Cross-border overview: managing third-party risk toward a systematic approach
The risk landscape
The cost of engaging corrupt third parties has never been higher for multinational companies. The top 10 FCPA enforcement cases in history have, without exception, centred on the use of external parties to facilitate the bribery schemes, resulting in fines and penalties of more than US$3.6 billion and counting since 2008. Major government anti-corruption campaigns outside the US, most notably in China and Brazil, have also zeroed in on third parties as the key mechanism.
The central role of third-party relationships in international corruption has not been lost on US government regulators. The need for robust third-party oversight is repeatedly highlighted in their public statements. Expectations of the US Department of Justice and Securities and Exchange Commission have been further articulated in the 2012 A Resource Guide to the US Foreign Corrupt Practices Act, which directs companies to: (i) understand the qualifications and associations of third-party partners, including business reputation and relationships, if any, with government officials; (ii) understand the business rationale for including a third party in a transaction; and (iii) monitor third-party relationships once they begin.
As any chief compliance officer or general counsel will tell you: these directives are easier said than done. Effective third-party risk management (3PRM) is burdened by a myriad of external and operational challenges. Externally, information availability varies widely from market to market and is in a host of languages. Global watch lists of restricted entities are in a state of continuous change. Information privacy laws are also different across (and sometimes within) jurisdictions and in some cases are quickly evolving without clear direction. And the focus on third parties is not just limited to anti-corruption compliance. Other long-standing regulatory regimes — anti-money laundering, anti-terrorist financing, trade sanctions and export controls — require that companies avoid doing business with a multitude of specific entities, individuals and jurisdictions.
Within the company, 3PRM has multiple cross-disciplinary stakeholders with varying priorities (legal, compliance, procurement, finance, internal audit) and responsibilities. Relevant internal systems (ERP, purchasing, HR, operational, etc) are often both locally and globally fragmented and do not lend themselves to consolidation, transparency and monitoring. For large organisations tracking tens to hundreds of thousands of third parties, the data volume is moving beyond the point of effective manual review.
Clearly, the requirements of 3PRM call for a consistent, systematic approach to the problem. By design, regulators do not prescribe specific standards for meeting their general guidelines, but say that these efforts need to be ‘real,’ namely designed and executed in such a way as to genuinely confront the risk. The burden of setting the specific operational standards for adequate risk management is placed on the company, and hoping that the organisation will get it right without coordinated management may be perilously wishful thinking.
Designing the framework
What would the road map for a systematic 3PRM programme look like? The initial step is to design a conceptual framework. Since most companies already have at least some limited form of 3PRM in place, an effective method to identify improvements is to map out the desired model and perform a gap analysis against current capabilities. The target model should ideally consider and address the following organising principles as a foundation:
- Consistency: With any global compliance programme, the key element is a consistent set of standards and procedures that the company can expect to apply across regions and business lines. Without a certain level of consistency, assumptions regarding programme effectiveness are not as reliable. Establishing consistency in certain areas, including risk rating criteria, diligence scoping based on those risk ratings and approval/denial criteria, is particularly important.
- Transparency: One of the largest obstacles to effective 3PRM programme implementation is the lack of visibility into key compliance data points. Programmes are frequently hamstrung by lack of access to the most basic information on purely administrative questions such as: How many third parties do we actually have? What do they do? Who approved the relationship and on what basis?
- Efficiency: With any geographically diverse, high-volume business process, efficiency is vital in minimising programme cost. Variables like manual processing and paper-based systems drive up cost without increasing effectiveness. With 3PRM, the trend is naturally turning to technological solutions for assistance, some of which we will discuss in later sections.
- Accountability: It is not unusual for a large number of stakeholders in the 3PRM process to create an environment of ‘diffused responsibility’, wherein everyone relies on the other to take ownership of key decisions. This is a vulnerability and can be improved by a clearer governance model, as well as well-defined lines of review and approval. Companies are increasingly creating dedicated 3PRM functions, frequently housed within legal or compliance departments, which formalise the process and play a coordinating role for all stakeholders.
- Accessibility: As anyone who has had to respond to a regulatory investigation can attest, your compliance programme is only as good as what you can document. Increasingly, the expectation will be that a complete set of information on the third party’s role, background and approval history should be immediately available upon request. Again, this is an area where technology solutions are playing an important role.
Making it operational
Any conceptual framework needs to be made real in the form of policies and procedures at the ground level. In this effort, the most effective 3PRM systems tend to address third parties in terms of a life cycle — tracking them from selection, to onboarding, then to monitoring and (if necessary) closing. Within that life cycle, there is a set of foundational risk management tasks that will inevitably be performed: identification, risk stratification, diligence, monitoring and documentation.
As mentioned previously, it is not unusual for companies to be unable to answer the simple question of how many third parties they are working with at any given time. This is primarily because record-keeping related to third parties tends to be decentralised and its content varies by region or business function. As a result, it is fragmented when the time comes to get a complete picture. But it can also be affected by lack of clarity regarding how a ‘third party’ is actually defined. Vendors are an easy call. But strategic partners? Individual contractors? Charitable organisations? JV partners? A useful rule of thumb is that any entity or individual whose compliance activities the company does not directly control should be treated as a third party. Not surprisingly, this will cast a wide net, but such a broad definition accurately reflects the realities of the 3PRM risk landscape. In rolling out a next generation global 3PRM programme, the first step is almost always to perform a third-party inventory, which can be a significant effort in itself. This is an area where a centralised 3PRM function can play an indispensable role, as arbiter of third-party classifications.
Not all third parties are created equal, and as such require different levels of scrutiny. Performing identical risk-management procedures for hundreds to tens of thousands of third parties is an administrative and financial non-starter, and the problem has frequently caused companies to delay diligence across the board. Without effective risk rating, programme implementation effort tends to be wasteful and ineffective.
Risk stratification applies a numerical weight to each of a range of relevant data points and consolidates the weighted values into a single overarching score. These scores are then ideally linked to a previously established, appropriate level of diligence or scrutiny. This is very difficult to achieve without the application of specialised technology, specifically process workflow managers and data analytics tools (discussed below).
There are three points in the third-party life cycle where the risk rating process can and should occur — pre-diligence, diligence and monitoring. The objectives at each stage are slightly different, as are the risk-rating approaches. At the pre-diligence stage it uses basic profile information to route the third party toward a risk-appropriate diligence scope. During diligence, it uses the research results to serve as a pre-approval guide regarding the overall risk profile of the third party. In monitoring, it is designed to use transactional behaviour to detect potential improper behaviour in third parties after they have been engaged.
There can be many relevant risk criteria in the stratification process. They range from more universal elements such as location, industry, government exposure and watch-list results, to more company-specific factors related to the third party’s specific business role and commercial terms. The key component of risk rating, though, is multivariate analysis. Results are most useful when based on a variety of risk factors considered at the same time, with thoughtful weighting of each element prior to the analysis.
The heart of any 3PRM process is diligence research. With a narrow diligence scope, important potential risks can be overlooked; too broad and you are looking at an expensive effort with little incremental value. The challenge is that the term ‘diligence’ means many things to many people, depending on the context of the relationship being considered. The first task is to define the objectives of the diligence being performed. For our purposes, the primary goals of diligence are to gather enough information to adequately assess the risk of regulatory violation and fraud. This can be as simple as checking vendor names against a watch list for sanctions compliance or as complex as all-inclusive ‘deep dive’ background research on a billion-dollar acquisition target.
Regardless of the diligence scope, there are common cost drivers, such as the size of the target entity, availability of electronic information in target jurisdictions and source language. These drivers will largely determine the ability to conduct online research as opposed to field document collection.
As mentioned previously, the challenge is to calibrate the diligence scope to the third party’s initial risk rating. A typical approach is to separate the scope into three general tiers of review. The first level is focused on ‘one question’ diligence, such as sanctions and watch-list checks. These quick scans are designed to address very narrow compliance questions and can be carried out completely online, almost immediately and in high volumes. The second level is the most common scope for standard vendor due diligence reviews. These procedures are also principally online research-driven reports but add a wider range of sources such as corporate registry, media and litigation databases.
A third-level review is normally reserved for either third parties that have exhibited red flags during the first- and second-level screens, or for targets of a major transaction. In third-level reviews, first- and second-level research is enhanced with more extensive procedures, such as more comprehensive local language research, physical document retrieval and source enquiries. Ideally, the diligence process consists of a number of ‘tripwires’ that prompt either an expansion of scope or termination of the diligence (and the potential relationship). Increasingly, the results of diligence and the resulting decisions are being captured in workflow automation tools, discussed in the next section.
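The scoring, tier routing and tripwires described in the last few paragraphs can be expressed as a small routing function. The following is an added example written for this article, not a model from any regulator, vendor or company: the factor scales, the weights, the 4.0/7.0 tier thresholds, the role-risk table and the sample profiles are all illustrative assumptions, and a real programme would calibrate them to its own country index, industry exposure and audit history.

```python
"""Added example (not from the page): weighted, multivariate risk scoring that
routes a third party to one of the three diligence tiers, with 'tripwires'
that override the score. All weights, factor scales and thresholds are
illustrative assumptions, not a published or regulator-endorsed model."""
from dataclasses import dataclass


@dataclass
class ThirdPartyProfile:
    """Pre-diligence profile, typically taken from the business sponsor's request form."""
    name: str
    country_risk: int            # 0-10, assumed to come from the company's own country index
    role: str                    # e.g. "law_firm", "distributor", "sales_agent"
    government_interaction: bool # will the third party deal with officials on our behalf?
    commission_pct: float        # success fee / commission as % of contract value
    watchlist_hit: bool          # result of the level-one sanctions/watch-list screen
    refused_questionnaire: bool = False


# Assumed role risk on a 0-10 scale; roles not in the table default to the midpoint.
ROLE_RISK = {"law_firm": 3, "logistics": 4, "distributor": 6,
             "customs_broker": 8, "sales_agent": 9}
# Assumed weights; they sum to 1 so the combined score stays on the 0-10 scale.
WEIGHTS = {"country": 0.30, "role": 0.25, "government": 0.25, "commission": 0.20}
LEVEL_1, LEVEL_2, LEVEL_3, STOP = "L1", "L2", "L3", "STOP"


def factor_scores(p: ThirdPartyProfile) -> dict:
    """Put every factor on the same 0-10 scale before weighting."""
    return {
        "country": max(0, min(10, p.country_risk)),
        "role": ROLE_RISK.get(p.role, 5),
        "government": 10 if p.government_interaction else 1,
        "commission": min(10.0, p.commission_pct / 2.0),  # a 20% fee saturates the scale
    }


def risk_score(p: ThirdPartyProfile) -> float:
    """Weighted sum of all factors considered together (multivariate), range 0-10."""
    s = factor_scores(p)
    return sum(WEIGHTS[k] * s[k] for k in WEIGHTS)


def diligence_tier(p: ThirdPartyProfile) -> tuple:
    """Route the third party to a diligence tier.

    Tripwires are checked before the score: a watch-list hit always gets a
    full level-three review, and refusing the compliance questionnaire stops
    onboarding no matter how low the score is."""
    if p.watchlist_hit:
        return LEVEL_3, "tripwire: watch-list hit"
    if p.refused_questionnaire:
        return STOP, "tripwire: refused compliance questionnaire"
    score = risk_score(p)
    if score < 4.0:
        return LEVEL_1, f"score {score:.2f}"
    if score < 7.0:
        return LEVEL_2, f"score {score:.2f}"
    return LEVEL_3, f"score {score:.2f}"


# Constructed sample profiles (fictitious names).
SAMPLES = [
    ThirdPartyProfile("Example Law LLP", 2, "law_firm", False, 0.0, False),
    ThirdPartyProfile("Example Distribution SA", 5, "distributor", True, 5.0, False),
    ThirdPartyProfile("Example Agent", 9, "sales_agent", True, 15.0, False),
    ThirdPartyProfile("Example Supplies", 1, "supplier", False, 0.0, True),
]

if __name__ == "__main__":
    for profile in SAMPLES:
        tier, why = diligence_tier(profile)
        print(f"{profile.name:26} -> {tier:4} ({why})")
```

The point of checking the tripwires before the score is that a weighted average can dilute a single decisive fact: the low-risk supplier in the last sample scores well under 2 but still goes to a level-three review because of the watch-list hit.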
As indicated in the 2012 DOJ/SEC guidance on FCPA compliance, 3PRM does not end when the contract is signed. It is equally important to monitor the activity of third parties throughout the relationship. Corrupt third parties frequently do not come with clearly questionable backgrounds at the diligence stage, so companies must regularly scan for indications of high risk activity.
Most effective monitoring programmes combine a technological approach with a people and culture-driven one. In terms of technology, data analytics focused on fraud and corruption risk (discussed in the next section) is becoming a standard weapon in the monitoring arsenal. Complementary to the use of analytics is the internal audit function, which uses the analytics-generated heat map of potential high risk transactions and payees to conduct a more thorough fact finding process. Many companies also create a regular schedule to refresh the due diligence, where certain checks (for example, watch lists or media) are re-performed to capture any potential changes in reputation or status.
Finally, the company must rely on active feedback loops from the field to help detect potential problems. Analytics and audits are themselves limited in their ability to get to the true nature of a third-party relationship, because they review historical documentation without the benefit of personal knowledge of the parties. An important part of risk monitoring is an active whistleblower hotline capability, open to both employees and vendors. Historically, whistleblower complaints have been a leading source of actionable information on compliance and fraud violations, since whistleblowers tend to be closer to the problem. Unfortunately, hotlines also attract grudges and personal vendettas, so the company needs clearly established responsibilities and procedures for reviewing, prioritising and investigating these claims. On balance, most find that the benefits of an active ethics hotline outweigh the burden of maintaining it.
As was mentioned earlier, your 3PRM programme can look like ‘paper controls’ if you cannot document it on a granular level. In a global company, third-party issues should be considered an inevitability, so it is wiser to anticipate those cases with robust record-keeping. Countless investigations, internal and government-led, have been seriously hampered by an inability to reconstruct how a third party was introduced, approved and monitored. One should not expect to be given the benefit of the doubt when faced with this problem.
Documentation can be greatly facilitated by the creation of consistent archiving standards, designating what information is retained and where it is housed across the organisation. Wherever possible, companies should use standardised documents with limited opportunities for variation. Ideally, documents should migrate as much as possible to a virtual process facilitated by networked tools. Finally, with better documentation comes data security and privacy considerations that need to be taken into account by your legal function as well as IT administrators.
Throughout this article we have referenced the need to address the huge and complex effort required to administer a global 3PRM programme. Not surprisingly, the market has responded to this need with a number of IT tools designed for this purpose. While the subject is worthy of a paper of its own, we provide herein an overview of the major categories of technology tools that are currently available.
The first category is data aggregation, namely information sources that compile large amounts of disparate background data on entities and individuals into a usable, relevant summary. The capabilities of these tools are tied to the availability of electronic records. The earliest data aggregators were focused on the compilation of names from the multitude of watch lists issued by governments and multilateral organisations around the world.
Over time, data aggregators have been enhanced by the addition of public domain media information on the target entities. Today, new platforms are going further and assembling data from harder-to-access national or regional sources around the world to offer a broader range of corporate and individual background information. The as yet unreached Holy Grail of these tools is a real-time, comprehensive dossier generator that provides all the information needed to make effective compliance decisions.
The second category addresses process workflow management. These online tools address the administrative burden of managing complex diligence programmes on a global scale. They provide a centralised mechanism for tracking the information generated at every phase of the third-party life cycle – onboarding, engagement, monitoring and termination. They also automate the standard operating procedures related to diligence, risk evaluation and approvals. The objective is to minimise process variation across markets and encourage transparency and individual accountability.
All three participants in the 3PRM process contribute to the system – the company, the third party and the information provider. The third party uploads self-reported background information, which is then cross-referenced against external sources, while the company oversees the risk rating of the third party and the decisions based on the diligence results. The platform then serves as a documentation tool, a centralised archive that can be easily accessed whenever information on the third party, the diligence process or the approvals is required.
The third is data analytics. This suite of tools and techniques, designed to detect risk in large pools of data, has been developing the most quickly of all categories, due to its wide range of potential business applications. If you have been contacted by your bank regarding suspicious activity on your account, you have seen fraud detection analytics at work. Data analytics refers to various combinations of hardware, software and customised algorithms designed to detect certain patterns (positive or negative) in data. They are deployed primarily as monitoring and reporting tools (in this context fraud and corruption risk monitoring), since they rely on large quantities of historical activity to generate meaningful results.
In the 3PRM context, data analytics has normally meant analysis of third-party payment history, as well as overlays of vendor and employee identifying information, to pinpoint third parties exhibiting high risk patterns. Today’s data analytics models are adding new detection techniques, such as unstructured data (eg, communications) review and predictive behaviour analysis to better anticipate future risks.
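The payment-history analysis and the vendor/employee overlay described above can be shown concretely. The following is an added example written for this article, not code from any analytics vendor or from the page: the ledger, vendor master and employee master are constructed, fictitious data, and the three rules (a vendor sharing a bank account or address with an employee, payments split to stay under an assumed 10,000 single-approver limit, and vendors paid only in round thousands) together with the scores assigned to them are assumptions for illustration rather than rules the text prescribes.

```python
"""Added example (not from the page): payment-history analytics of the kind the
text describes, run over a constructed ledger. The three rules (vendor/employee
identity overlap, approval-threshold splitting, round-amount payments) and the
scores given to them are assumptions for illustration, not rules the page
prescribes; a real model would be tuned to the company's own data."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed master data and ledger; every identifier here is fictitious.
EMPLOYEES = [
    {"id": "E100", "bank_iban": "GB00TEST00000000000001", "address": "1 Sample St"},
    {"id": "E101", "bank_iban": "GB00TEST00000000000002", "address": "2 Sample St"},
]
VENDORS = [
    {"id": "V1", "name": "Alpha Consulting", "bank_iban": "GB00TEST00000000000001", "address": "9 Other Rd"},
    {"id": "V2", "name": "Beta Logistics", "bank_iban": "GB00TEST00000000000099", "address": "5 Dock Ln"},
    {"id": "V3", "name": "Gamma Supplies", "bank_iban": "GB00TEST00000000000077", "address": "7 Park Ave"},
]
PAYMENTS = [  # (vendor_id, payment date, amount, description)
    ("V1", date(2023, 3, 1), 9800.00, "consulting fee"),
    ("V1", date(2023, 3, 2), 9900.00, "consulting fee"),
    ("V1", date(2023, 3, 3), 9700.00, "consulting fee"),
    ("V2", date(2023, 3, 5), 12450.37, "freight inv 4412"),
    ("V3", date(2023, 3, 9), 5000.00, "facilitation"),
    ("V3", date(2023, 4, 9), 5000.00, "facilitation"),
    ("V3", date(2023, 5, 9), 25000.00, "facilitation"),
]
APPROVAL_THRESHOLD = 10000.00   # assumed single-approver payment limit
SPLIT_WINDOW = timedelta(days=7)


def vendor_employee_overlap(vendors, employees):
    """Overlay of vendor and employee identifying data: flag a vendor paid into
    an employee's bank account or registered at an employee's address."""
    by_iban = {e["bank_iban"]: e["id"] for e in employees}
    by_addr = {e["address"].strip().lower(): e["id"] for e in employees}
    hits = {}
    for v in vendors:
        reasons = []
        if v["bank_iban"] in by_iban:
            reasons.append(f"bank account shared with employee {by_iban[v['bank_iban']]}")
        addr = v["address"].strip().lower()
        if addr in by_addr:
            reasons.append(f"address shared with employee {by_addr[addr]}")
        if reasons:
            hits[v["id"]] = reasons
    return hits


def split_payments(payments, threshold, window):
    """Two or more payments each just under the approval threshold (within 10%)
    inside a rolling window, whose total would have needed a higher approver."""
    near = defaultdict(list)
    for vid, day, amount, _ in payments:
        if 0.9 * threshold <= amount < threshold:
            near[vid].append((day, amount))
    hits = {}
    for vid, items in near.items():
        items.sort()
        for start, _ in items:
            cluster = [a for d, a in items if start <= d <= start + window]
            if len(cluster) >= 2 and sum(cluster) >= threshold:
                hits[vid] = (f"{len(cluster)} near-threshold payments within "
                             f"{window.days} days totalling {sum(cluster):.2f}")
                break
    return hits


def round_amounts(payments, unit=1000):
    """Vendors whose every payment is a round multiple of `unit`: negotiated
    fees and 'facilitation' payments rarely look like priced invoices."""
    amounts = defaultdict(list)
    for vid, _, amount, _ in payments:
        amounts[vid].append(amount)
    return {vid: f"{len(a)} round payments" for vid, a in amounts.items()
            if len(a) >= 2 and all(x >= unit and x % unit == 0 for x in a)}


def heat_map(vendors, employees, payments):
    """Combine rule hits into a per-vendor score, highest first, for internal
    audit to follow up. Returns [(vendor_id, score, [reasons]), ...]."""
    score, reasons = defaultdict(int), defaultdict(list)
    for vid, r in vendor_employee_overlap(vendors, employees).items():
        score[vid] += 5
        reasons[vid].extend(r)
    for vid, r in split_payments(payments, APPROVAL_THRESHOLD, SPLIT_WINDOW).items():
        score[vid] += 3
        reasons[vid].append(r)
    for vid, r in round_amounts(payments).items():
        score[vid] += 1
        reasons[vid].append(r)
    return sorted(((v, score[v], reasons[v]) for v in score), key=lambda t: -t[1])


if __name__ == "__main__":
    for vid, s, why in heat_map(VENDORS, EMPLOYEES, PAYMENTS):
        print(vid, s, "; ".join(why))
```

The output is a ranked list rather than a verdict: on the constructed data the consulting vendor tops the list because it trips two independent rules (an employee's bank account and a run of near-threshold payments), which is exactly the kind of heat map the text says internal audit should take as its starting point for fact finding rather than as proof of wrongdoing.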
Where is this all heading? As with most technologies, you can expect these three parallel 3PRM categories to move toward convergence. Companies need to continue to streamline the number of individual systems and processes related to 3PRM, so the target is increasingly a ‘super portal’ of third-party information, linked to the company ERP system, which contains multi-sourced diligence data, workflow tracking and continuous monitoring dashboards. Those responsible for third-party risk are ultimately seeking a one-stop shop for relevant information.
The prudent way to view this relationship is to consider 3PRM technology as an enabler, not the end game. The deployment strategy for these tools should consider them an extension of, rather than a replacement for, an informed 3PRM function and front-line business. The tools allow skilled staff to cover an ever broader range of third parties in a more automated manner. But for the immediate future, your programme’s success will still hinge on the judgement of that person at a desk.
To recap, this article has recommended a systematic approach to third-party risk management that moves companies from a fragmented, improvised process to a unified programme. This is not to understate the challenge of such a transition. Even those furthest along in this process see it as a long-term, incremental effort that is constantly evolving. In actuality, there is no end state, but rather a continuous process of assessing ever-changing third-party risk and adjusting methods to address it. That said, the principles, approaches and tools discussed above should provide some guidance in making these choices as effectively as possible.