This document provides guidance for compliance officers on managing third-party risk. It discusses increasing regulations and enforcement, common third-party risks businesses face, challenges that keep compliance officers awake at night, and provides a five-step process for risk rating and conducting due diligence on third parties. It also discusses challenges with traditional disconnected approaches to third-party management and introduces a partnership between Control Risks and GAN Integrity that provides an automated platform and suite of tools to help compliance teams more efficiently manage third-party risk.

1. A Compliance
Officer’s Guide to
Third-Party
Risk Management

2. Table of contents
1. Foreword
2. Context:
increasingly demanding regulations
and aggressive enforcement
3. Risks:
concrete third-party risks that businesses face
4. Symptoms:
things that keep us awake at night
5. Guidance:
risk rating your third parties
6. Challenges:
disconnected approach to
third-party management
7. Solution:
Control Risks and GAN Integrity
vantage

3. Control Risks and GAN Integrity are
pleased to present A Compliance
Officer’s Guide to Third-Party
Risk Management. It has been
created for compliance professionals
who want to implement a risk based
approach to third-party due diligence.
The guide starts with an overview of the
regulatory environment, then touches on the
compliance issues keeping us awake at night. It
then focuses on risk rating third parties who are
critical to the success of your business.
Most organizations rely on laborious manual
processes, juggle multiple vendors and lack
sufficient local insight to mitigate risk. There’s
a better way. Read on to learn more.
1. Foreword
1 2
vantage

4. 2. Context:
increasingly
demanding
regulations
and aggressive
enforcement
3 4
vantage

5. Significant risks and increasingly demanding regulations
Reputational Risk
Modern Slavery
Trade Sanctions Tax Evasion PEP Risk
Environmental Risk Corruption
5 6
vantage

6. The global anti-corruption framework
Apply to you
01 Global reach
Global anti-corruption laws can apply to companies and individuals both
within and outside your jurisdiction.
Direct and indirect bribery applies
Companies need to take care in managing third-party
relationships. Most enforcement cases involve third parties.
Bribery and facilitation payments
Those who offer or pay bribes, financial or other, are in breach.
Facilitation payments also breach some regulations.
Aggressive enforcement
Large fines, imprisonment of directors.
Prevention is more cost effective and may be used as a defence.
Your
third parties
02
Know
your stuff
03
Prevention
is essential
04
7 8
vantage

7. Compliance
is critical,
not optional

8. 3. Risks:
concrete
third-party risks
that businesses
face
11 12
vantage

9. Production
Sourcing
Logistics and
cross borders
Joint venture
Distributors
Shops
Joint venture
Logistics
Environmental
risk
Sanctions
risk
Modern slavery
in supply chain
Reputational
risk
Corruption
An example: setting up operations for ACME corp
13 14
vantage

10. No business can
afford to be
caught napping

11. 4. Symptoms:
things that keep
us awake at night
17 18
vantage

12. Am I allowed to do
business with that
third party?
Am I confident that
this third party is in
good standing and will
not create a legal or
reputational liability?
Can I explain and
document my decision
if something bad
happens?
?
19 20
vantage

13. How can we
identify hidden
or unknown
compliance risks?

14. A risk based approach
to third-party due
diligence:
The method by
which compliance
professionals can
determine what level
of due diligence to
complete and how
much resource to
commit, based upon
the level of risk posed
by a third party.
Number
of
vendors
Risk rating
Low High
Risk tolerance
D
i
s
t
r
i
b
u
t
i
o
n
o
f
b
u
d
g
e
t
Screening only
How do we allocate appropriate compliance
resource for the number and variety of third
parties we work with?
23 24
vantage

15. 5. Guidance:
risk rating your
third parties
25 26
vantage

16. Risk rating:
develop a process to identify the risk rating
of every third party you do business with
Risk Rating
Third-Party
Profile
Exposure
Risk
27 28
vantage

17. With the
right strategy,
compliance
is a piece
of cake

18. Step 1
Screen all third parties:
can we do business with them?
31 32
vantage

19. Perform initial due diligence by screening all existing and
potential clients, agents and business partners. Check all
third parties against key risk categories such as:
Government, Regulatory,
Disciplinary Lists
400+ lists: global sanctions,
securities exchange actions,
fugitives, exclusions, fraud warnings,
debarment, disciplinary actions, law
enforcement etc.
Adverse Media and
Press Coverage
100K+ sources & 2.5B+ articles: daily
media scanning includes newspapers,
magazines, TV, radio, transcripts etc.
Politically Exposed Persons
Government officials, senior legislative
branch, military and judicial figures,
state-controlled businesses and
key executives, ambassadors
and top diplomatic officials, family,
associates and advisors, multi-national
organizations and associated leadership.
33 34
vantage
Enquire here

20. Step 2
Exposure Risk:
assess the initial risk of a relationship
35 36
vantage

21. Collect information from your business to determine the degree
of exposure
Country risk
(of services)
Role of
third party
Criticality of
contract/relationship
Transactional
red flags
Liaising with
government bodies
1
via an internal questionnaire
2 3 4 5
37 38
vantage

22. Step 3
Third-Party Profile:
if level of risk is sufficient, collect
information from the third party
39 40
vantage

23. Collect information to build a profile of the third party
via an external questionnaire
Country risk
(of company footprint)
Ownership
& governance
Political
exposure
Entity
type
Reputation
& standing
41 42
vantage

24. Step 4
Decide on risk rating and conduct
appropriate level of due diligence
43 44
vantage

25. Assessing third parties with high risk ratings
Level 3 Bespoke
Bespoke Bespoke
Bespoke
Bespoke
Investigative Investigative
Investigative
Level 3
Level 2
Level 2
Level 1
Level 3 Level 3
Level 3
Level 2
Level 3
Level 2 Level 3
Exposure Risk (contract value, criticality etc.)
Third-Party Profile
Risk (ownership,
entity type etc.)
Use a scoring system
to plot the exposure risk
against the third-party
profile risk, and work out
the appropriate level of
due diligence.
45 46
vantage
Enquire here
consulting
vantage

26. Step 5
Third-party
training
?
Additional
mitigation
= Yes
Apply the right next steps based on risk level
Step 3
External
questionnaire
Step 2
Internal
questionnaire
Step 4
Enhanced due
diligence
Step 1
Screening
Risk
Low High
?
Match
= Yes
?
Acceptable
exposure
= No
?
Risk
= Yes
Scrutiny
Low High
47 48
vantage
Enquire here

27. 6. Challenges:
disconnected
approach to
third-party
management
49 50
vantage

28. A disconnected approach
Email from the
business to
Compliance when
the third party
needs to be paid
Compliance asks
for more info,
performs database
screenings,
compiles a file
The file is saved
by Compliance in
a shared drive
Compliance issues
a recommendation
to business,
business decides
51 52
vantage

29. ““
Personal judgment
Key challenges faced by CCOs
Unstructured
record keeping
Opaque jurisdictions or
lack of public information
Scattered information that’s
difficult to compile/retrieve
Proportionality
Reactive behavior
Maintaining oversight
Lack of consistent
methodology
53 54
vantage

30. Digitize your
processes into
workflows
Evaluate the
level of risks
consistently
Ensure decisions
are made at the
right level
Monitoring
your third parties
over time
Allocate
resources to
the risks
Automating your risk based approach can
solve these challenges and bring improvements:
55 56
vantage

31. With the
right solution,
compliance is
a competitive
advantage

32. The platform
59 60
vantage
Enquire here

33. ““
Enabling CCOs
Efficient and scalable
solutions
Immediate oversight
Objective decision making
Centralized database
Immediate retrieval
of information
Resources
strategically allocated
Methodology documented
& consistent
Record keeping structured
61 62
vantage

34. 7. Solution:
Control Risks
and GAN Integrity
63 64
vantage

35. A strategic partnership
to help compliance teams across the
globe manage third-party risk
65 66
vantage
vantage

36. The VANTAGE Suite
Third parties are critical to your business. They can also be the single greatest source of risk
exposure. Most organizations rely on laborious manual processes, juggle multiple vendors,
and lack sufficient local insight to mitigate risk. There’s a better way. Discover VANTAGE:
67 68
vantage
The product range
Effective third-party screening
using the industry’s largest
risk intelligence databases
platform
vantage diligence
vantage
screening
vantage consulting
vantage
Automated workflow solution to
manage third-party relationships
Standardised third-party due
diligence reports, compiled by
in-country experts
Professional third-party risk
management consulting,
delivered by experienced experts

37. To find out more about our joint offering, please visit:
www.discover-vantage.com