Vendor Due Diligence- What You Don’t Know about Third Party Risk Can Hurt You!

Third party risk is an emerging trend across the supply chain, legal and ethics and compliance fields. Organizations are being held responsible for the actions of their third parties and processes, and record keeping must be put in place to protect against undue risk.

Veteran third-party risk experts Mike Vermillion and Randy Stephens explore trends around managing risk in the supply chain, what companies are doing correctly, where there are areas for improvement and how to manage effectively against these risks in the coming years.

They discuss:
The Compliance Landscape for Third Party and Agent Liability: FCPA, UK Bribery Act, OECD standards and recent cases of note.

The Four-Step Approach to the Risk Assessment Process and Adequate Procedures:
Identify and prioritize
Due diligence
Mitigating risks; and
Developing and implementing an ongoing process for onboarding, monitoring and training.

The Solution: Building, refining and automating the feedback loop and recordkeeping.

Presented by:
Randy Stephens, Vice President, Ethical Leadership Group,
Mike Vermillion, Senior Director, Third Party Risk Management Solutions

Vendor Due Diligence- What You Don’t Know about Third Party Risk Can Hurt You! Presentation Transcript

  • 1. March 2013. The Use of Third Parties – What You Don't Know CAN Hurt You
  • 2. What We Are Going to Cover
    - Who are Third Parties?
    - Why is this a Risk?
    - Best Practices for Managing Third-Party Risks
    - Due diligence
    - Implementation
    - Automation
  • 3. Business Complexity and Third Party Relationships
  • 4. 3rd Party Risk: A Complex Network of Relationships (Source: Compliance and Ethics Leadership Council)
    Diagram: YOUR CORPORATION at the centre, linked to suppliers in emerging markets, temporary employees, subcontractors, int'l intermediaries, domestic agencies, offshore service providers, data vendors, foreign distributors, dealers/resellers, lobbyists, auditors, int'l joint ventures, partnerships, suppliers' suppliers, contractors, vendors, distributors, consultants, joint ventures, suppliers and agents.
    A High Level of Complexity: Corporations need to manage divergent legal relationships across a multitude of partners, and struggle to gain visibility into often-hidden risks.
  • 5. The Use of Third Parties by Business is Increasing…
    - Economic conditions
    - Company cutbacks
    - Cost of third parties versus internal development
    - Productivity
    - Flexibility of workforce
    - Globalization: companies need representatives all over the world
    - Specialization: lobbying, reselling, distribution
    - Limitation of Liability (false sense of security)
  • 6. …So Are Third Party Enforcement Actions
    - Contractor/Labor Issue
    - Supplier/Labor Issue
    - Vendor/Data Privacy Issue
    - Contractor/Data Privacy Issue
    - Consultant/Privacy Issue
    - Contractor/Data Privacy Issue
    - Agent/FCPA Issue (Top Ten: $800M)
    - JV & Agent/FCPA Issue (Top 10: $365M)
    - Advisor/FCPA Issue (Top 10: $400M)
    - Agent/FCPA Issue (Top 10: $32.3M)
    - Agent/FCPA Issue (Top 10: $185M)
    - Agent/FCPA Issue (Top 10: $338M)
  • 7. Risks Associated with Working with Third Parties
  • 8. Why is This a Risk?
    - Third parties represent your company
      - They may have little or no loyalty to your company
      - You have less control over the actions of third parties
    - Do you even know all of the third parties you use?
    - What do you know about them?
    - International laws and guidance hold you accountable
      - FCPA Guidance (November 2012)
      - Risk-based due diligence
      - Understand the business rationale for using third parties
      - Undertake some form of monitoring and auditing of third parties
      - UK Bribery Act
      - "Adequate Procedures"
  • 9. Global Anti-Corruption Case Studies
  • 10. Best Practices for Managing Third Party Risk
  • 11. Elements of an Effective Anti-Corruption Program
    - Risk Assessment
    - Commitment
    - Policies, Procedures, Internal Controls
    - Communication and Training
    - Compliance Infrastructure
    - Disciplinary Guidelines
    - Third Party Accountability
    - Monitoring and Auditing
    - Review and Testing
  • 12. Third Party Compliance Best Practices
    - Embed language in contractual terms specific to legal, regulatory, financial and reputational compliance
    - Implement a Third-Party Policy and Third-Party Code of Conduct
    - Identify and perform risk-adjusted Due Diligence on all business relationships
    - Educate and train your third parties on relevant laws and regulations
    - Require that third parties certify compliance with all laws and regulations that govern their business
    - Provide an anonymous avenue for third parties to report potential violations of laws and regulations
    - Document, Document, Document!
    - Automate what you can
  • 13. Third Party Due Diligence
  • 14. Best Practice Approach to Third Party Due Diligence
    1. Pre-Screen: Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.
    2. Risk Assessment: Best-in-class screening process that provides a comprehensive view into complete enterprise risk—financial, regulatory, reputational, and governance.
    3. Risk Mitigation and Action Steps: Dictates mitigation activities that must be taken by both the third party and you.
    4. Ongoing Monitoring: Periodic re-screening process that identifies change in enterprise risk, ensures information is kept current, and continued compliance to client policies.
    Diagram: 1. Pre-Screen → 2. Assess → 3. Mitigate → 4. Monitor
  • 15. Risk Prioritization (1. Pre-Screen)
    - Evaluate potential risk across all business relationships
    - Size isn't necessarily the best indicator of risk
    - Other risk drivers
      - geography
      - type of product or service
      - length of relationship
  • 16. Identity Risk (2. Assess)
    - Are they who they say they are?
    - Do names and geographies match?
    - Established track record?
    - Years in business?
    - Corporate affiliations?
  • 17. Reputation Risk (2. Assess)
    - Adverse media sources
      - Newspapers & magazines
      - Transcripts
      - Trade publications
      - Academic literature
    - Multiple languages
    - Cross-referenced with appropriate keywords
    - Process to minimize false positives
  • 18. Sanctions and Watch Lists (2. Assess)
    ~400 watch lists and sanctions lists worldwide, including: FATF Financial Action Task Force; Bank of England Consolidated List; HM Treasury Investment Ban List; HM Treasury Sanctions; Hong Kong Monetary Authority; HUD LDP; Interpol Most Wanted; Exclusions; OSFI Consolidated List; OSFI Country; Offshore Financial Centers; People's Bank of China (PBC); Primary Money Laundering Concern; Primary Money Laundering Concern Jurisdictions; Reserve Bank of Australia; Terrorist Exclusion List; UK FSA; UN Consolidated List; Unauthorized Banks; World Bank Ineligible Firms; Ireland Financial Regulator Unauthorized Firms; Japan FSA; Japan METI-WMD Proliferators; Japan MOF Sanctions; Monetary Authority of Singapore; Nonproliferation Sanctions; OFAC Non-SDN Entities; OFAC Sanctions; OFAC SDN; OIG; Australia Dept. of Foreign Affairs and Trade; Bureau of Industry and Security; Chiefs of State and Foreign Cabinet Members; Commodity Futures Trading Commission Sanctions; DTC Debarred Parties; EU Consolidated List; EPLS; FBI Hijack Suspects; FBI Most Wanted; FBI Most Wanted Terrorists; FBI Seeking Information; FBI Top Ten Most Wanted.
  • 19. Conflicts of Interest Risk (2. Assess)
    - Government ownership
    - Do officers/directors hold government positions?
    - Are officers/directors former employees?
    - PEP list screen
  • 20. Compliance Risk (2. Assess)
    - Is there a commitment to ethics at the top?
    - Are policies in place?
    - Do they conduct training?
    - Any record of fines or violations?
  • 21. Financial Risk (2. Assess)
    - Cash flow
    - Balance sheet - leverage
    - Bankruptcy track record
    - Contract as % of revenue
  • 22. Enhanced Due Diligence (2. Assess)
    - Local language screen
    - Public records check
    - Civil and criminal litigation
    - On-site business verification
      - Photos
      - In-person interviews
      - Document collection
  • 23. Risk Assessment and Mitigation (3. Mitigate)
    - How will you assess risk?
    - What constitutes a yellow flag? A red flag?
    - Who owns risk mitigation?
    - How will risks be resolved?
    - Monitoring and follow-up considerations
  • 24. Monitoring and Re-Screening (4. Monitor)
    - Monitor for new adverse media and sanctions lists/watch lists presence
    - Can also monitor for material changes in financial condition
    - What is the process to resolve an alert?
    - Risk-based approach to re-screening
  • 25. Implementation
  • 26. Keys to a Successful Implementation
    - Sponsorship
    - Cross-functional team
    - Appropriate resources
    - Phased deployment
    - Communication
      - Business partners
      - Third parties
  • 27. Third Party Risk Management Deployment Options
    By Function/Office: Chief compliance officer; Chief risk officer; Procurement; Corporate security; Controller; CFO; General counsel; Chief revenue officer
    By Business Process:
      - Ethics and Compliance: anti-bribery and anti-corruption program; industry/company specific programs
      - Enterprise Risk: GRC program
      - Sourcing: new vendor onboarding; existing vendor monitoring; vendor policy compliance; code of conduct compliance
      - Sales agent management: new agent onboarding; existing agent monitoring; agent training; agent policy compliance
      - Corporate Security: anti-fraud program; reputation integrity program
      - Audit and Board Reporting: ethics and compliance audit
      - Financial risk management: supply chain planning
      - Contracting: RFP process; contracting due diligence
    By Risk Type: Compliance risk; Financial risk; Reputation risk; Operational risk; Corporate Social Responsibility risk; Sourcing risk
  • 28. Consider Automating Routine Tasks to Free Up Staff
    - Notifications
    - Questionnaire administration
    - Research and analysis
    - Risk assessment
    - Report writing
    - Tracking
    - Reporting and audit compliance
  • 29. Automation Considerations
    - Easy to deploy; low IT involvement
    - Integration with other systems
    - Data agnostic
    - Due diligence flexibility
    - Risk assessment optimization
    - Workflow capabilities
    - Interoperability with other compliance tools
    - Future functionality roadmap
  • 30. Questions…
  • 31. Thank You
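The watch-list screening (slide 18), the geography cross-check (slide 16), the false-positive process (slide 17) and the risk-based re-screening cadence (slide 24) are described in the deck but not shown. The following is an added example written for this page; it is not code from the presenters or their product. The watch-list entries, vendors, legal-suffix table, similarity thresholds and re-screen intervals are all constructed assumptions chosen to illustrate the mechanics, not values from the deck.

```python
"""Added example: screen constructed vendor names against a constructed watch list.

Shows the Assess and Monitor stages of the four-step approach: normalise the
legal name, fuzzy-match it against list entries, use geography to downgrade
likely false positives to analyst review, and pick a re-screen interval from
the resulting risk tier. Every data value here is constructed sample data.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import re
import unicodedata

# Legal-form suffixes that add noise to name matching. Assumption: a small
# illustrative set; production screening engines carry far longer tables.
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "gmbh", "sa", "plc", "co", "corp",
                  "limited", "corporation"}


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and punctuation, drop legal-form suffixes."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    kept = [t for t in tokens if t not in LEGAL_SUFFIXES]
    return " ".join(kept or tokens)  # keep tokens if the name was only suffixes


def name_similarity(a: str, b: str) -> float:
    """Similarity in [0, 1] between two normalised names."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


@dataclass(frozen=True)
class WatchListEntry:
    name: str
    country: str   # country code of the listed party
    source: str    # which watch list the entry came from


@dataclass(frozen=True)
class Vendor:
    name: str
    country: str
    contract_share: float  # your contract as % of the vendor's revenue (slide 21)


@dataclass(frozen=True)
class Hit:
    vendor: str
    entry: WatchListEntry
    score: float
    flag: str  # "red" or "yellow"


# Constructed sample watch list; these are not real listed parties.
SAMPLE_WATCH_LIST = [
    WatchListEntry("Example Trading Partners Ltd", "XX", "constructed-list-A"),
    WatchListEntry("Acme Consulting Group", "YY", "constructed-list-B"),
]


def screen_vendor(vendor: Vendor, watch_list, red: float = 0.90, yellow: float = 0.75):
    """Return every list entry whose name is similar enough to need attention.

    Thresholds are assumptions. A strong name match whose geography does not
    match the vendor's is downgraded to a yellow flag for analyst review
    instead of being auto-escalated (slide 16: do names and geographies match?).
    """
    hits = []
    for entry in watch_list:
        score = name_similarity(vendor.name, entry.name)
        if score < yellow:
            continue
        flag = "red" if score >= red and vendor.country == entry.country else "yellow"
        hits.append(Hit(vendor.name, entry, round(score, 3), flag))
    return hits


def rescreen_interval_days(vendor: Vendor, hits, high_risk_countries) -> int:
    """Risk-based re-screening cadence (slide 24). Intervals are assumptions.

    0 means an unresolved red flag: resolve the alert before scheduling.
    """
    if any(h.flag == "red" for h in hits):
        return 0
    if vendor.country in high_risk_countries or any(h.flag == "yellow" for h in hits):
        return 30
    if vendor.contract_share >= 25.0:  # heavy dependence on us is a financial-risk driver
        return 90
    return 365


if __name__ == "__main__":
    vendors = [
        Vendor("Example Trading Partners, Inc.", "XX", 5.0),
        Vendor("ACME Consulting Grp LLC", "ZZ", 10.0),
        Vendor("Northwind Logistics GmbH", "DE", 30.0),
    ]
    for v in vendors:
        hits = screen_vendor(v, SAMPLE_WATCH_LIST)
        days = rescreen_interval_days(v, hits, high_risk_countries={"XX"})
        print(v.name, [(h.entry.source, h.score, h.flag) for h in hits], "re-screen in", days, "days")
```

The geography check is what turns a name-only hit into something an analyst can triage: an exact name match in the listed party's own country is escalated, while the same name in an unrelated jurisdiction is queued for review. The interval function ties the Monitor stage back to the risk drivers named on slides 15 and 21, so re-screening effort goes where the risk is rather than on a flat calendar.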