Third-Party Risk Programs Should Focus on Offense, not Defense

Just 43 percent of organizations surveyed in NAVEX Global’s 2016 Ethics & Compliance Third Party Risk Management Report said they evaluated third parties before engaging with them—down from 68 percent in 2015.

In the worst case, they are just hoping to “get lucky.”

That was one of the more troubling findings in this year’s report, and a central point of my presentation on bribery and corruption with Matt Kelly, CEO of Radical Compliance, at NAVEX Global’s Ethics & Compliance Virtual Conference. Given the rise in use of third parties—driven by economic conditions, productivity, globalization, specializations and (perceived) limitations on liability—and the increasing enforcement and coordination from regulators in the US, Europe and elsewhere, stronger due diligence seems clearly called for. This is particularly true in light of recent allegations against multinational firms in developing markets, where cutting deals with local officials in many cases is still considered the norm.

On Demand: Ethics & Compliance Virtual Conference

It’s hard to say exactly why organizations are falling behind in this critical area. It could be that those responsible for third-party due diligence for varying types of third parties in all corners of the globe is complicated, and organizations are struggling to find a starting point. It’s also possible that they’re waiting for more regulatory guidance. In the worst case, they are just hoping to “get lucky.”

But none of these are good excuses, and waiting is not a good idea. Once an organization engages with a third party, potential liability attaches.

The good news is that there’s already some strong guidance from regulators. In 2012, the U.S. Securities and Exchange Commission and the Department of Justice released this guide to the Foreign Corrupt Practices Act. And just this fall, the International Organization for Standardization released ISO 37001, a new standard on anti-bribery management systems.

Read More: ISO 37001: Answers to the 5 Questions We’ve Heard Most About the Standard

Neither set of recommendations presupposes one-size-fits-all standards. Basically, organizations should tailor a risk-based, reasonable program around the following actions:

  • Understand the qualifications and associations of third parties
  • Understand the business rationale for including third parties
  • Include some form of ongoing monitoring of third-party relationships
  • Communicate the organization’s commitment to ethical business practices

These guideposts are especially important given the change in tenor from Washington and other regulatory authorities in recent years. In the Yates Memo, regulators have said they will seek greater accountability from individuals who perpetrate wrongdoing while also seeking more resources for enforcement. But they’ve also shown willingness to reward organizations that provide greater cooperation.

Read More: 4 Questions About the Yates Memo’s First Year

None of this bodes well for organizations looking to lie low and avoid discovery. Instead, it should be a further wakeup call to be as prepared as reasonably necessary and possible.Foreign enforcement organizations around the world are also increasing their efforts. The United Kingdom Serious Fraud Office has increased sanctions, stronger enforcement is appearing in Italy, Mexico and Argentina, and France’s Sapin II anti-corruption law arrived this fall. All of this comes with heightened coordination among regulators, and the U.S. DOJ and SEC Division of Enforcement’s work to expand “its efforts to obtain evidence of potential wrongdoing from around the globe.”

Automation appears to be a clear way to improve all aspects of compliance when it comes to identifying and preventing bribery and corruption conducted on behalf of an organization by its third parties. Our recent third-party survey report found that respondents who used an automated system rated their programs higher in areas ranging from compliance with laws and regulations to screening and monitoring of third parties to documenting processes and protocols. 

Download Benchmark Report: 2016 Ethics & Compliance Third Party Risk Management Report

That’s not to say the human element isn’t still valuable, as automation can have its limits. When automating your third-party programs, you should map out the risk management process, determine the scope of the work your organization does with third parties and determine what can and can’t be automated and where hands-on review and decision making by individuals is best utilized.

Big picture, organizations should review existing laws and guidance, set clear policies on anti-bribery and corruption, put them in writing and communicate them with their own employees and the employees of third parties.

Never forget that compliance programs should first be seen as a benefit to an organization. The approach to program design and management should not be only about avoiding regulatory enforcement or reducing fines when an organization is indicted by regulators but it should also focus on the clear business reasons for managing third party risk.

Read More: If Things Have to Be Risky for Your Third-Party Risk Management Program to be Valuable, You’re Doing It Wrong

Our third party risk management software, RiskRate, works around the clock so you don’t have to, transforming third party due diligence. Get a customized demo to see how it will work for you. 

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

The Element of Surprise Keeps Things Honest
A CCO Perspective on Artificial Intelligence

5 Key Takeaways from My Long List of Regulatory Changes Shared at ECVC2016

The world of compliance is in a rapidly evolving regulatory environment. From the U.S. Department of Labor’s new heightened salary requirements for exempt status, to the Equal Employment Opportunity Commission’s new EEO-1 reporting requirements, to the growing state and city “ban-the-box” laws, there are a lot of things to pay attention to.
Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

New Compliance Regulations for France and Italy Demonstrate the Growing Convergence of Anti-Corruption and Whistleblowing Standards in Europe

The French anti-corruption and whistleblower protection law, Sapin II, was passed last month and an updated piece of Italian whistleblowing legislation for banks is currently under discussion in the form of Bill proposal no. 2208. These regulations will have implications for your firm if you do business in France or Italy. In partnership with Baker & McKenzie, we have prepared a legal brief that summarises the fundamental features of both laws and the next steps to take for organisations to achieve compliance best practices.
Next Post Previous/Next Article Chevron Icon of a previous/next arrow.