”

“Data breaches continue to be a top concern, with 41 percent of the respondents indicating that they were impacted by a third-party data breach in the last 12 months and had to perform some remedial activity.”

“About 70 percent reported increased involvement from the IT group, while 71 percent indicated that infosec owns the program.”

“Identifying and mitigating risks before the company is impacted.”

“Customs put together this enforcement dashboard that contains all of these statistics on how they’ve been enforcing the UFLPA.”

Resources

Brad Hibbert on LinkedIn

Prevalent

3rd Party Risk Management Report


Category: Innovation in Compliance

Improving Third-Party Risk Management with Paul Valente

In today’s interconnected world, businesses rely on third-party vendors for various products and services. While these partnerships bring great benefits, they also expose companies to a range of risks such as cyber threats, compliance issues, and reputational damage. In this episode, Tom Fox interviews Paul Valente, the co-founder and CEO of VISO Trust. Paul shares valuable insights into how businesses can mitigate risks posed by third-party vendors, the importance of continuous monitoring, and how VISO Trust’s platform helps companies manage risks effectively.

Paul Valente is the CEO and co-founder of VISO Trust, a company that provides automated third-party cyber risk management solutions. Prior to founding VISO Trust, Paul was the Chief Information Security Officer (CISO) at several companies, including Restoration Hardware, Lending Club, and ASAPP. He is a longtime technologist and security professional with experience in highly regulated industries.

You’ll hear Tom and Paul talk about:

  • Companies have more sensitive data on other companies’ infrastructure than they do internally, which increases risk and augments the need for a robust risk management strategy.
  • Boards have a duty of oversight to proactively monitor their third-party risk management programs. They should also keep abreast of emerging threats.
  • Automation is a key component in a third-party risk management solution for cybersecurity. The standard approach of using questionnaires to assess third-party security is slow, labor-intensive, and ineffective.
  • VISO Trust’s patented first-to-market Document Intelligence removes friction for vendors and provides a comprehensive risk assessment that tells customers everything they need to know to make qualified risk decisions about their third-party relationships.
  • Compliance requires auditability.
  • How VISO Trust helps companies manage risk after the contract is signed.
  • Risk management and cybersecurity data is often siloed within an organization. VISO Trust helps centralize the information by providing a dashboard where customers can have complete understanding of their overall third-party risk, and allowing them to make that data available across the organization.

KEY QUOTES:

“There’s companies today that have nothing internally – that are 100% cloud native. What that means typically is that there’s many copies of their data essentially with various other companies, perhaps all over the world… That just increases what we call attack surface … which just means more risk.” – Paul Valente

“I think [boards] need to be asking essentially what the risks are for their organization from a cybersecurity standpoint. They need to ask for those to be regularly reported on, regularly updated, and regularly tracked. …They also need to be aware themselves, both externally as well as relying on the executives within the company to keep them aware of emerging threats.” – Paul Valente

“…our dashboards essentially allow you to list all of your third-party relationships in one single place and easily report on the status of assessments as well as report on inherent risk.” – Paul Valente

Resources:

Paul Valente on LinkedIn | Twitter

VISO Trust

Category: 31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – 3rd Party Risk Management Process

As every compliance practitioner knows, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is performing the work, and that its compensation is commensurate with the work provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This specifies that the DOJ expects an integrated approach operationalized throughout the company. This means you must have a process for the full third-party risk management life cycle. Five steps in the life cycle of third-party risk management will fulfill the DOJ requirements in the 2020 FCPA Resource Guide and the Hallmarks of an Effective Compliance Program. The five steps in the lifecycle of third-party management are:

  1. Business Justification by the Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party, including triage of results;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the entire 5-step process for third-party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.

Category: Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 5: Alexander Cotoia on Use Cases

Welcome to a special 5-part podcast series sponsored by Diligent, in which we consider a risk-based approach to third-party risk management. Over the series, I visit with Michael Parker, the Director of Advisory and Consulting Services; Stephanie Font, Director of the Optimizations Group; Kairi Isse, Managed Services Group Manager; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, Associate at the Volkov Law Group. In this Part 5, I visit with Alexander Cotoia, a Regulatory and Compliance Manager at the Volkov Law Group, to consider how recent FCPA enforcement actions point toward the use cases for a robust third-party risk management system.

In 2022, the overwhelming majority of FCPA-related enforcement actions involved third parties and required organizations to reprioritize third-party risk management. In this episode, we consider case studies involving ABB Limited, GOL Airlines, and Oracle, which all demonstrated the importance of understanding bribery and corruption schemes, making voluntary disclosures, and reassessing third-party risk management.

Key Highlights

  • How can organizations reprioritize third-party risk management as a core compliance function?

  • What strategies can organizations use to avoid FCPA violations and maximize cooperation credit?

  • How can organizations effectively assess the risks posed by potential business partners?

Notable Quotes

1. “Don’t put yourself in a position of being uncooperative with either the SEC or DOJ. Reassess your framework for third-party risk management holistically and hone in on the nature and quality of the information that’s being collected to objectively evaluate the totality of risks posed by a potential business partner to the organization.”

2. “You really can’t afford to be complacent, especially as we have a new emerging consideration suspecting sanctions and export controls that have become core enforcement priorities of the federal government.”

3. “The critical question asked from a functional perspective is, is it adequate to objectively evaluate the totality of risks posed by a potential business partner to the organization?”

4. “You have to understand that third-party risk, especially as it pertains to anti-bribery and corruption concerns, is a universal constant.”

Resources

Alexander Cotoia on LinkedIn

Check out Diligent’s 3rd party products and services here.

Category: Blog

Reprioritizing Your Third-Party Risk Management Program – Reporting

Today’s business landscape is becoming increasingly complex and globally interconnected, with the average business now working with over 100 third-party vendors. While this presents a wealth of opportunities, it also brings a range of challenges for boards and GRC professionals alike when it comes to third-party risk management. I recently visited with Diligent’s Senior Vice President of Products, Adam Bailey, on how to tackle these challenges and leverage third-party risk management to identify opportunities and equip boards to take risks, innovate, and drive things forward. Here are the steps you need to follow to get clarity, insight, and innovation:

  1. Understand the role of the board in oversight and provide clarity on third-party risk management.
  2. Board review Codes of Conduct.
  3. Continuous improvement view of risk management.
  4. Utilize real-time data to react to changing times.
  5. Ensure commitment to shared values and ethical cultures.

1. Understand the role of the Board in oversight

Understanding the role of the Board in oversight and providing clarity on third-party risk management is an essential step in any risk management strategy. Obviously, the Caremark Doctrine is the leading authority which Boards must follow. But beyond oversight simply to meet a legal requirement, businesses should see the business opportunity in creating a business process which connects employees, compliance professionals, executives, and boards together seamlessly. This connection enables a culture of continuous improvement that starts at board level and cascades down through the structures of the business. It also allows two-way communication between boards and compliance professionals, so that boards can clearly communicate their risk management strategy and expectations.

2. Board review of Codes of Conduct

A key role for any Board is to review and, if needed, refresh your organization’s Code of Conduct on a regular basis. When it comes to third-party risk management, this is needed to ensure that third parties are following the company’s established guidelines. A Board should understand the importance of third-party risk management and how to fulfill its role of oversight. There should be an enterprise-wide single source of data for every Board to ensure effective governance, risk, and compliance. Boards should also be provided with dashboards to allow for continuous monitoring of third-party relationships and to provide real-time information and data that enable businesses to react to changing times. Ultimately, companies need to show that their Board is making a good faith effort to address risks by having due diligence processes in place and effective plans to monitor those processes.

3. Continuous improvement view of risk management

A key role for any Board is to implement a continual improvement view of risk management. This shifts an organization’s focus from a one-time due diligence approach to ongoing, rigorous due diligence designed to identify risk areas and set benchmarks for improvement. This allows a Board to have a clear view of the risks involved and make informed decisions. A two-way dialogue is also important, with data flowing up to the board and actions cascading back down to the compliance team. 

4. Utilize real-time data to react to changing times

There is probably no more important task for a Board in 2023 than responding to changing times. Obviously Covid-19 is still front of mind, but political, geographic, economic, and even climate changes are moving much more quickly now. For a Board to provide effective oversight, it must have access to real-time data to react to changing times, from both a regulatory perspective and a business/reputational perspective. All internal stakeholders should be connected with an enterprise-wide single source of all nonfinancial data required for effective governance, risk, and compliance. The platform also provides real-time information and data so Boards can quickly react to changing times. Furthermore, the platform adds relevancy and context to the risk data, which helps Boards make informed decisions based on the potential upside and downside of taking on certain risks.

5. Ensure commitment to ethical values and ethical cultures

It really all does start at the top, and Boards must ensure commitment to ethical values and ethical cultures. Boards should mandate that companies adopt a continual improvement view and embrace not just one-and-done due diligence, but ongoing monitoring and continuous improvement. Boards should mandate that organizations enforce their commitment to ethical values, ethical cultures, and honest business practices. When it comes to third parties, Boards must understand the risk each third party poses and consider the business in question and the inherent nature of the dealings with that third party. Having a robust platform also provides real-time information and data throughout the relationship with the third party, dashboards to monitor third-party information, and a single source of truth for all nonfinancial data. This allows for a two-way dialogue between GRC professionals and the board to ensure that the board has the clearest, most relevant, and most targeted information to inform better decisions.

For more information, on Diligent’s Third-party Risk Management solution, click here.

Listen to Adam Bailey on the podcast series here.

Category: Blog

Reprioritizing Your Third-Party Risk Management Program – Implementation and Maintenance

Are you a compliance professional tasked with managing third-party risk relationships? Are you overwhelmed with the sheer amount of data that comes with that responsibility? How do you engage in implementation and maintenance? To answer these and other questions, I recently visited with Kairi Isse, Diligent’s Managed Services Group Manager, to discuss why the step of management after the contract is signed is the most important part of the third-party risk management cycle. She discusses the importance of ongoing monitoring and why it is critical for modern companies to understand the risks posed by their third parties. We consider the uses of an AI-driven ongoing monitoring search tool, which allows a customizable, auditable way to ensure compliance and reduce risk. Join us as we explore this most critical step in the life cycle of third-party risk management: managing the relationship after the contract is signed. Here are the steps you need to follow to manage relationships with third parties after the contract is signed:

  1. The importance of ongoing monitoring for third-party risk management to minimize risks of data breach, bribery, and fines.
  2. Design and implement an effective ongoing monitoring program that works in practice.
  3. Utilize AI-driven ongoing monitoring search tools to focus on the right data for your organization.
  4. Create an audit trail to demonstrate the company’s continuous improvement based upon ongoing monitoring.

1. The importance of ongoing monitoring

Ongoing monitoring for third-party risk management is key to minimizing the risks of data breaches, bribery, and fines. Through proper monitoring and management of third parties, companies can ensure that their vendors are not putting them in a vulnerable position. In this interconnected world, third-party risk is a significant compliance threat that can lead to potentially hefty fines and, perhaps more importantly, reputational damage. An AI-driven ongoing monitoring search tool can help reduce the haystack of data and find the needle, with a human element to review and analyze the watch list screening results. The key is to ensure that your ongoing monitoring is effective and efficient throughout the entire life cycle of your third-party relationships.

2. Design and implementation of ongoing monitoring

Designing and implementing ongoing monitoring that works in practice is a critical step in managing a third-party relationship after the contract is signed. Utilizing AI-driven ongoing monitoring search tools is essential for a successful third-party risk management relationship. It is important to customize the search to focus on the right data for your organization, as this will make it easier to find the needle in the haystack. An AI-driven search tool should include all the major databases and sanctions watch lists, as well as adverse media, to confirm that the third party poses no regulatory risk, all after the contract is signed. There should also be transaction monitoring that reviews the sales or other transactions by the third party. Finally, never forget the human element, which ensures that the data is correct and validated before final decisions are made.

3. Analyze and validate through the AI-driven search tool

To analyze and validate watch list screening results and pass only true matches on for further review, utilize an AI-driven ongoing monitoring search tool that includes all the major databases, sanctions watch lists, and adverse media. Customize its usage to your company’s risk profile, industry, and the regulations your organization is required to comply with. Next, review the search results to determine whether they are true matches or false positives. This reduces the amount of noise and unnecessary data and provides an auditable trail for every action, a document trail which can be presented to auditors or regulators.

4. Continuous improvement through ongoing monitoring

The next step is continuous improvement based upon your organization’s ongoing monitoring. Here an audit trail demonstrating the company’s maintenance of ongoing monitoring is critical. The Fox Maxim of Document, Document, Document is still alive and well in the era of AI. Moreover, this allows your organization to customize its search to focus on the right data for its organization and industry, eliminating the noise from irrelevant data sets. Once again the human factor comes into play through the review and analysis of any potential matches from the AI searches to validate true matches. All of these steps should be auditable, recording every action taken in the system, allowing a company to demonstrate its continuous improvement based upon ongoing monitoring.

Managing your third-party relationship after the contract is signed is still the most critical step in any successful third-party risk management protocol. A well-designed and implemented compliance program should include regular screening of global databases and adverse media, even after the contract is signed. Transaction monitoring should also be used to test individual sales for any issues. An AI-driven ongoing monitoring search tool can help reduce the haystack of data and find the needle, with a human element to review and analyze the watch list screening results. With these steps, your organization can be confident that your third-party risk management program is effective and efficient throughout the entire life cycle of your third-party relationships.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Kairi Isse on the podcast series here.


Reprioritizing Your Third-Party Risk Management Program - Risk Mitigation

With the ever-changing landscape of regulations and laws, it is becoming increasingly difficult for companies to keep up and remain compliant. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider risk mitigation, and I visit with Michael Parker, Director of Advisory and Consulting Services for Diligent, to discuss how to approach the Board of Directors on the crucial issue of third-party risk management and risk mitigation. Parker has been in the compliance industry for six years and has experience working with the Department of Homeland Security, Apple Computer, and over 300 clients in the compliance and legal space.

Parker explains how Diligent’s platform helps companies assess risk and comply with laws such as the FCPA, the UK Modern Slavery Act, the Uyghur Forced Labor Prevention Act, and more. Join us in this five-part series to learn how Diligent’s platform can help reduce risk and ensure compliance.

Here are the steps you need to follow to achieve risk mitigation:

  1. Screening – Screening for anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, embargoes, etc.
  2. Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.
  3. Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Screening – Screening for anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, embargoes, etc.

Screening is the essential first step: it covers anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, embargoes, and more. The process begins by collecting and entering data into a single-source-of-truth platform such as Diligent’s Third Party Risk Management System. This platform allows for a risk-based approach to screening, in which the compliance professional can assess the risk of doing business with a third party. This assessment includes screening for anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, and embargoes, as well as more recent regulations such as the German Supply Chain Act and the UK Modern Slavery Act. It also provides the ability to document and audit activities, allowing for better visibility and accountability from an internal and external perspective. Finally, the platform is constantly updated to ensure that it stays current with any new laws or regulations that are implemented.

Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.

The second step in the third-party risk management process is to take a risk-based approach in evaluating the dossier of information. This dossier typically includes the results of the screening process, any due diligence questionnaires, and any additional investigations that have been conducted. All these items should be compiled into a single source of truth and reviewed to ensure that the organization has done its due diligence in assessing the third party.

The risk-based approach should be tailored to the specific organization and its risk profile, as well as to the specific third party with which it is doing business. This evaluation should also take into consideration any changes in laws, regulations, and sanctions that may have been recently implemented. The diligence program should also be able to screen for a variety of different risks, such as anti-bribery, anti-corruption, human trafficking, politically exposed persons, state-owned entities, watch lists, and embargoes.

Once the evaluation is complete, the organization should have a clear understanding of the risks associated with doing business with the third party and can make an informed decision as to whether to approve or deny the business relationship. This risk-based approach should be documented for auditability in case of any potential future inquiries or investigations.

Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Documentation is an essential part of risk mitigation and due diligence. It is important to maintain an audit trail of activities, notes, attachments, and actions taken related to third party risk management. This allows companies to easily access information and prove that they have taken the necessary steps to mitigate risk. A platform such as Diligent’s Third Party Risk Manager can be used to keep track of all the necessary documentation. All activities, notes, and attachments can be stored in a single source of truth, which provides visibility and auditability for the board. Additionally, the platform is regularly updated to ensure that it is up to date with the latest regulations and laws. This allows companies to remain compliant and mitigate risk. All these elements come together to form a dossier of information, which can be used to approve or deny business with third parties. Documentation is a key part of any risk management program and is essential for due diligence.
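The three steps above (screen, evaluate the dossier with a risk-based rule, document every action), together with the earlier post's point that a human must sort watch list hits into true matches and false positives before anything is approved, can be shown end to end in a small script. The following is an added illustration written for this post, not Diligent's platform or any vendor's code. The watch list entries, the third-party names, the 0.85 similarity threshold, the deny/escalate/approve rule, and the hash-chained audit trail design are all constructed assumptions; a production screening tool uses far richer matching and data sources, but the control points are the same.

```python
"""Toy third-party screening workflow: screen, review hits, decide by risk, document.

Added illustration for this post; not Diligent's platform or any vendor's code.
Watch list entries, names, threshold and risk rule are constructed sample data.
"""
import hashlib
import json
import unicodedata
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed sample watch list: (list name, listed name, risk category).
WATCH_LIST = [
    ("SANCTIONS", "Acme Trading Ltd", "embargo"),
    ("PEP", "Juan Carlos Perez", "politically exposed person"),
    ("SOE", "National Petroleum Company", "state-owned entity"),
]
LEGAL_SUFFIXES = {"ltd", "llc", "inc", "co", "corp", "sa", "gmbh", "the"}


def normalize(name: str) -> str:
    """Strip accents and punctuation, lower-case, and drop legal-form suffixes.

    Matching on normalized names lets 'ACME TRADING, LTD.' hit the entry for
    'Acme Trading Ltd'; the same looseness produces false positives, which is
    why a human reviews every hit before a decision is made."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(c if c.isalnum() else " " for c in ascii_text).lower()
    return " ".join(t for t in cleaned.split() if t not in LEGAL_SUFFIXES)


def screen(name: str, threshold: float = 0.85) -> list:
    """Return watch-list entries whose normalized name is similar to `name`."""
    target = normalize(name)
    hits = []
    for list_name, listed, category in WATCH_LIST:
        score = SequenceMatcher(None, target, normalize(listed)).ratio()
        if score >= threshold:
            hits.append({"list": list_name, "listed_name": listed,
                         "category": category, "score": round(score, 3)})
    return hits


@dataclass
class AuditTrail:
    """Append-only, hash-chained log: each entry commits to the previous entry's
    hash, so an edited or deleted record is caught by verify()."""
    entries: list = field(default_factory=list)

    def record(self, actor: str, action: str, detail: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "detail": detail, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def decide(third_party: str, verdicts: dict, trail: AuditTrail, actor: str = "analyst") -> str:
    """Screen, apply the reviewer's verdicts, decide by risk, and record each step.

    `verdicts` maps listed_name -> True (true match) or False (false positive);
    this stands in for the human review step. A hit with no verdict leaves the
    case pending: nothing is approved while a match is still open."""
    hits = screen(third_party)
    trail.record(actor, "screen", {"third_party": third_party, "hits": hits})
    confirmed = []
    for hit in hits:
        verdict = verdicts.get(hit["listed_name"])
        label = {True: "true_match", False: "false_positive"}.get(verdict, "unreviewed")
        trail.record(actor, "review", {"third_party": third_party, "hit": hit, "verdict": label})
        if verdict is None:
            trail.record(actor, "decision", {"third_party": third_party, "outcome": "pending"})
            return "pending"
        if verdict:
            confirmed.append(hit)
    # Constructed risk rule: a confirmed embargo match denies; a confirmed PEP or
    # SOE match escalates for enhanced due diligence; no confirmed match approves.
    if any(h["category"] == "embargo" for h in confirmed):
        outcome = "deny"
    elif confirmed:
        outcome = "escalate"
    else:
        outcome = "approve"
    trail.record(actor, "decision", {"third_party": third_party, "outcome": outcome,
                                     "confirmed": confirmed})
    return outcome


if __name__ == "__main__":
    log = AuditTrail()
    print(decide("ACME TRADING, LTD.", {"Acme Trading Ltd": True}, log))  # deny
    print(decide("Juan Carlos Pérez", {"Juan Carlos Perez": False}, log))  # approve
    print("audit trail intact:", log.verify())
```

The point of the chained hashes is the one the post makes about documentation: the trail is only useful to an auditor or regulator if it can be shown not to have been edited after the fact, so `verify()` fails as soon as any earlier record is altered. The `pending` outcome encodes the earlier post's rule that a hit must be classified as a true match or false positive by a person before the relationship is approved.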

This five-part blog post series explores reprioritizing your third-party risk management program. It is essential to properly evaluate third-party risk and to document all activities, notes, and attachments to remain compliant and mitigate risk. With the right platform and approach, companies can keep up with the ever-changing regulations and laws and protect their businesses from potential issues. With dedication and hard work, business owners can stay ahead of the curve in risk management and compliance.

For more information, check out Diligent here.

Listen to Michael Parker on the podcast series here.


Increasing the Speed of ESG Risk Management with Todd Boehler
Todd Boehler has over 25 years’ experience in the governance, risk and compliance software space. He is currently Senior Vice President of Strategy at ProcessUnity, where he oversees third-party risk management. ProcessUnity is a company that is making good governance, risk, and compliance (GRC) practices and tools available to organizations via cloud-based, third-party risk and cybersecurity program management tools. Tom Fox welcomes Todd to this week’s episode of the ESG Report to discuss the relationship between third-party risk management and ESG.
The Biggest Risk

“In my opinion, third-party risk management has been the biggest risk in anti-corruption compliance,” Tom says. It’s something everyone in the company – up to the board level – has to be more consistent with. Todd agrees; it’s becoming more complex as time goes on, he adds. More businesses are outsourcing in order to compete. This brings accelerated risk. “You have to know where the risk lies inside of those [third-party] companies, otherwise you’re going to be accountable for that to your customers and your regulators and your examiners,” Todd points out. Your company needs to understand and mitigate risk prior to doing business with prospective third-party vendors.
Evolving Risk

Todd runs ProcessUnity’s Partners and Alliances program and its product teams. His role involves growing the company ecosystem and investing in technology to help their clients manage risk and solve their problems more efficiently. “ESG has been an evolving risk area,” Todd tells Tom. “We help companies monitor and manage their third-party [risk] specifically, across all different areas of risk [including ESG risk].” ESG is a social mandate nowadays, he continues; more companies and regulators are acknowledging its importance. “We integrate and connect ESG data providers into our customer’s risk programs so that they can cover and understand ESG risk against their third parties,” he points out.
Monitoring Third-Party Risk

Tom asks Todd whether potential clients fully understand the need to monitor ESG risk and how ProcessUnity allows them to manage that risk. It depends on the maturity of the company, Todd responds. “Smaller companies that are highly regulated may be more mature than larger companies that are not so highly regulated,” he points out. It also depends on the stage they are at in their roadmap, as well as how much they prioritize ESG risk against other types of risk. ProcessUnity helps them figure this out and how to grow their ESG program over time based on their specific industry. Building a culture of ESG is vital, as are sustainable procurement practices. Sustainable procurement refers to how businesses can identify and reduce the environmental impact of their supply chains. This requires monitoring third parties and ensuring that procurement practices are aligned with the ESG framework. He and Tom discuss the evolving work landscape, accelerated by the pandemic, and the accompanying increase in cybersecurity risk. The Russian invasion of Ukraine also spurred an uptick in sanctions screening. All this impacts how organizations manage third-party risk, Tom and Todd agree. “It’s an evolving world,” Todd comments, “things are changing fast, and you have to manage to the speed of change.”
Financial Resiliency

Tom comments on the importance of financial resiliency of your third-party partners. If a company is not doing well financially, they may be unable to supply your products. They are more vulnerable to cyber attack because they may not be able to invest in cybersecurity, and they may be more easily persuaded to engage in bribery and corruption. Financial resiliency is a must, Todd says. Your company needs it, and your suppliers must also have it. “If your critical suppliers are having problems financially, you need to have a backup plan to be able to switch them out in dire straits,” he tells listeners. You also need to have a system to monitor those companies. Financial tracking is a good strategy here, he points out. He describes how ProcessUnity helps clients build a financial profile of their suppliers.
The Rise of ESG

ProcessUnity recently released a white paper, The Rise of ESG in Third-Party Risk Management. Tom asks, “What do you see as some of the key factors contributing to the relevancy of ESG on a worldwide basis?” He and Todd talk about the global push towards ESG and the corporate world’s response. A cultural shift coupled with new regulation is bringing ESG to the fore. Proper documentation of your ESG program will help you make better business decisions as well, both men agree. Your business will become more efficient and robust as well.
Looking Ahead

Tom asks Todd where he sees third-party risk management in ESG in 2025 and beyond. Risk professionals are thinking about and prioritizing ESG risk more, they agree. Todd adds that ESG risk attention will increase because there will be more data and more regulations. Additionally, there will be more people taking over executive positions who wish to implement ESG cultures and regulations in businesses that require ESG risk management.
Resources 

Todd Boehler | LinkedIn | ProcessUnity 

The Rise of ESG in Third-Party Risk Management