Never has third-party risk management been as high a priority as it is in today's stringent anti-corruption enforcement environment. Yet, many companies still aren't up to snuff when it comes to refining the processes used to mitigate third-party risks.

They are in a “relative state of paralysis,” says Kenneth Kurtz, chief executive officer of Steele Compliance & Investigation Services. “What we're experiencing is an environment where companies know they need to do something, but they don't know exactly what to do first.” Kurtz says lots of companies have defined policies and a framework in place, but no process to execute those policies.

A high proportion of Foreign Corrupt Practices Act charges stem from the actions of third parties acting on another company's behalf. That means companies need to have far more knowledge of the entities they transact with. “Know your customer, know your vendor, know who you're doing business with,” says Bobby Butler, senior vice president, chief compliance officer, and internal audit director for Universal Weather and Aviation, a global flight planning and flight support services provider.

According to Butler, companies need to develop better tools, processes, and policies for minimizing risks associated with third parties. The first step in that process is to establish a “credible and defensible risk model” for your company, says Kurtz. That risk model should be based on the company's unique risk factors, which should then be weighted and used to calculate a risk score for each third party.

Companies don't have to go it alone on conducting due diligence on third parties. Universal Weather and Aviation, for example, uses a supply chain compliance solution as a starting point on the path to streamline its Level I due diligence process, says Butler. The global platform captures, assesses, and shares baseline due diligence information on organizations and individuals across the supply chain. For example, the system can track the details of an organization and its ownership and scan them against government watch lists.

The system “takes the financial burden off the company and allows us to reallocate our resources to enhance and increase our Level II and Level III due diligence,” says Butler. That involves taking a deeper dive into understanding the risk profile of each third party.

Effective third-party due diligence is not a “one-size-fits-all program,” Kurtz says, but rather should be based on each organization's appetite for risk. Employ a risk model that is “realistic for your business, reflective of best practices, and affordable on a long-term basis,” he advises.

Testing your risk model and processes before rolling them out is crucial, Kurtz adds. “Some organizations try to roll a program out globally, and they end up committing themselves to a process that is too expensive and too complex for the business,” he says.

At Universal Weather and Aviation, each of its roughly 10,000 third parties is scored based on several risk factors, such as geography, or how long the company has been doing business with that third party. One industry-specific risk factor is how many landings occur at a particular airport on an annual basis.

“We take all these factors to develop a risk matrix,” says Butler. That allows the company to rank and continuously review each third party from high to low risk. The company refers to outside measures of corruption in the countries it does business in, for example, and adds them to the matrix.

The establishment of that risk model prescribes the next steps for the third-party on-boarding process, which needs to be clearly understood and refined by the business, says Kurtz. Often, however, companies that have implemented a risk model “don't have the resources or defined processes to support the risk model,” he says. Due diligence is just one step in an entire third-party on-boarding process.

Companies need to dig deeper into the actual practices of third parties to make sure they align with the policies and procedures on the surface. One of the most daunting challenges when it comes to managing third-party risks, for example, is ensuring that the actions of vendors and service providers are “consistent and aligned with the company's code of conduct and core values, so that they're not doing anything that you wouldn't want your own employees doing,” says Butler.

For Universal Weather and Aviation, safety is a particularly serious concern. “We send our traffic to some of these third parties, so we have certain service-level agreements and safety standards that we want them to meet,” he says.

Trust, but Verify

In addition to anti-corruption training, all third parties have a business sponsor within Universal Weather and Aviation who owns the relationship and is accountable for any actions associated with that relationship, says Butler.

The company also periodically reconfirms the third-party information it has on file and certifies that the information is accurate. Various factors may change in the course of a year, including a third party's risk ownership, revenue stream, business location, and the services they provide. So you need to continually audit and monitor those activities, says Butler.

Including a right-to-audit clause in contracts with third parties is not always the best avenue to take. On the positive side, a right-to-audit clause in contracts with third parties can act as a safeguard to provide more detailed insight into their practices. “It gives you a ‘foot in the door’ to understand what the third parties are doing on your behalf,” says Butler.

Such clauses allow the contracting company to develop a specific audit program with defined scope and objectives to achieve a desired outcome. If your third parties know they can't slip anything past you, it prevents a whole bunch of compliance lapses from occurring, says Butler.

The disadvantage with incorporating a right-to-audit clause into a third-party contract, however, is that it arguably creates an implied obligation to audit from an enforcement perspective in the event that an issue arises. “If you include a right-to-audit clause and don't audit against them, it makes you look ineffective,” says Butler.

Butler and Kurtz agree that if your company does not have the manpower or resources to audit third parties, don't put right-to-audit clauses in place. Having fewer, clearly defined policies in your program that are actually followed is much better than having more programs that are less defined and not followed at all, says Kurtz.

Universal Weather and Aviation ensures that its processes are reviewed and followed by having in place an operational selection committee. In addition to Butler, other members on the committee include operational vice presidents, as well as the general counsel. 

Having an operational selection committee ensures that decisions are being made as a group, rather than on an individual level, says Butler. “It helps minimize service-level deficiencies from occurring,” he says, “and it helps minimize compliance breaches that could occur on the ground.”