Third-party risk dominates the anti-corruption compliance landscape. And for good reason – companies do not exercise significant control over their third parties, at least in comparison to company employees. I know this is obvious but from a theoretical standpoint a company has greater legal authority over the conduct of its employees in contrast to its third parties.
Relying on third parties is a two-edged sword. For companies expanding into emerging markets, employing third parties (e.g. agents and distributors) reduces the overall initial investment needed to expand into and test a new market before committing to local infrastructure and employees. It is the proverbial toe-in-the-water approach to business expansion.
On the other hand, relying on third parties also brings with it greater risks for bribery and other improper conduct. That is where risk management has to come into play – at the initial due diligence, continuing with ongoing monitoring and robust audit procedures.
For most global companies, third-party risk management has to include two basic and significant elements – I call them the two As – automation and audits.
If your company has more than a minimal presence in international markets, chief compliance officers have to ensure that their third-party screening and due diligence systems are automated. There are plenty of solutions in the marketplace, and they are relatively affordable considering the impact of third-party misconduct. Companies can no longer rely on outmoded paper systems or electronic files maintained on Microsoft SharePoint. Instead, companies have to embrace automated solutions as a basic requirement for third-party risk management.
Automation does not mean just a screening program run against an open-source intelligence database. Automation includes such screening, application of risk-ranking formulas, escalation of high-risk third parties for additional due diligence, and documentation of all actions taken with respect to each third party. Too many compliance officers have deluded themselves by describing their systems as automated based solely on a basic screening program – that is no longer tenable in today’s global economy and enforcement environment.
Automation addresses three significant requirements for managing third-party risks. First, an automated system is a consistent system, meaning that all third parties are subjected to the same screening and due diligence review. Second, an automated system retains the documents needed to prove the nature and extent of any due diligence conducted on a specific third party. Third, an automated system creates the audit trail that is critical for demonstrating a company’s third-party risk management system.
The second A for third-party risk management is auditing your third parties. Depending on the overall number and risk profiles of your third parties, companies have to devote more attention to monitoring their third parties and, more importantly, auditing them. A comprehensive audit will examine the amount of money spent with each third party (i.e. how much money passed through their hands), any changes in risk profile and business operations, and the ongoing nature of the company’s interactions with each third party.
A comprehensive or targeted audit should be included in every annual anti-corruption compliance plan. The audits have to be conducted based on risk and available resources, and should draw on a variety of tactics – on-site audits, remote audits, transaction testing for anomalies, and risk-based targeted reviews (e.g. by country, by type of third party, by scale of operation, by length of relationship).
If third-party risk is your company’s most significant risk – by ranking and relative to its other risks – the company has to commit to meaningful strategies to address it. Window dressing and paper-driven policies and procedures can no longer be justified or defended. More is needed, and companies have to act to mitigate this important risk area.