Democratized Due Diligence Will Judge Your Third Parties, even if You Don’t

Ethics and compliance officers already know data analytics can be a powerful thing. Now we have a fresh example of how the ingredients of a data analytics program – data, interpretation tools, and questions people want to answer – can drag awkward ethical questions into the light.

The example is Secret Neighborhoods, an online program developed by Global Witness, an anti-corruption nonprofit based in London. Global Witness studied the records of property ownership in London, and identified all properties owned by companies based in overseas tax havens — a red flag for possible money laundering. Then it compiled those questionable properties into an online searchable map — enter your address, and you can discover how many “secret properties” are in your neighborhood.

Now, let’s not kid ourselves: the Secret Neighborhoods website is intended foremost to build a following for Global Witness. It only tells you how many secret properties are in your vicinity, not who those businesses actually are.

Still, this is only an early example of what’s to come with third-party risk, data analytics, and new transparency regulations coming into force across Europe. Compliance officers should tread carefully, since Secret Neighborhoods also shows how data analytics might push a conversation about corporate conduct ahead of the organization’s ability to answer.

When Algorithms & Public Registers Collide

The first part of this change is driven by data. And amendments to the European Union’s Fourth Anti-Money Laundering Directive will make much more data available for public consumption.

Those amendments require all corporations to disclose their beneficial owners in a publicly available register. Until now, countries could restrict access to those registers to law enforcement only.

The second part of the change is driven by technology: collecting and indexing publicly available data is now a breeze. Governments, companies, nonprofits, hackers, or even persons with good coding skills and some free time can now build data scraping applications to collect information, put it in a database, and study it.

This brings us to the most important part of this change: Now that people can ask more questions, with more precision, people will ask those questions.

Call it democratized due diligence; anyone, anywhere, will be able to perform due diligence on any third party — including your company’s third parties.

Those efforts won’t necessarily lead others to discover misconduct in your own organization, but they could uncover misconduct among your third parties. That, in turn, might lead regulators, customers, business partners, or the public to question your company’s judgment for associating with the offending third party.

Imagine, for example, that someone walks out of your company with a complete list of third parties on a thumb drive and then puts them on a database for all the world to see. The world now has the opportunity to make judgments about your firm based on the company you keep.

This already happened once. We called it the Panama Papers.

In other words, the more technology enables democratized due diligence — and really, the technology is just getting started here — the more it increases your company’s reputation risk.

The Compliance Response

All of this is going to shift due diligence from a compliance obligation to a strategic imperative.

Compliance officers can use that to their advantage, of course, as they work to secure more resources for a strong compliance function. They will also need to work with boards to answer a basic question: what is the company’s tolerance for reputation risk caused by third parties?

What does that mean in practical terms? We can start by remembering that “risk tolerance” is just another way of saying “acceptable variation from a performance goal.” Boards will need to spell out their “performance goals” for third parties’ behavior. To me, that sounds a lot like establishing core values and alerting third parties that you expect them to adhere to those values.

Second, compliance officers will need to find effective ways to enforce those standards on third parties. You will need smart ways to perform due diligence before onboarding a third party, and smart ways to monitor them after the onboarding happens.

Again, that’s not a new concept unto itself. The urgency for better due diligence and oversight, however, has never been higher. Companies will simply face too many ways for others to analyze their third parties and start asking pointed questions.

In our modern social media age, those questions will come fast, and may not necessarily be fair. The simplest way to knock them down will be to perform effective due diligence, avoid risky third parties, and not face those pointed questions in the first place.
