31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties: Business Justification

The 2023 Evaluation of Corporate Compliance Programs stated, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials.” This standard articulates one of the most basic tools to operationalize your compliance program and should form the basis of your third-party risk management process. Indeed, it is viewed as an internal control, and the 2023 ECCP goes on to pose the following question: “How does the company ensure there is an appropriate business rationale for the use of third parties?”

What should go into your business justification? At the most basic level, you should craft a document that works for both you as the compliance practitioner and the business folks in your company, and that details some basic concepts, including the following:

1. The name and contact information for both the Relationship Manager and the proposed third party.

2. How the Relationship Manager came to know about the third party, because it is a red flag if a customer or government representative points you towards a specific third party.

3. What services the third party will perform for your company, and the length of time and compensation rate for the third party.

4. An explanation of why this specific third party should be used as opposed to an existing or other third party, if such were considered.

All this information should be documented and then signed by the Relationship Manager.

Remember, the purpose of the business rationale is to document that the business case to retain a third party is satisfactory. The business rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. This means “Document, Document, and Document.”

Three key takeaways:

1. You should always have a business reason for using a third party, and it should be articulated by the business folks, not compliance.

2. A Relationship Manager is the key going forward in operationalizing your compliance program through the life of the third-party relationship with your company.

3. Always remember to “Document, Document, and Document”.

Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 1: Michael Parker on Risk Mitigation

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, from the Volkov Law Group. In this Part 1, I visit with Michael Parker on the need for risk mitigation to bring a third party into a relationship with your organization.

Parker has worked in the compliance arena for six years, learning from his experience in government and tech. For a compliance program to be successful, executive leadership must also have Board of Directors buy-in for oversight. A third-party risk management platform aims to protect the business’s assets and create a single source of truth. Through such a mechanism, third parties can be screened for anti-bribery, anti-corruption, human trafficking, and much more. The Board needs visibility to make decisions and an audit log to show activity and diligence if ever needed. It is critical for all compliance functions to stay up to date with regulations and keep their third-party platform consistently updated.

Key Highlights

  • How can a risk-based approach, coupled with a single source of truth and a robust platform, help protect business assets and comply with changing regulations?
  • What is the German Supply Chain Act, and how can companies ensure compliance related to human trafficking and human slavery?
  • How can companies use visual analytics to gain insights into their risk-based approach and show evidence of due diligence in the face of an audit?

Notable Quotes

  1. “Companies don’t do bad things; people do. And as people do, the regulatory landscape changes and can change quickly. So keeping up with those changes is critical to protecting your assets and mitigating risk.”
  2. “We need to increase our defensibility and audibility if somebody comes knocking; we can show and illustrate that we have done our due diligence to mitigate any risk of doing business with this third party.”
  3. “Companies don’t do bad things; people do.”
  4. “Put a platform in place that is robust lends itself to a number of different benefits.”

Resources

Michael Parker on LinkedIn

Check out Diligent’s 3rd party products and services here.