Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 3: Kairi Isse on Implementation and Maintenance

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, Regulatory Compliance Manager from the Volkov Law Group. In this Part 3, I visited with Kairi Isse on the implementation of your third-party risk management program after the contract is executed.

Learning about the risk posed by third-party vendors to a company’s compliance program can be an eye-opening experience. However, through an AI-based ongoing monitoring search tool with customizable features and auditable trails, for third-party risk management, an organization can ensure that their compliance programs are effective and reduce their risks of fines and reputational damage during the implementation stage after a contract is executed.

Key Highlights

·      How can modern companies effectively manage third-party risk and protect their reputation?

·      What are the best ways to monitor third parties in a stable vendor ecosystem?

·      How can AI and machine learning make third-party management more efficient and effective?

Notable Quotes 

1.     “The key to this effective risk management is truly the follow-up, the ongoing follow-up to ensure that all the controls are in place and, if needed, are changed.”

2.     “The key to effective risk management is the ongoing follow-up to ensure all the controls are in place and, if needed, are changed.”

3.     “It’s not the most data; it’s the right data.”

4.     “Everything is audited in there; there are audits for the third-party profiles, and there are audits for each case.”

 Resources

Kairi Isse on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Implementation and Maintenance

Are you a compliance professional tasked with managing third-party risk relationships? Are you overwhelmed with the sheer amount of data that comes with that responsibility? How do you engage in implementation and maintenance. To answer these and other questions, I recently visited with Kairi Isse, Diligent’s Managed Services Group Manager, to discuss why the step of management after the contract is signed is the most important part of the third-party risk management cycle. She discusses the importance of ongoing monitoring and why it is critical for modern companies to understand the risks posed by their third parties. We consider the uses of an AI-driven ongoing monitoring search tool, allowing a customizable, auditable way to ensure compliance and reduce risk. Join us as we explore this most critical step on the life cycle of the third-party risk management—managing the relationship after the contract is signed. Here are the steps you need to follow to manage relationships with third-parties after the contract is signed:

  1. The importance of ongoing monitoring for third party risk management to minimize risks of data breach, bribery, and fines.
  2. Design and implement an effective ongoing monitoring program that works in practice.
  3. Utilize AI-driven ongoing monitoring search tools to focus on the right data for your organization.
  4. Create an audit trail to demonstrate the company’s continuous improvement based upon ongoing monitoring.
  1. The importance of ongoing monitoring

Ongoing monitoring for third-party risk management is key to minimizing risks of data breaches, bribery, and fines. Through proper monitoring and management of third parties, companies can ensure that their vendors are not putting them in a vulnerable position. In this interconnected world, third party risk is a significant compliance threat and can cause damage to a company’s reputation, leading to potentially hefty fines and perhaps more importantly reputational damage. Utilizing an AI-driven ongoing monitoring search tool can help reduce the haystack of data and find the needle, as well as a human element to review and analyze the watch list screen results. The key is to ensure their ongoing monitoring is effective and efficient throughout the entire life cycle of their third-party relationships.

 2. Design and implementation of ongoing monitoring

Designing and implementation of ongoing monitoring that works in practice is a critical step in managing a third-party relationship after the contract is signed. Utilizing AI-driven ongoing monitoring search tools is essential for a successful third-party risk management relationship. It is important to customize the search to focus on the right data for your organization, as this will make it easier to find the needle in the haystack. An AI-driven search tool should include all the big databases and sanctions watch lists, as well as adverse media, to ensure that the third party poses no regulatory risk; all after the contract is signed. There should also be transaction monitoring which reviews the sales or other transactions by the third-party. Finally, never forget the human element, to ensure that the data is correct and validated before final decisions are made.

  1. Analyze and validate thru AI-driven search tool

To analyze and validate watch list screen results and consider only true matches for further review, utilize an AI-driven ongoing monitoring search tool that includes all the major databases, sanctions watch lists, and adverse media. You should customize usage to your company’s risk profile, industry, and regulations your organization is required to comply with. Next review the search to determine if they are true matches or false positives. This helps to reduce the amount of noise and unnecessary data, as well as provides an auditable trail for every action. These actions will help create an auditable document trail which can be presented to auditors or regulators.

  1. Continuous improvement through ongoing monitoring

The next step is continuous improvement based upon your organization’s ongoing monitoring. Here an audit trail to demonstrate the company’s maintenance of ongoing monitoring, is critical. The Fox Maxim of Document Document Document, is still alive and well in the era of AI. Moreover,

This allows your organization to customize their search to focus on the right data for their organization and industry, eliminating the noise from irrelevant data sets. Once again the human factor comes into play through the review and analysis any potential matches from the AI searches to validate true matches. All of these steps should be auditable, recording every action taken in the system, allowing a company to demonstrate their continuous improvement based upon ongoing monitoring.

Managing your third-party relationship after the contract is signed is still the most a critical step any successful third-party risk management protocol. A well-designed and implemented compliance program should include regular screening of global databases and adverse media, even after the contract is signed. Transaction monitoring should also be used to test individual sales for any issues. An AI-driven ongoing monitoring search tool that can help reduce the haystack of data and find the needle, as well as a human element to review and analyze the watch list screen results. With these steps, your organization can be confident that your third-party risk management program is effective and efficient throughout the entire life cycle of your third-party relationships.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Kairi Isse on the podcast series here.

Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 2: Stephanie Font on Questionnaires and Due Diligence

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, Regulatory Compliance Manager from the Volkov Law Group. In this Part 2, I visit with Stephanie Font on the need for evaluation of potential third-party through questionnaires and determination of the necessary due diligence investigations to comply with regulations while navigating using questionnaires to uncover the truth.

What is the importance of understanding regulations and risk factors when creating questionnaires to help with due diligence? Through understanding the risk model and what specific regulations the company needs to comply with, creating effective questionnaires to help with due diligence can become easier. Stephanie also found out that having a due diligence risk management system can automate some of the processes and help flag any potential risk factors. With the help of questionnaires and due diligence, Stephanie was able to learn how to effectively document and investigate potential third parties.

Key Highlights

  • How questionnaires can be used to comply with regulations and inform a risk model.
  • How due diligence investigations can help to uncover risk factors in a potential third party.
  • How a third-party risk management system can automate parts of the process.

 Notable Quotes

 1.     “Knowing what you’re trying to comply with and thinking of those questions that are going to get you there is probably the top thing.”

2.     “Don’t lose your common sense and listen if your gut tells you something’s wrong.”

3.     “Documentation is key to creating an internal audit trail and having something to show to regulators.”

4.     “Know your own risk model and build the risk model into the system to flag any potential risk factors.”

 Resources

Stephanie Font on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Questionnaire and Due Diligence

Are you considering a third-party questionnaire for your organization? With so much debate around what should be asked, and how detailed you should be, it can be hard to know where to start. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the third-party questionnaire and I am joined by Stephanie Font, the director of the Operations Optimization Group at Diligent as we discuss third party questionnaires and due diligence investigations.

With so much debate around what should be asked in your questionnaire and how detailed your questionnaire should be, it can be hard to know where to start. It is important that every compliance professional understand your risk profile to all crafting of the right due diligence process to ensure compliance. Here are the steps you need to follow to also get compliance and  risk.:

  1. Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.
  2. Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.
  3. Documenting: Keeping records of the due diligence investigations to be used in the future.

Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.

The first step to managing third parties is to create a questionnaire to gather basic information about the third party and what regulations need to be complied with. When creating the questionnaire, it is important to understand the organization’s risk model and what it is trying to achieve. The questionnaire should be tailored to the specific risk factors the organization is trying to address, as well as the regulations that need to be complied with. Questions should include items such as the size of the company, where they do business, and the type of relationship they have. Additionally, the questionnaire should ask questions that will alert to any potential risk factors, such as if they do business in a highly sanctioned country. Once the questionnaire is sent and responses are received, the answers can be used to inform the next step of the due diligence process. Your third-party risk management system should automate some of the process by flagging risk factors and indicating what level of investigation is needed. Lastly, it is important to document the process and create an audit trail that can be used for various reasons, such as compliance and internal review.

Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.

The second step of third-party due diligence is the due diligence investigation. This step involves investigating the third party based on their answers to the questionnaire and other risk factors. The best approach to this investigation is to first understand the company’s risk and what it is trying to accomplish. This allows the company to create a risk model and tailor the questionnaire to fit their needs. The questionnaire should include questions about the size of the company, where it does business, and other risk factors that may arise. After the questionnaire is complete, the next step is to assess the risk factors and determine the appropriate level of investigation needed. This could range from a baseline screening for sanctions list and other global databases to an enhanced due diligence investigation which involves boots on the ground to ask questions about the company’s reputation and verify a manufacturing site. Additionally, it is important to document the process to create an audit trail for internal stakeholders and regulators. This process should be tracked in a third-party risk management system to ensure everything is done correctly.

Documenting: Keeping records of the due diligence investigations to be used in the future.

Documenting is an important step in the due diligence process, as it helps to create an audit trail of the activities and decisions that were taken. When it comes to due diligence, it is important to keep records of all investigations that were conducted, as these records can be used in the future to defend any decisions that were taken. This allows for all the necessary information to be stored in a secure location and can even track any changes or updates to the investigations over time. Additionally, the system can be used to flag any potential risks that come up in the investigations, and it can also automate the process of deciding which type of investigation is necessary based on the risk model. Finally, it is important to keep all documents related to the due diligence process, such as the questionnaire, investigation reports, and any other relevant documents, to create an audit trail and ensure that all compliance regulations are met.

Third party due diligence is a crucial part of any compliance program. A thorough questionnaire and a detailed due diligence investigation can help organizations to mitigate risk and ensure compliance with applicable regulations. Additionally, it is important to document the process, as this creates an audit trail that can be used in the future. With the right tools and processes in place, organizations of any size can successfully manage third party risk and create a robust compliance program. With the right information and guidance, you too can create a successful third-party due diligence process for your organization.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Stephanie Font on the podcast series here.

Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 1: Michael Parker on Risk Mitigation

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, from the Volkov Law Group. In this Part 1, I visit with Michael Parker on the need for risk mitigation to bring a third party into a relationship with your organization.

Parker has worked in the compliance arena for six years, learning from his experience in government and tech. For a compliance program to be successful, executive leadership must also have a Board of Directors buy-in for oversight. A third-party risk management platform aims to protect the business’s assets and create a single source of truth. Through such a mechanism, third parties can be screened for anti-bribery, anti-corruption, human trafficking, and much more. The Board needs visibility to make decisions and an audit log to show activity and diligence if ever needed. It is critical for all compliance functions to stay up to date with regulations and keep their third-party platform consistently updated.

Key Highlights

  • How can a risk-based approach, coupled with a single source of truth and a robust platform, help protect business assets and comply with changing regulations?
  • What is the German Supply Chain Act, and how can companies ensure compliance related to human trafficking and human slavery?
  • How can companies use visual analytics to gain insights into their risk-based approach and show evidence of due diligence in the face of an audit?

Notable Quotes

  1. “Companies don’t do bad things; people do. And as people do, the regulatory landscape changes and can change quickly. So keeping up with those changes is critical to protecting your assets and mitigating risk.”
  2. “We need to increase our defensibility and audibility if somebody comes knocking; we can show and illustrate that we have done our due diligence to mitigate any risk of doing business with this third party.”
  3. “Companies don’t do bad things; people do.”
  4. “Put a platform in place that is robust lends itself to a number of different benefits.”

 Resources

Michael Parker on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Risk Mitigation

With the ever-changing landscape of regulations and laws, it is becoming increasingly difficult for companies to keep up and remain compliant. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the risk mitigation and I visit with Michael Parker, Director of Advisory and Consulting Services for Diligent, to discuss how to approach the Board of Directors around the crucial issue of third-party risk management and risk mitigation. Parker has been in the compliance industry for six years and has experience working with the Department of Homeland Security, Apple Computer, and over 300 clients in the compliance and legal space.

Parker dives into how Diligent’s platform helps companies assess risk and comply with compliance laws such as the FCPA, UK Modern Slavery Act, Uyghur Forced Labor Prevention Act and more. Join us in this five-part series to learn how Diligent’s platform can help reduce risk and ensure compliance.

Here are the steps you need to follow to also get risk mitigation:

  1. Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.
  2. Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.
  3. Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Screening – Screening for anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc.

Screening is an essential first step in anti-bribery and anticorruption, politically exposed persons, state owned entities, watch lists, embargoes, etc. The process begins by collecting and inputting data into a single source of truth platform such as Diligent’s Third Party Risk Management System. This platform allows for a risk-based approach to screening, in which the compliance professional can assess the risk of doing business with a third party. This assessment includes screening for anti-bribery and anti-corruption, politically exposed persons, state owned entities, watch lists, and embargoes, as well as more recent regulations such as the German Supply Chain Act and the UK Modern Slavery Act. It also provides the ability to document and audit activities, allowing for better visibility and accountability from an internal and external perspective. Finally, the platform is constantly updated to ensure that it is compliant with any new laws or regulations that are implemented.

Risk-Based Approach – Evaluating the dossier of information to lead to a decision to approve or deny doing business with the third party.

The second step in the third-party risk management process is to take a risk-based approach in evaluating the dossier of information. This dossier typically includes the results of the screening process, any due diligence questionnaires, and any additional investigations that have been conducted. All these items should be compiled into a single source of truth and reviewed to ensure that the organization has done its due diligence in assessing the third party.

The risk-based approach should be tailored to the specific organization and its risk profile, as well as the specific third-party that they are doing business with. This evaluation should also take into consideration any changes in laws, regulations, and sanctions that may have been recently implemented. The diligence program should also be able to screen for a variety of different risks, such as anti-bribery, anti-corruption, human trafficking, politically exposed persons, state-owned entities, watchlists, and embargoes.

Once the evaluation is complete, the organization should have a clear understanding of the risks associated with doing business with the third party and can make an informed decision as to whether to approve or deny the business relationship. This risk-based approach should be documented for auditability in case of any potential future inquiries or investigations.

Documentation – Documenting activities, notes, attachments, and actions taken to show due diligence was done to mitigate risk.

Documentation is an essential part of risk mitigation and due diligence. It is important to maintain an audit trail of activities, notes, attachments, and actions taken related to third party risk management. This allows companies to easily access information and prove that they have taken the necessary steps to mitigate risk. A platform such as Diligent’s Third Party Risk Manager can be used to keep track of all the necessary documentation. All activities, notes, and attachments can be stored in a single source of truth, which provides visibility and auditability for the board. Additionally, the platform is regularly updated to ensure that it is up to date with the latest regulations and laws. This allows companies to remain compliant and mitigate risk. All these elements come together to form a dossier of information, which can be used to approve or deny business with third parties. Documentation is a key part of any risk management program and is essential for due diligence.

Over this five-part blog post series will explore reprioritizing you third-party risk management program. It is essential to properly evaluate third-party risk and to document all activities, notes, and attachments to remain compliant and mitigate risk. With the right platform and approach, companies can keep up with the ever-changing regulations and laws and protect their businesses from potential issues. With dedication and hard work, business owners can stay ahead of the curve in risk management and compliance.

For more information, check out Diligent here.

Listen to Michael Parker on the podcast series here.

Categories
The ESG Report

ESG – From the Board to the Front Line with Dan Zitting


Dan Zitting, CEO of Galvanize (now Diligent), is back on this week’s episode of the ESG Report. He and Tom Fox check in about the progress of his company’s M&A with Diligent, reporting on ESG to the board, and ESG trends for 2022.

Becoming Diligent
Dan tells Tom how Galvanize’s M&A with Diligent is progressing. “We’ve had a big year,” he says. Galvanize being part of Diligent means that they can now bring a truly integrated GRC solution from the board to the front line. “We are working really hard on technology capability that brings what GRC professionals do directly into the boardroom,” Dan remarks. “…We’re creating the ability to say, ‘Hey, alongside that board book sits information dashboards and information and analytics about how other areas of governance and risk and compliance in the front line are working’.” Real-time reporting on ESG will help the board engage in governance more proactively, he comments. 
Tom asks how the acquisition strengthens Galvanize. We have the opportunity to elevate our work all the way to the boardroom, Dan responds. Also, Diligent’s global scale means that Galvanize now has access to more resources and a bigger client market. 
The Proactive Approach
What are some of the key changes you’ve seen in the GRC space, Tom asks Dan. 2021 has accelerated progress toward an integrated risk management approach, he replies. Global pressure to take ESG seriously has also spurred this on. Both Tom and Dan agree that companies need to be nimble enough to pivot in anticipation of rapid change. “Traditional approaches just don’t work,” Dan points out. “If the way we’re going to evaluate these events is by auditing past history or looking at how we complied with controls in the past, it’s just not good enough anymore.” The better, more proactive approach to risk management involves using leading indicators rather than historical auditing activity. He describes how an automated GRC platform can help companies achieve this goal. We encourage our clients to think about creating structures and systems rather than just focusing on the software as the solution, he tells Tom.
Reporting to the Board and ESG Trends
“Particularly on ESG topics, the board is looking for the answers to simple questions,” Dan advises. Keep your report to just 5 points and their relevant benchmarks. Currently, two hot topics boards want to know about are carbon emissions and gender diversity. Dan believes the conversation will expand to other issues in the coming years, and that we’ll see ESG becoming more important throughout the organization. “I think a lot of organizations are going to be setting up a sustainability function that will ultimately have responsibility for doing that kind of accounting. We should be concentrating on that and then in turn connecting it to standards and compliance programs which is exactly what we know how to do as GRC professionals,” he remarks.
Dan shares his view on ESG trends for 2022 and beyond. The rapidly increasing pay rate for GRC professionals is a sign of how important and necessary this role has become. Boards and audit committees are also asking more questions and looking for guidance on ESG. That’s a good indication of what’s to come, Dan says.
Resources
Dan Zitting on LinkedIn | Twitter
Diligent Institute