Third Party Risk Management: Balancing Due Diligence Screening and Monitoring
In response to aggressive FCPA enforcement and recurring problems with third parties, companies have spent substantial resources and time to design and implement comprehensive ethics and compliance programs. A key part of this effort was to implement robust due diligence programs to screen and identify potential risks created by third party intermediaries.
Hui Chen, DOJ Compliance Counsel, called 2015 “The Year of Due Diligence.” Many companies have implemented automated due diligence systems to screen third parties for potential risks. Smaller companies cannot justify an automated system if they have a small number of third party intermediaries. Nonetheless, compliance and legal staff are devoting more time to due diligence to mitigate potential risk.
Initial screening is an important process that every company needs to implement in one form or another. Due diligence data and investigation services have expanded to meet increasing demand. A cottage industry surrounding due diligence has grown and continues to evolve in response to changing demands.
While there has been significant progress in the initial (and renewal) screening of potential third parties, third party risk management requires a more holistic approach. Third party risk does not end once a third party has been screened. To the contrary, third party risk increases as third parties handle more business and have more opportunities for bribery.
Automated due diligence systems provide ongoing monitoring that notifies users when the status of a person or entity changes. In many cases, companies have to update their due diligence inquiries and documentation to address new information about a third party.
The new cutting edge area of compliance will entail more sophisticated monitoring techniques to identify third parties that may be engaged in misconduct. No longer can companies rely on an occasional audit of a third party to satisfy this monitoring requirement. Instead, companies will have to develop new and innovative approaches that include a mix of informal audit techniques, sampling, transaction monitoring, and formal audits.
The challenge for companies is how to take an existing mix of third parties and tailor a monitoring program that draws on a variety of techniques and identifies third parties for increased scrutiny based on their ongoing risk. The monitoring function should be developed jointly by compliance, audit, legal, finance and procurement staff to ensure that all potential third party risk is evaluated.
As I have said many times, bribery takes money, and third party risk depends on access to money for improper purposes. Financial controls and monitoring activities are therefore critical to preventing third parties from carrying out illegal bribery schemes.
In many cases, third party due diligence focuses on predictors of such risk, such as the presence of government officials or connections to them. This focus is an important part of risk evaluation, but in the end the most significant factors are access to money and the proper use of money for legitimate expenses. Financial monitoring, therefore, must be an essential aspect of third party risk management.
The classic third party bribery scheme relies on funneling money to a shady third party who makes illegal payments to government officials. The third party secures funds for bribery through a number of techniques such as inflated invoices for products or services, marketing funds and rebates, and sham contracts. Paying attention to financial sources of bribery and documenting legitimate uses of the money by third parties is a critical part of the monitoring function. While the amount of work needed to conduct such monitoring may be daunting, sampling techniques and other risk-ranking approaches can be used to tailor the monitoring function to the amount of available resources.