NAVEX provides a comprehensive suite of compliance solutions, including policy management solutions, training solutions, hotline and incident management resources, third party risk applications and advisory services.
This is a major differentiator for NAVEX Global. We are not just a training vendor; we are a trusted partner with the resources and capabilities to support the entirety of your compliance program. Today we are going to focus on your training program, but I would welcome the opportunity to discuss any of these other solutions with you when appropriate.
Nonetheless, all of these are relevant to today's discussion on training, because each gives us insight into the challenges facing our clients and so helps us produce the very best training.
For example, we work with companies every day on developing and defining policies and Codes of Conduct, which helps us keep tabs on emerging risks.
As the world’s largest third-party ethics hotline provider, we have unique insights into the issues your employees are identifying as problems.
And our advisory services teams work every day on benchmarking and needs analysis, helping us understand where the gaps in knowledge are.
Also included in our solutions are our award-winning client support, implementation and professional services.
Note that cyber security appears near the top.
Respondents indicated that, over the last two years, non-compliance with laws and regulations, often a top concern among compliance and legal officers, has ranked below the program's role in protecting the organization from harm. Cyber security is a top concern in several key industries, including finance and healthcare. This is not surprising given the high number of recent cyber security breaches and the impact they have had in these industries.
Understanding the objectives of your third party risk management program is a critical first step in deciding where to focus your resources and efforts. Almost all programs will have multiple objectives, but only so much can be accomplished, so prioritizing objectives helps inform next steps.
To accomplish these top objectives, every organization that uses third parties should have a clear, written policy on the use of third parties and the business conduct expected of them. This policy, along with the controls designed to inform third parties of what is expected of them, should be shared within the organization and with the third parties themselves.
Comparing the 2015 and 2016 results shows a somewhat surprising move of conflicts of interest into the top concern, slightly overtaking the perennial front runner, bribery and corruption. This may reflect the risk assessments made by the 2016 respondents, or a maturing of third party programs to the point where they are beginning to address newer, more troublesome concerns that are not as readily solved.
Complexity, training and information management continue to be challenges, while a lack of resources and processes continues to frustrate efforts to reduce them. As in 2015, only around one-third of survey respondents report responding to these challenges with additional resources.
The top two approaches to third party due diligence are a risk-based approach (47%) and evaluating third parties before engaging with them (43%). Close to one-third (31%) of organizations conduct due diligence only after an issue arises, while 13% rarely conduct and 4% do not conduct due diligence at all.
While the relative ranking of these approaches has stayed the same, it is noteworthy that fewer organizations are assessing all third parties before engagement or employing a risk-based approach.
More respondents rate their programs as complying with laws and regulations than as screening third parties well, and very few rate their programs as monitoring third parties adequately. In other words, while companies may feel they are complying, they are not confident that they are actually covering their bases.
Organizations discover "red flags" and other potentially negative third party information through multiple channels. The most common is internal due diligence monitoring (55%).
Programs are most likely to have identified red flags through internal due diligence monitoring (71%), a third party due diligence provider's report (36%), or during a re-assessment or renewal of an agreement while considering an expansion of the relationship (33%).
The percentage of programs that evaluate third parties before they are engaged decreased significantly (35%) from 2015. This means more programs may be taking on risk by evaluating third parties only after they have already been engaged and liability may already have attached. Also concerning is the increase in the percentage of programs in which no due diligence is conducted (13%). This is not what a risk-based evaluation is intended to produce.
The largest group of respondents do not use any form of automated system to manage any element of their programs. This may be manageable with a very small number of third parties that are primarily domestically based or, in some cases, have long tenures with the organization.
Attempting this with internal resources alone, such as Google-type searches or questionnaires, risks missing critical issues or red flags. Performing these searches manually is difficult enough; operationalizing them for continuous alert monitoring is nearly impossible.
Some respondents in this category recognize the value of automation, but told NAVEX Global that they have resisted moving to an automated system because of concerns about cost, or because ownership of the program is siloed and there is no strong champion for program advancement. The findings on ROI and effectiveness ratings that follow may give these respondents ammunition for reconsidering automation.
Reactive: We address issues as they arise, but do not have a formal program in place.
Basic: We do initial screening of some high-risk or key third parties at the start of our engagement, but do not look into their own partnerships or continuously monitor third party engagements. We are adopting a set of processes and capabilities.
Maturing: We do initial screening of all of our third parties at the start of our engagements with them but do not monitor them beyond those initial screenings; OR we screen the majority of our third parties and maintain a structured monitoring program for them (once a year, once every two years). We are operationalizing our third party program.
Advanced: We screen and continuously monitor all of our third parties. We use an automated system to help manage these processes, and we measure performance to allow us to continuously optimize our program. We conduct enhanced levels of due diligence for higher risk third parties. Our third party systems integrate with other operational systems (such as Finance, Procurement, Legal, etc.).
Organizations with Maturing / Advanced programs are much more likely to use automated systems than those with Reactive / Basic programs.
While not surprising, this link between program maturity and automation is a trend we expect to see strengthen in coming years, especially as organizations expand their third party engagements and legal and regulatory risks increase.
Automation is almost a given for effectively managing the thousands or tens of thousands of third parties headquartered and deployed around the globe: ensuring risk-based due diligence, obtaining and tracking certifications, managing documentation, and carrying out the continuous monitoring recommended by The Resource Guide and others.
More importantly, automation identifies the right red flags: fewer false positives, and more accurate, consistent and centralized reporting.
Here are some additional resources from NAVEX Global. If you download the slides, these links will be live and you can click through to the resources. If you hover over the icons in your console below, you will also find links to some of these resources.