Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Ralph Lauren, Morgan Stanley, Deferred Prosecution Agreements, Non-Prosecution Agreements – new guidance regarding third party risk from both the U.S. Department of Justice and U.K. Ministry of Justice is providing an outline for internal program structure to achieve regulatory relief when corruption is discovered.

In this webinar, we discuss the minimum threshold suggested by global regulators and how to align your program to meet it. We also look at why companies in many industries should explore further the risk exposure from often-ignored indirect third parties.

Finally, we touch on how to ease the burden by applying proportionate effort and budget to third-party risk remediation. New automation techniques allow for seamless process integration for the onboarding of third parties, their ongoing management, compliance data acquisition, risk assessments, and the execution of due diligence activities and reports.

Randy Stephens, JD, CCEP, is vice president of the Ethical Leadership Group, a lawyer and compliance specialist who has worked in roles with legal and compliance responsibility for over 30 years, including operations in Mexico, China and Canada. Randy has significant in-house experience leading compliance programs and working for some of the largest and most diverse public and private corporations in the United States, e.g. Home Depot, Family Dollar and US Foods.

Michael Vermillion has more than 25 years of experience successfully facilitating c-level implementation engagements across several industry groups for clients including Dun & Bradstreet, Procter & Gamble, Eli Lilly, RR Donnelley, Georgia Pacific, EDS, BellSouth, SPX and Deutsche Bank. He works closely with senior executives and boards of directors at Fortune 1000 companies to design, build, integrate and implement enterprise-wide Third Party Risk Solutions, and – using that expertise – spearheads NAVEX Global’s Third Party Risk Management Solution creation and implementation.

  1. Presented by Randy Stephens, JD, CCEP, & Mike Vermillion. Third Party Risk Management: Obtaining Regulatory Relief
  2. Agenda
     • The current 3P regulatory environment
     • Regulatory minimums for 3P programs
     • Considerations for automation
     • NAVEX Global approach
     • Benefits of automating third party risk management
  3. The Use of Third Parties by Business is Increasing…
     • Economic conditions: company cutbacks; cost of third parties versus internal development
     • Productivity: flexibility of workforce
     • Globalization: companies need representatives all over the world
     • Specialization: lobbying, reselling, distribution
     • Limitation of liability (false sense of security)
  4. …So Are Third Party Enforcement Actions
     • Contractor / labor issue
     • Supplier / labor issue
     • Vendor / data privacy issue
     • Contractor / data privacy issue
     • Consultant / privacy issue
     • Contractor / data privacy issue
     • Agent / FCPA issue (Top Ten: $800M)
     • JV & agent / FCPA issue (Top 10: $365M)
     • Advisor / FCPA issue (Top 10: $400M)
     • Agent / FCPA issue (Top 10: $32.3M)
     • Agent / FCPA issue (Top 10: $185M)
     • Agent / FCPA issue (Top 10: $338M)
  5. Risks Associated with Working with Third Parties
  6. Why is This a Risk?
     • Third parties represent your company: they may have little or no loyalty to your company, and you have less control over their actions
     • Do you even know all of the third parties you use? What do you know about them?
     • International laws and guidance hold you accountable: U.S. Foreign Corrupt Practices Act (FCPA); UK Bribery Act ("Adequate Procedures")
  7. FCPA Guidance (November 2012): "…Risk based due diligence is particularly important with third parties and will also be considered by the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in assessing the effectiveness of a company's compliance program. Although the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationships with the third-party, some guiding principles always apply." (Resource Guide to the U.S. FCPA, p. 60)
  8. What are the Minimum Elements of a Third-Party Compliance Program?
  9. FCPA Minimums, 1: Companies should understand the qualifications and associations of their third party partners. The degree of scrutiny should increase as red flags surface.
  10. FCPA Minimums, 2: Companies should have an understanding of the business rationale for including the third party in the transaction.
     • Contract terms related to services to be performed
     • Payment terms: typical?
     • Timing of the third party's introduction
     • Confirm that work is actually being performed in accordance with the contract
  11. FCPA Minimums, 3: Companies should undertake some form of ongoing monitoring of third-party relationships.
     • Updating due diligence periodically
     • Exercising audit rights
     • Providing periodic training
     • Requesting annual compliance certifications
     • Have a response plan in the event of a red flag or issue (e.g. Apple/Foxconn): protect your company's reputation; investigate; terminate?
  12. FCPA Minimums, 4: Inform third parties about your compliance program and commitment to ethical and lawful business practices, and seek assurances of reciprocal commitments.
     • Training on Code of Conduct
     • Training of appropriate third-party employees
     • Third Party Codes of Conduct
  13. Global 3P Corruption Case Studies: Eli Lilly and Company; Oracle
  14. What to Consider When Automating the 3P Risk Management Process
     • Scope of third parties
     • Types of risk to manage
     • What can and can't be automated
     • Focus
     • Design factors
  15. Start with a Standard Process
     • 1. Identify/Prioritize: identify your universe of relationships and prioritize by risk.
     • 2. Risk Assessment: conduct due diligence on a risk-adjusted basis; uncover and assess risks.
     • 3. Risk Mitigation and Action Steps: take steps to mitigate risk that was uncovered.
     • 4. Ongoing Monitoring: continuous monitoring and periodic re-screening to identify risk events, keep information current, and ensure policy compliance is in force.
  17. Identify Types of Third Party Risk to Manage
     • Identity: who are they? Who are they owned by?
     • Reputation: adverse media? Sanctions lists?
     • Conflicts: government ownership? Government office?
     • Compliance: policies & training? Track record?
  18. Automate Routine Tasks: notifications; questionnaire administration; document collection; research and analysis; risk assessment; report writing; monitoring
  19. Automate Program Administration: deploy a standard process; centralize data store; control user permissions and access; risk mitigation follow-up; schedule rescreening; program reporting and analytics; audit compliance and support
  20. What Can't Be Automated (yet): business rules design; complex resolution; advising internal business partners; on-the-ground investigations
  21. Primary Focus: Risk Event Management
     • Onboarding new relationships
     • Screening existing relationships
     • Alerts: change of control; new adverse media; change in sanctions list presence
  22. Secondary Focus: Program Management: update third party information; annual certification/attestation; document updates
  23. Design Factors: fast deployment; flexible (support multiple business units, geographies, processes); easy to use; integrate with other business processes; budget friendly
  24. NAVEX Global Third Party Risk: designed specifically for third party risk; incorporates best practices; covers entire risk universe within budget; easy to deploy; flexible to meet program requirements
  25. Standard, Globally Deployable SaaS Platform
  26. Due diligence requests are made online. Report type selection determines the type of due diligence process.
  27. Third Party Risk Due Diligence Levels: Level One, Level Two, Level Three, Level Four (Enhanced DD). Chart axes: risk versus due diligence.
  28. Third Parties are automatically notified
  29. Third Parties Complete a Questionnaire and Submit Documents Online
  30. Additional Data is Automatically Collected from External Databases: NAVEX 3P Platform; Credit Bureau Database; Adverse Media Database
  31. Same reputation screening process as top banks: thousands of global media sources; hundreds of global sanctions/watch lists; analyst review; ongoing monitoring
  32. Data is Automatically Analyzed
  33. Risk is Assessed Based on Business Rules: we calculate an overall risk assessment based on a weighted average of the risk categories
  34. Reports are automatically generated
  35. The Reports are Stored and Retrieved Online
  36. Users can sort, filter and export lists for review and reporting: click on a column header to sort; filter options; export as CSV or XLS
  37. Users can download reports or view them online: click on the report status to download or view the report online
  38. The Third Parties tab provides a list of relationships
  39. Each Third Party has a detail page with a history of requests and reports
  40. Third party records can be created without ordering a report
  41. Monitoring and Follow-Up
     • We monitor every third party for: addition to global watch lists, sanctions lists, internal debarment lists; new adverse media; material changes in financial condition
     • Alerts are screened by an analyst to minimize false positive results
     • Notifications, along with supporting source documentation, are delivered by our analysts via email
  42. Services: Pre-Screening
     • We batch screen existing relationships: global watch lists, sanctions lists, internal debarment lists; adverse media; PEP lists
     • Provided as a service
     • Third party names are loaded into the platform
     • Does not include a report
  43. Benefits of Third Party Risk Automation
     • Eliminates paperwork and moves your process "out of email"; everything is in one place
     • Integrate with existing processes
     • Standardizes ethics and compliance practices across business units and geographies
     • Establishes a permanent audit trail of all activity
     • On-demand snapshot of all activity and status: view by region, category, risk rating, status or date
     • Automated data collection, analysis and report generation
     • Scalable by third party type, size and geography
     • Data and analysis are both insightful and actionable
  44. Ethics & Compliance Platform: Ad-Hoc Reporting; Disclosures; Third Party Risk Mgmt.; Anti-retaliation; Policy Management; Case Management; Expanded Intake; Employee Awareness; Online Training; Hotline; Future Application; Advanced Analytics; Advisory Services; Professional Services; Access Portal
  45. Thank You