Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Implementation and Maintenance

Are you a compliance professional tasked with managing third-party risk relationships? Are you overwhelmed with the sheer amount of data that comes with that responsibility? How do you engage in implementation and maintenance? To answer these and other questions, I recently visited with Kairi Isse, Diligent’s Managed Services Group Manager, to discuss why the step of management after the contract is signed is the most important part of the third-party risk management cycle. She discusses the importance of ongoing monitoring and why it is critical for modern companies to understand the risks posed by their third parties. We consider the uses of an AI-driven ongoing monitoring search tool, allowing a customizable, auditable way to ensure compliance and reduce risk. Join us as we explore this most critical step in the life cycle of third-party risk management—managing the relationship after the contract is signed. Here are the steps you need to follow to manage relationships with third parties after the contract is signed:

  1. The importance of ongoing monitoring for third-party risk management to minimize risks of data breach, bribery, and fines.
  2. Design and implement an effective ongoing monitoring program that works in practice.
  3. Utilize AI-driven ongoing monitoring search tools to focus on the right data for your organization.
  4. Create an audit trail to demonstrate the company’s continuous improvement based upon ongoing monitoring.

 1. The importance of ongoing monitoring

Ongoing monitoring for third-party risk management is key to minimizing risks of data breaches, bribery, and fines. Through proper monitoring and management of third parties, companies can ensure that their vendors are not putting them in a vulnerable position. In this interconnected world, third-party risk is a significant compliance threat and can lead to potentially hefty fines and, perhaps more importantly, damage to a company’s reputation. Utilizing an AI-driven ongoing monitoring search tool can help reduce the haystack of data and find the needle, complemented by a human element to review and analyze the watch list screening results. The key is to ensure your ongoing monitoring is effective and efficient throughout the entire life cycle of your third-party relationships.

 2. Design and implementation of ongoing monitoring

Designing and implementing ongoing monitoring that works in practice is a critical step in managing a third-party relationship after the contract is signed. Utilizing AI-driven ongoing monitoring search tools is essential for a successful third-party risk management relationship. It is important to customize the search to focus on the right data for your organization, as this will make it easier to find the needle in the haystack. An AI-driven search tool should include all the major databases and sanctions watch lists, as well as adverse media, to ensure that the third party poses no regulatory risk, all after the contract is signed. There should also be transaction monitoring which reviews the sales or other transactions by the third party. Finally, never forget the human element, to ensure that the data is correct and validated before final decisions are made.

 3. Analyze and validate through an AI-driven search tool

To analyze and validate watch list screening results and consider only true matches for further review, utilize an AI-driven ongoing monitoring search tool that includes all the major databases, sanctions watch lists, and adverse media. You should customize usage to your company’s risk profile, industry, and the regulations your organization is required to comply with. Next, review the search results to determine whether they are true matches or false positives. This helps to reduce the amount of noise and unnecessary data, as well as providing an auditable trail for every action. These actions will help create an auditable document trail which can be presented to auditors or regulators.

 4. Continuous improvement through ongoing monitoring

The next step is continuous improvement based upon your organization’s ongoing monitoring. Here an audit trail to demonstrate the company’s maintenance of ongoing monitoring is critical. The Fox Maxim of Document, Document, Document is still alive and well in the era of AI. Moreover,

This allows your organization to customize its search to focus on the right data for its organization and industry, eliminating the noise from irrelevant data sets. Once again the human factor comes into play through the review and analysis of any potential matches from the AI searches to validate true matches. All of these steps should be auditable, recording every action taken in the system, allowing a company to demonstrate its continuous improvement based upon ongoing monitoring.

Managing your third-party relationship after the contract is signed is still the most critical step in any successful third-party risk management protocol. A well-designed and implemented compliance program should include regular screening of global databases and adverse media, even after the contract is signed. Transaction monitoring should also be used to test individual sales for any issues. An AI-driven ongoing monitoring search tool can help reduce the haystack of data and find the needle, complemented by a human element to review and analyze the watch list screening results. With these steps, your organization can be confident that your third-party risk management program is effective and efficient throughout the entire life cycle of your third-party relationships.

For more information on Diligent’s Third Party Risk Management solution, click here.

Listen to Kairi Isse on the podcast series here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Risk Mitigation

With the ever-changing landscape of regulations and laws, it is becoming increasingly difficult for companies to keep up and remain compliant. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today we consider risk mitigation, and I visit with Michael Parker, Director of Advisory and Consulting Services for Diligent, to discuss how to approach the Board of Directors around the crucial issue of third-party risk management and risk mitigation. Parker has been in the compliance industry for six years and has experience working with the Department of Homeland Security, Apple Computer, and over 300 clients in the compliance and legal space.

Parker dives into how Diligent’s platform helps companies assess risk and comply with compliance laws such as the FCPA, UK Modern Slavery Act, Uyghur Forced Labor Prevention Act and more. Join us in this five-part series to learn how Diligent’s platform can help reduce risk and ensure compliance.

Here are the steps you need to follow to achieve risk mitigation:

  1. Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.
  2. Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.
  3. Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.

Screening is an essential first step: screening for anti-bribery and anti-corruption risk, politically exposed persons, state-owned entities, watch lists, embargoes, etc. The process begins by collecting and inputting data into a single-source-of-truth platform such as Diligent’s Third Party Risk Management System. This platform allows for a risk-based approach to screening, in which the compliance professional can assess the risk of doing business with a third party. This assessment includes screening for anti-bribery and anti-corruption, politically exposed persons, state-owned entities, watch lists, and embargoes, as well as more recent regulations such as the German Supply Chain Act and the UK Modern Slavery Act. It also provides the ability to document and audit activities, allowing for better visibility and accountability from an internal and external perspective. Finally, the platform is constantly updated to ensure that it is compliant with any new laws or regulations that are implemented.

Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.

The second step in the third-party risk management process is to take a risk-based approach in evaluating the dossier of information. This dossier typically includes the results of the screening process, any due diligence questionnaires, and any additional investigations that have been conducted. All these items should be compiled into a single source of truth and reviewed to ensure that the organization has done its due diligence in assessing the third party.

The risk-based approach should be tailored to the specific organization and its risk profile, as well as the specific third-party that they are doing business with. This evaluation should also take into consideration any changes in laws, regulations, and sanctions that may have been recently implemented. The diligence program should also be able to screen for a variety of different risks, such as anti-bribery, anti-corruption, human trafficking, politically exposed persons, state-owned entities, watchlists, and embargoes.

Once the evaluation is complete, the organization should have a clear understanding of the risks associated with doing business with the third party and can make an informed decision as to whether to approve or deny the business relationship. This risk-based approach should be documented for auditability in case of any potential future inquiries or investigations.

Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Documentation is an essential part of risk mitigation and due diligence. It is important to maintain an audit trail of activities, notes, attachments, and actions taken related to third party risk management. This allows companies to easily access information and prove that they have taken the necessary steps to mitigate risk. A platform such as Diligent’s Third Party Risk Manager can be used to keep track of all the necessary documentation. All activities, notes, and attachments can be stored in a single source of truth, which provides visibility and auditability for the board. Additionally, the platform is regularly updated to ensure that it is up to date with the latest regulations and laws. This allows companies to remain compliant and mitigate risk. All these elements come together to form a dossier of information, which can be used to approve or deny business with third parties. Documentation is a key part of any risk management program and is essential for due diligence.

Over this five-part blog post series, we will explore reprioritizing your third-party risk management program. It is essential to properly evaluate third-party risk and to document all activities, notes, and attachments to remain compliant and mitigate risk. With the right platform and approach, companies can keep up with the ever-changing regulations and laws and protect their businesses from potential issues. With dedication and hard work, business owners can stay ahead of the curve in risk management and compliance.

For more information, check out Diligent here.

Listen to Michael Parker on the podcast series here.

Categories
The ESG Report

Increasing the Speed of ESG Risk Management with Todd Boehler


Todd Boehler has over 25 years’ experience in the governance, risk and compliance software space. He is currently Senior Vice President of Strategy at ProcessUnity, where he oversees third-party risk management. ProcessUnity is a company that is making good governance, risk, and compliance (GRC) practices and tools available to organizations via cloud-based, third-party risk and cybersecurity program management tools. Tom Fox welcomes Todd to this week’s episode of the ESG Report to discuss the relationship between third-party risk management and ESG.


The Biggest Risk 

“In my opinion, third-party risk management has been the biggest risk in anti-corruption compliance,” Tom says. It’s something everyone in the company – up to the board level – has to be more consistent with. Todd agrees; it’s becoming more complex as time goes on, he adds. More businesses are outsourcing in order to compete. This brings accelerated risk. “You have to know where the risk lies inside of those [third-party] companies, otherwise you’re going to be accountable for that to your customers and your regulators and your examiners,” Todd points out. Your company needs to understand and mitigate risk prior to doing business with prospective third-party vendors. 


Evolving Risk

Todd runs ProcessUnity’s Partners and Alliances program and its product teams. His role involves growing the company ecosystem and investing in technology to help their clients manage risk and solve their problems more efficiently. “ESG has been an evolving risk area,” Todd tells Tom. “We help companies monitor and manage their third-party [risk] specifically, across all different areas of risk [including ESG risk].” ESG is a social mandate nowadays, he continues; more companies and regulators are acknowledging its importance. “We integrate and connect ESG data providers into our customer’s risk programs so that they can cover and understand ESG risk against their third parties,” he points out.


Monitoring Third-Party Risk

Tom asks Todd whether potential clients fully understand the need to monitor ESG risk and how ProcessUnity allows them to manage that risk. It depends on the maturity of the company, Todd responds. “Smaller companies that are highly regulated may be more mature than larger companies that are not so highly regulated,” he points out. It also depends on the stage they are at in their roadmap, as well as how much they prioritize ESG risk against other types of risk. ProcessUnity helps them figure this out and how to grow their ESG program over time based on their specific industry. Building a culture of ESG is vital, as are sustainable procurement practices. Sustainable procurement refers to how businesses can identify and reduce the environmental impact of their supply chains. This requires monitoring third parties and ensuring that procurement practices are aligned to the ESG framework. He and Tom discuss the evolving work landscape, accelerated by the pandemic, and the accompanying increase in cybersecurity risk. The Russian invasion of Ukraine also spurred an uptick in sanctions screening. All this impacts how organizations manage third-party risk, Tom and Todd agree. “It’s an evolving world,” Todd comments, “things are changing fast, and you have to manage to the speed of change.”


Financial Resiliency 

Tom comments on the importance of financial resiliency of your third-party partners. If a company is not doing well financially, they may be unable to supply your products. They are more vulnerable to cyber attack because they may not be able to invest in cybersecurity, and they may be more easily persuaded to engage in bribery and corruption. Financial resiliency is a must, Todd says. Your company needs it, and your suppliers must also have it. “If your critical suppliers are having problems financially, you need to have a backup plan to be able to switch them out in dire straits,” he tells listeners. You also need to have a system to monitor those companies. Financial tracking is a good strategy here, he points out. He describes how ProcessUnity helps clients build a financial profile of their suppliers.


The Rise of ESG

ProcessUnity recently released a white paper, The Rise of ESG in Third-Party Risk Management. Tom asks, “What do you see as some of the key factors contributing to the relevancy of ESG on a worldwide basis?” He and Todd talk about the global push towards ESG and the corporate world’s response. A cultural shift coupled with new regulation is bringing ESG to the fore. Proper documentation of your ESG program will help you make better business decisions as well, both men agree. Your business will become more efficient and robust as well.


Looking Ahead

Tom asks Todd where he sees third-party risk management in ESG in 2025 and beyond. Risk professionals are thinking about and prioritizing ESG risk more, they agree. Todd adds that ESG risk attention will increase because there will be more data and more regulations. Additionally, there will be more people taking over executive positions who wish to implement ESG cultures and regulations in businesses that require ESG risk management. 


Resources 

Todd Boehler | LinkedIn | ProcessUnity 

The Rise of ESG in Third-Party Risk Management


Categories
Innovation in Compliance

Contracts as a Third-Party Risk Management Tool with Brad Hibbert

Tom Fox welcomes Brad Hibbert on this episode of the Innovation in Compliance Podcast. Brad is the Chief Strategy Officer of Prevalent, Inc. He joins Tom to talk about how Prevalent helps companies manage third-party risk, the importance of risk management, and what the future for risk management in the compliance world may look like. 
Managing Third-Party Risk
Tom asks Brad to explain how Prevalent helps companies manage third-party risks. “We have a SaaS platform that helps organizations identify those risks, report against those risks, and then provide remediation capabilities to reduce those risks at every stage of the vendor lifecycle,” Brad tells Tom. Risk management is no longer about just doing reactive reporting on an annual basis. Risk has to be proactively monitored, identified, and reduced on a day-to-day basis, and especially when companies are having day-to-day conversations with their third parties during contract execution. Prevalent’s risk management platform lets different team members interact with the third parties to collaborate and reduce the risks at every stage of the vendor life cycle.
A Must Have
Third-party risk management is a must-have right now, and will continue to be in the future. “What organizations are realizing is they have to move beyond the compliance check box and actually reduce the risk associated with these third parties,” Brad remarks. Compliance is one of the drivers of this, but another main factor is the pandemic. COVID has changed the way companies and businesses operate, and has also exposed their weaknesses. With the shift to the hybrid work environment, and the increase of work from home, companies have had to rapidly onboard third parties, and the risks that come with them, due to the use of online platforms. The risk of cyber-attacks and information being leaked is high, so being able to manage and protect companies from that is paramount.
The Contract Essentials SaaS Solution
Tom asks Brad to explain the Contract Essentials SaaS solution. The SaaS solution allows the company to onboard new contracts or add existing ones. Prevalent’s platform has very strong workflow and collaboration capabilities that focus on vendor risk, which is also good for profiling current contracts to see where the risk lies. Companies can use the SaaS solution to upload their contracts, or any related documentation surrounding them, to a secured file, and it allows them to collaborate with third parties outside of the corporate network.
The Future of Third-Party Risk Management
Brad predicts a convergence of third-party risk management and the broader third party. “We’re going to continue to focus on building solutions that are easy to use that enable data sharing between the different groups that promote efficiency, collaboration, and then risk reduction,” he says. Organizations can no longer simply rely on assessments; instead, continuous insights must play major roles at all levels of the vendor life cycle. Monitoring the financial risk, the business risk, and the cyber risk proactively to create appropriate measures is something that will continue as well.
Resources
Brad Hibbert | LinkedIn | Twitter
Prevalent, Inc.

Categories
Compliance Into the Weeds

Log4j-the Merger of Cyber, 3rd Party and Operational Risk


Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. This week, Matt and Tom take up the Log4j imbroglio. Some of the issues we consider:

· Why is this matter of such importance to compliance and audit?

· Is your IT security outsourced? If so, how do you perform 3rd party due diligence on these companies?

· What is the intersection of 3rd party, cyber and operational risk?

· How can you implement a 3rd party risk management program in cyber?

· Have you audited a 3rd party in the cyber realm?

Resources
Matt in Radical Compliance

Categories
The Compliance Handbook

3rd Party Risk Management Program with Vanessa Rossi


In 2021, amid the pandemic, the risks haven’t changed, and enforcement actions are still mostly related to third parties. In this new episode, compliance consultant Vanessa Rossi explains the importance of third-party risk management for companies and how they should look at program enhancement.
Key points discussed in this episode:
✔️ Socializing across the entire employee base is essential to education and training. What is the law? Why are we doing this? Is it a risk for us? And why do we have to train on this more than once? It takes teaching, messaging, and repeating to ensure that everybody on the team is on board.
✔️ Know that an effective program is the one that you’re constantly upgrading. Even in a mature company with a mature third-party risk program already in place, practitioners must continually engage in risk assessing, monitoring, and incorporating concepts going forward because there is always room for improvement.
✔️ There are a lot of tech solutions out there that you should always be considering. If your program is not evolving, it is not changing, even though the company faces numerous risks every day.
✔️ Collaboration and compliance cross so many different departments. In addition to working with the business sponsor of the third party and with the legal team, there’s Internal Audit and more departments to collaborate with. Socializing and collaboration are soft skills that you need.
✔️ Don’t take your eye off the Third Party Management Bill. You’ve got to continue with your due diligence procedures. The beginning of the pandemic put a wet blanket on everything, but you need to continue with your third-party management elements. It is difficult, but you shouldn’t stop doing it because, if anything, engaging with third parties got riskier in specific sectors and for certain types of third parties.
About Thomas Fox:
Thomas Fox, the Compliance Evangelist®, is one of the leading writers, thinkers, and commentators on anti-bribery and anti-corruption compliance. In this latest edition of The Compliance Handbook, he continues to arm seasoned compliance professionals and those new to the realm with the practical, actionable guidance and tools needed to design, create, implement and continually enhance a best practices compliance program.
The “Nuts and Bolts” for Creating a Comprehensive Compliance Plan 
This chapter of this unique work lays out a succinct yet thorough one-month approach to operationalizing a company’s compliance regimen. Beginning with a section on what 2020 brought to the compliance landscape, each chapter methodically outlines best practices for everything from establishing policies, procedures, and internal controls, to assessing risk, training, handling investigations, and more. Each day ends with three key takeaways you can implement at little or no cost.
Understanding Compliance Responsibility Across the Organization
The Compliance Handbook also takes a close look at all professionals’ roles with compliance responsibility, from Compliance Officers and Boards of Directors to Human Resources, to Internal Audit and Internal Controls and Communications and Training professionals.
In-Depth Treatment of Hot Topics and Trends
The Handbook provides an in-depth look at the latest thinking and trends for the full range of critical compliance topics, including:
• Compliance and business ventures
• Third-party risk management
• The Board’s Role in Compliance
• Continuous improvement
• Compliance innovation
• And much more
Order your copy OR copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Save 25% off.
http://www.lexisnexis.com/fox25