Vendor Due Diligence- What You Don’t Know about Third Party Risk Can Hurt You!



Third-party risk is an emerging concern across the supply chain, legal, and ethics and compliance fields. Organizations are being held responsible for the actions of their third parties, so processes and record keeping must be put in place to protect against undue risk.

Veteran third-party risk experts Mike Vermillion and Randy Stephens explore trends around managing risk in the supply chain, what companies are doing correctly, where there are areas for improvement and how to manage effectively against these risks in the coming years.

They discuss:
  • The Compliance Landscape for Third Party and Agent Liability: FCPA, UK Bribery Act, OECD standards and recent cases of note.
  • The Four-Step Approach to the Risk Assessment Process and Adequate Procedures:
    1. Identify and prioritize;
    2. Due diligence;
    3. Mitigating risks; and
    4. Developing and implementing an ongoing process for onboarding, monitoring and training.
  • The Solution: Building, refining and automating the feedback loop and recordkeeping.

Presented by:
  • Randy Stephens, Vice President, Ethical Leadership Group
  • Mike Vermillion, Senior Director, Third Party Risk Management Solutions

Vendor Due Diligence- What You Don’t Know about Third Party Risk Can Hurt You!

  1. March 2013. The Use of Third Parties – What You Don't Know CAN Hurt You
  2. What We Are Going to Cover
     • Who are third parties?
     • Why is this a risk?
     • Best practices for managing third-party risks
     • Due diligence
     • Implementation
     • Automation
  3. Business Complexity and Third Party Relationships
  5. The Use of Third Parties by Business is Increasing…
     • Economic conditions
     • Company cutbacks
     • Cost of third parties versus internal development
     • Productivity
     • Flexibility of workforce
     • Globalization
       o Companies need representatives all over the world
     • Specialization
       o Lobbying
       o Reselling
       o Distribution
     • Limitation of liability (false sense of security)
  6. …So Are Third Party Enforcement Actions
     • Contractor / Labor issue
     • Supplier / Labor issue
     • Vendor / Data privacy issue
     • Contractor / Data privacy issue
     • Consultant / Privacy issue
     • Contractor / Data privacy issue
     • Agent / FCPA issue – Top Ten: $800M
     • JV & Agent / FCPA issue – Top 10: $365M
     • Advisor / FCPA issue – Top 10: $400M
     • Agent / FCPA issue – Top 10: $32.3M
     • Agent / FCPA issue – Top 10: $185M
     • Agent / FCPA issue – Top 10: $338M
  7. Risks Associated with Working with Third Parties
  8. Why is This a Risk?
     • Third parties represent your company
       o They may have little or no loyalty to your company
       o You have less control over the actions of third parties
     • Do you even know all of the third parties you use? What do you know about them?
     • International laws and guidance hold you accountable
       o FCPA Guidance (November 2012)
       o Risk-based due diligence
       o Understand the business rationale for using third parties
       o Undertake some form of monitoring and auditing of third parties
       o UK Bribery Act
       o "Adequate Procedures"
  9. Global Anti-Corruption Case Studies
  10. Best Practices for Managing Third Party Risk
  11. Elements of an Effective Anti-Corruption Program
     • Risk Assessment
     • Commitment
     • Policies, Procedures, Internal Controls
     • Communication and Training
     • Compliance Infrastructure
     • Disciplinary Guidelines
     • Third Party Accountability
     • Monitoring and Auditing
     • Review and Testing
  12. Third Party Compliance Best Practices
     • Embed language in contractual terms specific to legal, regulatory, financial and reputational compliance
     • Implement a Third-Party Policy and Third-Party Code of Conduct
     • Identify and perform risk-adjusted due diligence on all business relationships
     • Educate and train your third parties on relevant laws and regulations
     • Require that third parties certify compliance with all laws and regulations that govern their business
     • Provide an anonymous avenue for third parties to report potential violations of laws and regulations
     • Document, Document, Document!
     • Automate what you can
  13. Third Party Due Diligence
  14. Best Practice Approach to Third Party Due Diligence
     • Step 1, Pre-Screen: Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.
     • Step 2, Risk Assessment: Best-in-class screening process that provides a comprehensive view into complete enterprise risk: financial, regulatory, reputational, and governance.
     • Step 3, Risk Mitigation and Action Steps: Dictates mitigation activities that must be taken by both the third party and you.
     • Step 4, Ongoing Monitoring: Periodic re-screening process that identifies change in enterprise risk, ensures information is kept current, and ensures continued compliance with client policies.
     (Diagram: 1. Pre-Screen → 2. Assess → 3. Mitigate → 4. Monitor)
  15. Risk Prioritization (Step 1: Pre-Screen)
     • Evaluate potential risk across all business relationships
     • Size isn't necessarily the best indicator of risk
     • Other risk drivers
       o Geography
       o Type of product or service
       o Length of relationship
  16. Identity Risk (Step 2: Assess)
     • Are they who they say they are?
     • Do names and geographies match?
     • Established track record?
     • Years in business?
     • Corporate affiliations?
  17. Reputation Risk (Step 2: Assess)
     • Adverse media sources
       o Newspapers & magazines
       o Transcripts
       o Trade publications
       o Academic literature
     • Multiple languages
     • Cross-referenced with appropriate keywords
     • Process to minimize false positives
  18. Sanctions and Watch Lists (Step 2: Assess) – ~400 watch lists and sanctions lists worldwide, including: FATF Financial Action Task Force; Bank of England Consolidated List; HM Treasury Investment Ban List; HM Treasury Sanctions; Hong Kong Monetary Authority; HUD LDP; Interpol Most Wanted; Exclusions; OSFI Consolidated List; OSFI Country; Offshore Financial Centers; People's Bank of China (PBC); Primary Money Laundering Concern; Primary Money Laundering Concern Jurisdictions; Reserve Bank of Australia; Terrorist Exclusion List; UK FSA; UN Consolidated List; Unauthorized Banks; World Bank Ineligible Firms; Ireland Financial Regulator Unauthorized Firms; Japan FSA; Japan METI-WMD Proliferators; Japan MOF Sanctions; Monetary Authority of Singapore; Nonproliferation Sanctions; OFAC Non-SDN Entities; OFAC Sanctions; OFAC SDN; OIG; Australia Dept. of Foreign Affairs and Trade; Bureau of Industry and Security; Chiefs of State and Foreign Cabinet Members; Commodity Futures Trading Commission Sanctions; DTC Debarred Parties; EU Consolidated List; EPLS; FBI Hijack Suspects; FBI Most Wanted; FBI Most Wanted Terrorists; FBI Seeking Information; FBI Top Ten Most Wanted
  19. Conflicts of Interest Risk (Step 2: Assess)
     • Government ownership
     • Do officers/directors hold government positions?
     • Are officers/directors former employees?
     • PEP list screen
  20. Compliance Risk (Step 2: Assess)
     • Is there a commitment to ethics at the top?
     • Are policies in place?
     • Do they conduct training?
     • Any record of fines or violations?
  21. Financial Risk (Step 2: Assess)
     • Cash flow
     • Balance sheet – leverage
     • Bankruptcy track record
     • Contract as % of revenue
  22. Enhanced Due Diligence (Step 2: Assess)
     • Local language screen
     • Public records check
     • Civil and criminal litigation
     • On-site business verification
       o Photos
       o In-person interviews
       o Document collection
  23. Risk Assessment and Mitigation (Step 3: Mitigate)
     • How will you assess risk?
     • What constitutes a yellow flag? A red flag?
     • Who owns risk mitigation?
     • How will risks be resolved?
     • Monitoring and follow-up considerations
  24. Monitoring and Re-Screening (Step 4: Monitor)
     • Monitor for new adverse media and sanctions lists/watch lists presence
     • Can also monitor for material changes in financial condition
     • What is the process to resolve an alert?
     • Risk-based approach to re-screening
  25. Implementation
  26. Keys to a Successful Implementation
     • Sponsorship
     • Cross-functional team
     • Appropriate resources
     • Phased deployment
     • Communication
       o Business partners
       o Third parties
  27. Third Party Risk Management Deployment Options
     • By Function/Office: Chief compliance officer; Chief risk officer; Procurement; Corporate security; Controller; CFO; General counsel; Chief revenue officer
     • By Business Process:
       o Ethics and Compliance: Anti-bribery and anti-corruption program; Industry/Company specific programs
       o Enterprise Risk: GRC program
       o Sourcing: New vendor onboarding; Existing vendor monitoring; Vendor policy compliance; Code of conduct compliance
       o Sales agent management: New agent onboarding; Existing agent monitoring; Agent training; Agent policy compliance
       o Corporate Security: Anti-fraud program; Reputation integrity program
       o Audit and Board Reporting: Ethics and compliance audit
       o Financial risk management: Supply chain planning
       o Contracting: RFP process; Contracting due diligence
     • By Risk Type: Compliance risk; Financial risk; Reputation risk; Operational risk; Corporate Social Responsibility risk; Sourcing risk
  28. Consider Automating Routine Tasks to Free Up Staff
     • Notifications
     • Questionnaire administration
     • Research and analysis
     • Risk assessment
     • Report writing
     • Tracking
     • Reporting and audit compliance
  29. Automation Considerations
     • Easy to deploy; low IT involvement
     • Integration with other systems
     • Data agnostic
     • Due diligence flexibility
     • Risk assessment optimization
     • Workflow capabilities
     • Interoperability with other compliance tools
     • Future functionality roadmap
  30. 30. Questions…
  31. 31. Thank You