Tying Mitigation to Third Party Risks
Managing your third-party risks requires a wide-angle view of your third parties. What do I mean by that?
Companies are hyper-focused on identifying risks during the onboarding process, the use of automated platforms to organize and conduct such screening, and continuous monitoring through an automated platform. Such a perspective, however, is far too narrow in scope and scale.
Too many third-party risk management strategies ignore or downplay the importance of developing risk mitigation strategies. In other words, once a red flag or risk has been identified, how should the company respond and resolve the red flag? This is a critical question and process.
Companies are relying on automated solutions that are effective in discovering a potential risk. But such solutions do not provide an effective risk mitigation strategy.
The devil surrounding this issue is, of course, in the details. Let’s start by identifying potential solutions from a general standpoint. In response to a red flag identified in a basic due diligence review, a CCO can:
- Conduct enhanced due diligence to learn more about the third party and the particular red flag;
- Analyze the issue to determine the nature and extent of the risk (e.g. adverse media concerning an affiliated company);
- Conduct in-person or follow-up interviews of third-party officials to collect additional information about the candidate and the red flag;
- Craft specific representations, warranties and certifications to address the specific issue (e.g. an alleged government-official owner or affiliation);
- Provide additional training on risk issues;
- Implement a robust monitoring program, including sampling of specific business transactions;
- Refresh due diligence; and
- Modify the business relationship (e.g. alter the scope of the business relationship to reduce risks).
In many cases, a company can design and implement a risk mitigation program for a specific third party. The CCO has to identify and assess the risk and develop appropriate tools to mitigate it. When crafting such a solution, the company has to document its analysis and its strategy in case it has to respond to a government (or auditor) inquiry.
Often, a red flag can be addressed by asking the candidate about the issue and assessing the response. There is no harm in asking and a candidate may already be familiar with the issue and can provide the candidate’s perspective. A red flag on paper usually looks worse than under careful scrutiny. Of course, if the candidate provides a misleading or false response, the company may face significant hurdles to justifying engagement of the third party. A careful balance has to be considered when conducting a further inquiry. In most situations, it is best to collect as much information as possible about the red flag and then speak to the third party about the issue.
A company also has to consider the extent to which a specific risk can be addressed by securing contractual representations concerning the issue as part of the engagement agreement. For example, if a company has questions concerning the potential involvement of a family member who is a government official, the company may be able to craft contractual certifications to confirm the exclusion of the family member from any business interactions involving the third party and the company.
In other situations, and depending on the nature and extent of the risk, a company can implement a sampling system for high-risk transactions designed to monitor transactions with the third party.
These are just examples of solutions that may be used to address the risk exposed in the due diligence process. From the list above, a company can mix and match solutions, target the specific risk and then document the strategy it is implementing to mitigate the risk.