Managing third-party risk – toward a systematic approach
This is an Insight article, written by a selected partner as part of GIR's co-published content.
The risk landscape
The cost of engaging corrupt third parties has never been higher for multinational companies. The release of the US Department of Justice’s (DOJ) so-called ‘Yates Memo’ in September of 2015 has heightened the risk for individual employees responsible for these relationships as well. The top 10 Foreign Corrupt Practices Act of 1977 (FCPA) enforcement cases in history have, without exception, centred on the use of external parties to facilitate the bribery schemes, resulting in fines and penalties of more than US$4.6 billion (and rising) since 2008. Major government anti-corruption campaigns outside of the US, the most notable being those in China and Brazil, have also zeroed in on third parties as the key mechanism for improper behaviour. The recent release of the so-called ‘Panama Papers’ information has also highlighted the widespread use of third-party shell companies for a variety of purposes, as well as the importance of understanding the beneficial owners and controllers of third parties.
The central role of third-party relationships in international corruption has not been lost on US government regulators. The need for robust third-party oversight is repeatedly highlighted in their public statements. Expectations of the DOJ and the US Securities and Exchange Commission (SEC) have been further articulated in the 2012 ‘A Resource Guide To The US Foreign Corrupt Practices Act,’ which directs companies to (i) understand the qualifications and associations of third-party partners, including business reputation and relationships, if any, with government officials; (ii) understand the business rationale for including a third party in a transaction; and (iii) monitor third-party relationships once they begin.
As any chief compliance officer or general counsel will tell you, these directives are easier said than done. Effective third-party risk management (3PRM) is burdened by myriad external and operational challenges. Externally, information availability varies widely from market to market and is in a host of languages. Global watch lists of restricted entities are in a state of continuous change. Information privacy laws are also different across (and sometimes within) jurisdictions and in some cases are quickly evolving without clear direction. And the focus on third parties is not just limited to anti-corruption compliance. Other long-standing regulatory regimes – anti-money laundering, anti-terrorist financing, trade sanctions and export controls – require that companies avoid doing business with a multitude of specific entities and individuals, or in various jurisdictions.
Within the company, 3PRM has multiple cross-disciplinary stakeholders (legal, compliance, procurement, finance, internal audit) with varying priorities and responsibilities. Relevant internal systems (ERP, purchasing, HR, operational, etc) are often both locally and globally fragmented and do not lend themselves to consolidation, transparency and monitoring. The data volume is moving beyond the point of effective manual review for large organisations that may be tracking tens to hundreds of thousands of third parties.
Clearly, the requirements of 3PRM call for a consistent, systematic approach to the problem. By design, regulators do not offer specific standards for meeting their general guidelines, but instead say that these efforts need to be ‘real’ (ie, designed and executed in such a way as to genuinely confront the risk). The burden of setting the specific operational standards for adequate risk management is placed on the company, and hoping that the organisation will get it right without a coordinated strategy may be dangerously wishful thinking.
Designing the framework
What would the road map for a systematic 3PRM programme look like? The initial step is to design a conceptual framework. Since most companies already have at least some limited form of 3PRM in place, an effective method to identify improvements is to assess the exposures, map out the desired model and perform a gap analysis against current capabilities. The target model should ideally consider and address the following organising principles as a foundation:
- Consistency. With any global compliance programme, the key element is a consistent set of policies and procedures that company management can expect to occur across regions and business lines. Without a certain level of consistency, assumptions regarding programme effectiveness are not as reliable. Establishing consistency in areas such as risk rating criteria, diligence scoping based on those risk ratings, and approval/denial criteria is particularly important.
- Transparency. One of the largest obstacles to effective 3PRM programme implementation is the lack of visibility into key compliance data points. Programmes are frequently hamstrung by lack of access to the most basic information on purely administrative questions, such as: how many third parties do we actually have? What do they do? Who approved the relationship and on what basis?
- Efficiency. With any geographically diverse, high-volume business process, efficiency is vital in minimising programme cost. Variables such as manual processing and paper-based systems drive up cost without increasing effectiveness. With 3PRM, the trend is naturally turning to technology solutions for assistance, some of which we will discuss in later sections.
- Accountability. It is not unusual for a large number of stakeholders in the 3PRM process to create an environment of ‘diffused responsibility,’ wherein everyone relies on the other to take ownership of key decisions. This vulnerability can be improved by a clearer governance model and well-defined lines of review and approval. Companies are increasingly creating dedicated 3PRM functions, frequently housed within legal or compliance departments, which formalise the process and play a coordinating role among all stakeholders.
- Accessibility. As anyone who has had to respond to a regulatory investigation can attest, your compliance programme is only as good as what you can document. Increasingly, the expectation will be that a complete profile of information on the third party’s role, background and approval history should be immediately available upon request. Again, this is an area where technology solutions are playing an important role.
Making it operational
Any conceptual framework needs to be made real in the form of policies and procedures at the ground level. In this effort, the most effective 3PRM systems tend to address third parties in terms of a life cycle – tracking them from selection and onboarding, to engagement and monitoring and (if necessary) termination. Within that life cycle, there is a set of foundational risk management tasks that will inevitably be performed: (i) identification, (ii) risk stratification, (iii) diligence, (iv) monitoring and (v) documentation.
As mentioned previously, it is not unusual for companies to be unable to answer the simple question of how many third parties they are working with at any given time. This is primarily because recordkeeping related to third parties tends to be decentralised, and its content varies by region or business function. As a result, it is fragmented, making it difficult to get a complete picture. It can be further complicated by lack of clarity regarding how a ‘third party’ is actually defined. Vendors are usually an easy call. But strategic partners? Individual contractors? Charitable organisations? JV partners? A useful rule of thumb in defining a third party is to determine whether your company has direct control over the other entity’s or individual’s compliance activities. Not surprisingly, this will cast a wide net, but such a broad definition accurately reflects realities of the 3PRM risk landscape. In rolling out a next-generation global 3PRM programme, the first step is almost always to perform a third-party inventory, which can be a significant effort in itself. This is an area where a centralised 3PRM function can play an indispensable role, as arbiter in achieving consistency of third-party classifications.
Not all third parties are created equal, and they do not all require the same level of scrutiny. Performing identical risk management procedures for hundreds or thousands of third parties is an administrative and financial deterrent; without an effective risk rating programme, implementation efforts tend to be cost-prohibitive and, as a result, diligence is delayed or limited across the board.
Risk stratification involves the process of applying a numerical weight to a range of relevant data points, which are then consolidated into a single overarching score. These scores are then ideally linked to a previously established level of appropriate diligence or scrutiny. This is very difficult to achieve without the application of specialised technology, specifically process workflow managers and data analytics tools (discussed below).
There are three points in the third-party life cycle where the risk rating process can and should occur – pre-diligence, diligence and monitoring. The objectives at each stage are slightly different, as are the risk rating approaches. The pre-diligence stage uses basic profile information to route the third party toward a risk-appropriate diligence scope. Diligence uses the research results to serve as a pre-approval guide regarding the overall risk profile of the third party. Monitoring is designed to use transactional behaviour to detect potential improper behaviour in third parties after they have been engaged.
There can be many relevant risk criteria in the stratification process. They range from more universal elements, such as location, industry, government exposure and watch list results, to more company-specific factors related to the third party’s specific business role and commercial terms. However, the key component of risk rating is multivariate analysis. Results are most useful when based on a variety of risk factors considered at the same time, with thoughtful weighting of each element prior to the analysis.
The heart of any 3PRM process is diligence research. With a narrow diligence scope, important potential risks can be overlooked; too broad, and you are looking at an expensive effort with little incremental value. The challenge is that the term ‘diligence’ means many things to many people, depending on the context of the relationship being considered. The first task is to define the objectives of the diligence being performed. For our purposes, the key goal of diligence is to gather enough information to adequately assess the risk of regulatory violation and fraud. This can be as simple as checking vendor names against a watch list for sanctions compliance or as complex as all-inclusive ‘deep dive’ background research on a billion-dollar acquisition target.
Regardless of the diligence scope, there are common cost drivers, such as the size of the target entity, availability of electronic information in target jurisdictions and source language. These drivers will largely determine the ability to conduct online research versus field document collection.
As mentioned previously, the challenge is to calibrate the diligence scope to the third party’s initial risk rating. A typical approach is to separate the scope into three general tiers of review. The first level is focused on ‘one question’ diligence, such as sanctions and watch-list checks. These quick scans are designed to address very narrow compliance questions and can be done completely online, almost immediately and in high volumes. The second level is the most common scope for standard vendor due diligence reviews. These procedures also produce principally online-research-driven reports, but draw on a wider range of sources such as corporate registry, media and litigation databases.
A third-level review is normally reserved for either third parties that have exhibited red flags during the first- and second-level screens or for targets of a major transaction. In third-level reviews, first- and second-level research is enhanced with more extensive procedures, such as more comprehensive local language research, physical document retrieval and source inquiries. Ideally, the diligence process consists of a number of ‘tripwires’ that prompt either an expansion of scope or termination of the diligence (or even the potential relationship). Increasingly, the results of diligence and the ensuing decisions are being captured in workflow automation tools, discussed in the next section.
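The weighted multivariate scoring described above, together with the routing to the three diligence tiers and the ‘tripwires’ that expand scope or put a relationship on hold, as an added example in Python (not code from the article or from any vendor platform). The factor weights, the 0–3 rating scale, the tier floors and the sample profiles are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Risk factors named in the article, each rated 0 (low) to 3 (high) by the
# reviewer or an upstream data source. The weights are illustrative assumptions.
WEIGHTS = {
    "country": 3.0,              # location of the third party
    "industry": 2.0,             # sector exposure
    "government_exposure": 4.0,  # dealings with officials or state-owned entities
    "business_role": 2.0,        # agent/intermediary vs. plain goods supplier
    "commercial_terms": 2.0,     # success fees, unusual commissions, etc.
}
MAX_RATING = 3
MAX_SCORE = MAX_RATING * sum(WEIGHTS.values())  # 39.0 with the weights above
# Score floors routing to the three diligence tiers (assumed values): tier 1 is a
# watch-list scan, tier 2 an online registry/media/litigation report, tier 3 an
# enhanced review with local-language research and source inquiries.
TIER_FLOORS = ((24.0, 3), (12.0, 2), (0.0, 1))

@dataclass
class ThirdParty:
    name: str
    factors: dict                                  # factor name -> rating 0..3
    watch_list_hit: bool = False                   # tier-1 screen result
    screen_red_flags: list = field(default_factory=list)  # tier-2 findings

def weighted_score(factors: dict) -> float:
    """Consolidate the individual factor ratings into one weighted score."""
    unknown = set(factors) - set(WEIGHTS)
    if unknown:
        raise KeyError(f"unknown risk factor(s): {sorted(unknown)}")
    for name, rating in factors.items():
        if not 0 <= rating <= MAX_RATING:
            raise ValueError(f"{name} must be 0..{MAX_RATING}, got {rating}")
    # A factor that was never rated is scored at the maximum, so an incomplete
    # profile can only push a third party up a tier, never down.
    return sum(w * factors.get(name, MAX_RATING) for name, w in WEIGHTS.items())

def score_to_tier(score: float) -> int:
    """Map the consolidated score to the pre-agreed diligence tier."""
    return next(tier for floor, tier in TIER_FLOORS if score >= floor)

def stratify(tp: ThirdParty) -> dict:
    """Pre-diligence routing, then the tripwires applied to screen results."""
    score = weighted_score(tp.factors)
    tier, decision = score_to_tier(score), "proceed"
    reasons = [f"weighted score {score:.0f} of {MAX_SCORE:.0f}"]
    if tp.watch_list_hit:          # tripwire: never proceed on a watch-list match
        tier, decision = 3, "hold"
        reasons.append("watch-list hit: hold pending third-level review")
    elif tp.screen_red_flags:      # tripwire: red flags expand the scope
        tier = 3
        reasons.append("second-level red flags: " + "; ".join(tp.screen_red_flags))
    return {"name": tp.name, "score": score, "tier": tier,
            "decision": decision, "reasons": reasons}
# Constructed sample profiles (not real entities).
LOW = {"country": 1, "industry": 0, "government_exposure": 0,
       "business_role": 0, "commercial_terms": 0}
MID = {"country": 2, "industry": 1, "government_exposure": 1,
       "business_role": 2, "commercial_terms": 1}
SAMPLE = [
    ThirdParty("Office supplies vendor", LOW),
    ThirdParty("Regional sales agent", MID),
    ThirdParty("Customs broker", MID, screen_red_flags=["principal named in bribery suit"]),
    ThirdParty("Logistics contractor", LOW, watch_list_hit=True),
]

if __name__ == "__main__":
    for r in map(stratify, SAMPLE):
        print(f"{r['name']}: tier {r['tier']} ({r['decision']}); " + "; ".join(r["reasons"]))
```

The same structure lets a monitoring refresh re-run `stratify` with updated screen results, so a later watch-list match or media red flag moves an already-approved third party into third-level review.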
As indicated in the 2012 DOJ/SEC guidance on FCPA compliance, 3PRM does not end when the contract is signed. It is equally important to monitor the activity of third parties throughout the relationship. Corrupt third parties frequently do not come with clearly questionable backgrounds at the diligence stage, so companies must regularly scan for indications of high-risk activity.
The most effective monitoring programmes combine a technological approach with a people- and culture-driven one. In terms of technology, data analytics focused on fraud and corruption risk (discussed in the next section) is becoming a standard weapon in the monitoring arsenal. Complementary to the use of analytics is the internal audit function, which uses the analytics-generated heat map of potential high-risk transactions and payees to conduct a more thorough fact-finding process.
Many companies also create a regular schedule to refresh the due diligence, where certain checks (for example, watch lists or media) are re-performed to capture any potential changes in reputation or status. That said, advances in data accessibility and diligence workflow tools are now sparking a rapid evolution from a periodic refresh diligence process to a continuous, real-time monitoring model.
Finally, the company must rely on active feedback loops from the field to help detect potential problems. Analytics and audits themselves are limited in their ability to get to the true nature of a third-party relationship, because they review historical documentation without the benefit of personal knowledge of the parties. An important part of risk monitoring is an active whistleblower hotline capability, open to both employees and vendors. Historically, whistleblower complaints have been a leading source of actionable information on compliance and fraud violations, since whistleblowers tend to be closer to the problem. Unfortunately, they can also be a vehicle for an axe grinder to undertake a corporate vendetta, so the company needs clearly established responsibilities and procedures for reviewing, prioritising and investigating these claims. On balance, most find that the benefits of an active ethics hotline outweigh the burden of maintaining it.
As was mentioned earlier, your 3PRM programme can look like ‘paper controls’ if you cannot document testing and results on a regular basis. In a global company, third-party issues should be considered inevitable, so it is wiser to anticipate those cases with robust recordkeeping practices. Countless investigations, internal and government-led, have been seriously hampered by an inability to reconstruct how a third party was introduced, approved and monitored. One should not expect to be given the benefit of the doubt when faced with this problem.
Documentation can be greatly facilitated by the creation of consistent archiving standards, designating what information is retained and where it is housed across the organisation. Wherever possible, companies should use standardised documents with limited opportunities for variation. Ideally, documents should migrate as much as possible to a virtual process facilitated by networked tools. Finally, with better documentation comes data security and privacy considerations that need to be taken into account by your legal function, as well as IT administrators.
Throughout this article, we have referred to the need to address the huge and complex effort required to administer a global 3PRM programme. Not surprisingly, the market has responded to this need with a number of IT tools designed for this purpose. While the subject is worthy of a paper of its own, we provide herein a high-level overview of the major categories of technology tools that are currently available.
The first category is data aggregation (ie, information sources that compile large amounts of disparate background data on entities and individuals into a usable, relevant summary). The capabilities of these tools are tied to the availability of electronic records. The earliest data aggregators were focused on the compilation of names from the multitude of watch lists issued by governments and multilateral organisations around the world.
Over time, data aggregators have been enhanced by the addition of public-domain media information on the target entities. Today, new platforms are going further and assembling data from harder-to-access national or regional sources around the world to offer a broader range of corporate and individual background information. The as-yet unreached ‘Holy Grail’ of these tools is a real-time, comprehensive dossier generator that provides all the information needed to make effective compliance decisions. However, as it stands, many of the data components of these aggregators, such as adverse media mentions, sanctions or shell company listings, can be selectively mined for near-continual sweeps against your third-party universe.
The second category addresses process workflow management. These online tools address the administrative burden of managing complex diligence programmes on a global scale. They provide a centralised mechanism for tracking the information generated at every phase of the third-party life cycle — selection and onboarding, engagement and monitoring, and termination. They also automate the standard operating procedures related to diligence, risk evaluation and approvals. The objective is to minimise process variation across markets and encourage transparency and individual accountability.
The three main participants in the 3PRM process each contribute to the system: the company, the third party and the information provider. The third party uploads self-reported background information, which is then cross-referenced against external information, while the company oversees the risk rating of the third party and the decisions based on the diligence results. The platform then serves as a documentation tool, a centralised archive that can be easily accessed whenever information is required related to the third party, the diligence process or the approvals.
As these workflow tools now move from product introduction into their next major iteration, a major common goal is cross-platform compatibility (ie, the ability for the 3PRM tool to share and move information between stakeholders across the business – for example, between procurement and compliance). A major complaint in the first generation of 3PRM platforms has been the siloed nature of the data and redundancy of processes where third-party information is collected and re-collected by multiple parties. The ultimate goal, articulated by many users, is a single, unified platform where all relevant third-party information, compliance and otherwise, is maintained in a single, one-stop ‘Third-Party Portal.’
The third category is data analytics. This is a process that uses a set of tools and techniques designed to detect risk in large pools of data. Data analytics has been developing the most quickly of all categories, due to its wide range of potential business applications. If you have been contacted by your bank regarding suspicious activity on your account, you have seen fraud detection analytics at work. Data analytics uses various combinations of hardware, software and customised algorithms to detect certain patterns (positive or negative) in data. The tools and techniques are deployed primarily for monitoring and reporting (in this context fraud and corruption risk monitoring), since they rely on large quantities of historical activity to generate meaningful results.
In the 3PRM context, data analytics has normally meant analysis of third-party payment history, as well as overlays of vendor and employee identifying information, to pinpoint third parties exhibiting high-risk patterns. Today’s data analytics models are adding new detection techniques, such as unstructured data (eg, communications) review and predictive behaviour analysis, to better anticipate future risks.
Where is this all heading? As with most technologies, you can expect these three parallel 3PRM categories to move toward convergence. Companies need to continue to streamline the number of individual systems and processes related to 3PRM, so the target is increasingly a ‘super portal’ of third-party information, linked to the company ERP system, which contains multi-sourced diligence data, workflow tracking and continuous monitoring dashboards. Those ultimately responsible for third-party risk are seeking a one-stop shop for relevant information.
The prudent way to view this relationship is to consider 3PRM technology as an enabler, not the end game. The deployment strategy for these tools should consider them an extension of, rather than a replacement for, an informed 3PRM function and front-line business. The tools allow skilled staff to cover an ever broader range of third parties in a more automated manner. But for the immediate future, your programme’s success will still hinge on the judgement of that person at a desk.
This article has recommended a systematic approach to third-party risk management that moves companies from a fragmented, improvised process to a unified programme. This is not to understate the challenge of such a transition. Even those furthest along in this process see it as a long-term, incremental effort that is constantly evolving. In actuality, there is no end state but rather a continuous process of assessing changing third-party risk and adjusting methods to address it. That said, the principles, approaches and tools discussed above should provide some guidance in making these choices as effectively as possible.