Data-driven decision making is the name of the game when it comes to risk management, but understanding the pros and cons of implementing new strategies for data processing is vitally necessary to keep risk from mushrooming out.

Top-of-mind issues addressed at Compliance Week’s Third-Party Risk Management & Oversight Summit, held June 3-4 in Atlanta, included safe deployment of artificial intelligence (AI), assessing vendor viability and sustainability, understanding the role of procurement in risk ranking, the intersection (or lack thereof) between data privacy and cybersecurity, and many others.

Generative AI: TPRM’s new frontier

Quantifying how generative AI can help TPRM efficiency and effectiveness throughout the third-party lifecycle is a huge endeavor for many practitioners looking for ways to save lost time and resources. This is especially true when it comes to due diligence, said Qifei Zeng, risk intelligence manager at the London Stock Exchange Group (LSEG).

“Given the importance of due diligence in a defensible compliance program, if you’re thinking about outsourcing due diligence to an AI, it’s probably going to do more harm than good,” she said.

The same risk exists when outsourcing due diligence to a vendor who could be using AI as well, Zeng added, with many factors to consider.

“Can the AI differentiate different entities and individuals that have the same names?” she asked. “Many AI models in the due diligence space still require human intervention to avoid false positives.”

Zeng said the LSEG has implemented an AI model in its due diligence best practices, but with the caveat of it being a “human-centric and low-risk approach.” She said AI is used to summarize risk findings based off human analysis with wait times being cut from an hour to 10-15 minutes.

Another use case Zeng touched on was implementing AI in vendor and third-party questionnaires, which she said can help by pre-filling answers based off questionnaires and in the review and validation process by flagging discrepancies.

“Given the importance of due diligence in a defensible compliance program, if you’re thinking about outsourcing due diligence to an AI, it’s probably going to do more harm than good.”

– Qifei Zeng, Risk Intelligence Manager, LSEG

Lindsay Koren, senior vice president, ethics and compliance, at Darden Restaurants, warned against AI pulling from open-source data and stressed the fact that every prompt, word, and figure imputed trains the next generation of the technology.

“If you have folks in your environment leveraging generative AI that is not walled off in some way, you’re putting all of that sensitive information out into the atmosphere,” Koren said, emphasizing the importance of guardrails.

An audience member used the example of a helpline provider telling clients it could improve its integrity helpline intake mechanism by training an AI on their data, which clients soundly rejected.

Web Hull, privacy and compliance officer at Abacus Insights, used a different use case to drive home another point. In February, Air Canada was held liable for its chatbot offering discounts to customers.

“The airline said, “That’s the chatbot, that’s not us,’” Hull said. “The judge said, “’Be responsible for what your vendors do.’”

Vendor red flags

Sanghamitra Saha, former lead governance, risk, and compliance auditor and program director at Cirrus Cybersecurity Group, said vendor red flags depend on the industry, business size, and team size, with standardization key to creating uniformity.

TPRM_9

Leslie Williams, director of privacy at AT&T (left), speaks while Mimi Schaefer, lead data privacy and vendor risk management programs at Frontier, listens during a session on data privacy and cybersecurity third-party engagement.

Saha, who also spoke at Compliance Week’s Women in Compliance Summit on tackling racial bias, emphasized the importance of collaboration between departments: specifically legal, compliance, cybersecurity, HR, and IT.

Financial instability affecting operations can have a domino effect, she said, using the example of the Toys “R” Us bankruptcy affecting toy manufacturers.

“Based on how much dependency you have on that vendor or partner, being able to deliver your services and products will obviously get impacted,” she said.

Data privacy vs. cybersecurity

Carey Davidson, vice president of global sales at Aravo, asked a simple question: “Can you have data privacy and cybersecurity separately, or do they go together?”

Mimi Schaefer, lead data privacy and vendor risk management programs at Frontier, said the question is a pet peeve of her’s, arguing security and privacy are not synonymous.

“We speak a different language and have different focuses,” she said. “Your cyber team is not your privacy team.”

Procurement in risk scoring

TPRM_8

Edno Coutinho da Costa Junior, compliance lead at Petrobras, listens while Elizabeth Dunsmoor, TPRM principal at Shared Assessments, speaks during a session on risk oversight strategies. 

Angelique Lee, vice president, global chief compliance & ethics officer at Jazz Pharmaceuticals, stressed the importance of using available data when risk scoring vendors while emphasizing procurement’s role in the process.

“Assign a risk score to the types of activities and engagements that they’re having,” she said, adding that in healthcare the U.S. Consumer Price Index impacts government contracts.

Edno Coutinho da Costa Junior, compliance lead at Brazil state-owned petroleum company Petrobras, spoke to the importance of communication between the procurement and compliance teams.

“Procurement has become a kind of compliance hub, but the compliance experts are not there,” he said. “We have to teach them to communicate and bridge the gap in order to disseminate information and let the message spread to the procurement department.”

He added that sometimes there can be a conflict between procurement and compliance because they want to have service while compliance wants security.

Minefield for sanctions compliance

Whether it be extended statute of limitations  for sanctions violations, increased global scrutiny  toward popular social media app TikTok, separate legislation to thwart Iranian petroleum allegedly being funneled through China, or the illicit trafficking of synthetic opioid fentanyl, there’s a reason sanctions compliance is considered the new Foreign Corrupt Practices Act. 

A panel discussion on sanctions compliance hit on these topics and more during a Day 1 session. 

“Coffee is for closers”

There was a significant lack of liquidity in Atlanta for Compliance Week’s Women in Compliance and Third-Party Risk Management Summits … literally.

A water main break in the city’s downtown caused boil water advisories in the run up to the event, forcing the host hotel’s pool to close, and a Megan Thee Stallion concert at nearby State Farm Arena to be postponed a night.

The dual summits went on as planned, though, with a few hitches, like no bottomless coffee and tea for attendees. It was an unfortunate reality harkening back to the famous “Glengarry Glen Ross” scene, “Coffee is for closers.”

The lesson, especially for a TPRM Summit: Murphy’s Law always applies, as do force majeure clauses.