Consider this scenario: You evaluate a new third-party vendor operating in a high-risk country for corruption risk and other liability concerns such as environmental impact or workforce compliance. Once evaluated, the vendor becomes subject to certain controls based on the risk tier established. You monitor those controls, but six months into the relationship the beneficial ownership of the party changes and the initial risk ranking is no longer valid. The new owners have a record of human rights abuses in their factories and have been associated with bribery charges.
There was published news of the upcoming change of ownership, which you would have seen if you had been engaged in ongoing monitoring of external news sources about your third parties. If you had been collecting information from various sources about the new owners and their track record, you would have re-evaluated the third party and enhanced controls or revised your contract. But you are only evaluating changes once every two years when you ask for updated self-reporting.
In the meantime, the new owners begin using child labor and make some unusual payments to government employees. Three months later, you find that your company is the subject of news articles about how U.S. companies use abusive vendors to keep their costs low.
This scenario isn’t an unlikely “worst case” example. A recent Thomson Reuters survey report entitled “Third Party Risk: Exposing the Gaps” indicates that 62 percent of survey participants perform initial third party due diligence (usually only for defined higher risk tier parties), but only 36 percent are monitoring for changes to the risk profile once third parties are put in place.
When asked what prevents them from taking steps to detect ongoing risks, participants define several key challenges, with the most significant being lack of data and resource constraints. So, many choose to put controls in place and only update the risk assessment annually by using one external source of information, such as a database that tracks sanctions and watch lists. Others simply rely on annual self-certification renewals or audits for higher-risk parties.
Most companies start third-party risk management by doing “due diligence,” a term understood by corporate lawyers to mean verification of facts that underlie a business decision. This falls into three categories: legal, financial, and commercial. For example, in an acquisition of a company, legal due diligence involves verifying the company being acquired is currently in compliance with all laws and regulations and reviewing any pending litigation, contracts, loans, and control of assets. Financial due diligence confirms that financial information provided is correct and relies on review of earnings, debt, assets, and liabilities. Commercial due diligence may include evaluation of the market, status of competitors, and the business plan. It often feels like these inquiries go on forever, but eventually, once due diligence is completed to the buyer’s satisfaction, the transaction moves forward, typically bringing an end to the due diligence phase.
But there isn’t such a clear end point for due diligence when we are talking about vetting third parties who will continue to present risks even after they are brought on board. A limited annual review is not sufficient to satisfy today’s best practices and may lead to liability when risks aren’t identified and managed in a timely manner.
Principles set forth in the World Economic Forum’s Partnering Against Corruption Initiative (PACI) Good Practice Guidelines on Conducting Third Party Due Diligence call for both reasonable due diligence before entering the business relationship and ongoing due diligence “as circumstances warrant.” The Guidelines indicate that this includes review of information from the internet, databases, and media searches about the third party (as well as its owners and key employees) that may be used to verify and validate self-reported information or identify any changes in circumstances.
Automated systems for ongoing due diligence can evaluate and integrate information from a wide range of data sources about changes in legal ownership, financial activities, complex corporate relationships and partnerships, and other indicators of potential illegal or risky conduct. Regulators and prosecutors expect such ongoing tracking for high-risk activities and geographies.
As use of third parties continues to grow, especially in global operations, we simply must accept that due diligence is never ending. The need for continual evaluation is clear, and this includes using methods and technologies that allow us to glean knowledge about our third parties from multiple sources of information, while wisely applying limited resources to address high risks known at the start, or that develop along the way.
An OCEG Roundtable: Continuing Third-Party Due Diligence
Switzer: Most companies today do some due diligence to confirm the level of risk associated with third parties when they are onboarding a new vendor, agent, or supplier. Fewer seem to do an adequate job of maintaining ongoing due diligence or know what that should include. We’ll discuss that latter issue, but let’s begin our conversation by asking what due diligence is typically done at the point of selecting a third party for onboarding? What needs to be in place for that review to be effective?
Bogdanov: Prior to the disruptive effect of data and technology, firms have long recognized that the basic building blocks of a robust third-party risk management program rest on a strong foundation of effective governance. Subject to a risk assessment that weighs a host of geopolitical, jurisdictional, market, and customer-related factors, businesses expressed their risk appetite through culture, policy, expectations of the first line of defense, and various controls. These can range from training and code of conduct, right through to specialized contractual clauses (for certain third parties), periodic audits, site visits, and much more. The idea was for firms to have taken reasonable and tangible steps to manage and mitigate the regulatory and reputational risks inherent in their third parties, though of course this practice has seen rapid disruption in recent years as these manual and labor-intensive undertakings have been complemented by the emergence of data and technology.
Castrucci: Today’s third-party due diligence demands require the collection of larger sets of information across a much larger set of people both inside the corporation and the third party. Standard questionnaires no longer apply. The information collected and analyzed must be specific to the type and dynamics of the third party itself, thus the technology must deliver highly customized questionnaires that differ from one third party to another. We are now seeing the need to have fully integrated eLearning, Code of Conduct, attestations, contract management, insurance management, data security, and privacy and more as part of the diligence process. It is also critical now to perform complete due diligence on the entire third-party base and not only your high risk third parties. The need to do more and faster is putting serious strains on the compliance department, requiring superior and effective automation.
Switzer: Part of the initial due diligence is ranking of third parties into risk tiers tied to specific levels of controls. What are most companies doing once they have put their third parties into risk tiers and begun the relationship? Is there a common practice for ongoing due diligence at all?
Castrucci: No. There is no common practice or even common agreement on what ongoing due diligence is. One company may think that periodic screening of the high-risk third parties is enough while another may require internal audits, yearly recapture of information and daily screening as a base requirement. We believe this is a critical gap in many programs and must be addressed to have a highly effective third-party diligence program. Contracts, transactions, business dynamics, requirements, global dynamics, and much more need to be monitored and analyzed continually. The third-party program must be complete, nimble to changes, and should address the entire third-party base not only the high-risk ones.
Moderator: Carole Switzer, Co-Founder & President. Panelists: Bogdanov and Castrucci; titles listed: Director of Market Development, Customer and Third Party Risk; Chief Executive Officer.
Bogdanov: Despite the lack of a clear standard around continuous monitoring, establishing a cadence and framework is easier than ever before. Through automated workflow that tracks changes in data, you are able to identify if and when there are changes to the risk profile of your third parties. It’s incredibly important, because the due diligence and risk scoring that takes place during onboarding provides a snapshot in time, whilst we know how quickly the world is changing around us. Compliance departments have limited budget and resources to work with, and historically it would have been inconceivable to monitor your entire universe of third parties. Technology and data have now made this practical and cost effective.
Switzer: Many organizations identify their highest risk third parties and then only apply any ongoing monitoring to them. Others try to monitor every third party, which can be very costly. There has to be a limit to the time and resources devoted to monitoring third parties, so how do you do better without being unreasonable?
Castrucci: It’s important to realize that the value of third-party due diligence is rapidly moving beyond compliance only. The information is providing intelligence to build superior supply chains and to define and manage highly effective sales channels. This is having a radical effect on the success of the entire business. Start by defining your processes and how you can provide value to the rest of the corporation. Then champion the additional stakeholders to get involved and to share in the costs of fully automating your third-party program. Technology is gaining in power fast, and costs are now a fraction of what they were just 2 years ago. We are now at the point in time where the third-party compliance program can be fully automated for very affordable costs.
Bogdanov: There’s a constant balancing act that a compliance department needs to manage, in striving to meet regulatory expectations and protect reputational risk, whilst also working within a limited budgetary and resource environment. It’s worth noting that data and automation capabilities are not only providing more visibility to third-party risks than ever, but are also becoming incredibly cost effective for businesses, as a means to contain resource pressures rather than exacerbate them. Onboarding, risk scoring, continuous monitoring, and tracking and evidencing compliance are increasingly streamlined, whilst remediation is simplified through high-quality, integrated data, and a significant decrease in false positives.
Switzer: The pace of technological change is staggering, especially with regard to the ability to comb through, synthesize, and use vast amounts of information. This allows for best-practice processes that we couldn’t have undertaken in the past without huge human resource application. What do you see as the best practice that will be in place 3-5 years from now? Is that something a company can accomplish today?
Bogdanov: The emergence and proliferation of big data is standard fare in the modern world of business and compliance. Businesses now have access to more and better quality data than ever before, and can already benefit from intelligence mapping and integration of this data to form an intelligence and holistic third-party risk profile. The next stage of evolution for the practice of third-party risk management will see this trend accelerate, as data continues to grow in quantity and quality, technology-powered workflows become more streamlined, and cognitive computing and artificial intelligence further improve the analysis and insight derived from data. You can already see how businesses are responding to this, with more technologists and data scientists filling compliance ranks in a field that has traditionally been dominated by legal professionals and practitioners.
Castrucci: The best practice in 3-5 years will involve newly advanced screening, monitoring, and fully automated workflow technologies. They will empower and involve the entire corporation, and they will be super-powered intelligence engines that collect and instantly analyse data and continually monitor it. They will fully integrate with both internal and external sources. Social information will start to be more and more important and easier to access. They will grow to be intelligence engines that provide insight to the corporation to build and manage superior supply chains and sales channels. They will effectively address the pressing and growing needs of dealing with personal information from multiple countries within the same platform. Yes, much of this technology exists today, but the automation and integration will grow rapidly to decrease the costs to achieve all the above in a much shorter cycle than can be achieved today.