Rebalancing Third-Party Risk Strategies
As companies move forward on third-party risk management programs, and as automated third-party risk solutions are being implemented, compliance professionals have to re-examine and re-balance the allocation of resources and time among three separate functions: (1) onboarding due diligence; (2) monitoring third-party conduct; and (3) review and audit of third-parties.
Over the last ten years, companies have focused on initial due diligence and onboarding procedures: initial questionnaires, open source intelligence, Internet research, and deeper (enhanced) due diligence when needed to identify and resolve red flags. Alongside due diligence, companies have adopted risk mitigation strategies such as contractual representations and warranties, termination rights, audit rights, detailed invoice-to-payment procedures, training, and refreshed due diligence for higher-risk candidates.
Since these programs were implemented, attention has shifted to monitoring and auditing practices as the way to further reduce third-party risk, especially as proactive monitoring programs are being created. Unfortunately, compliance professionals face a difficult question as a result of limited resources and personnel: in some cases, companies may have to reallocate resources away from the initial due diligence process in order to expand monitoring and audit programs.
To focus on this issue, let’s start with a few general assumptions – I know that these assumptions are not always true, but bear with me; my general statements are based on years of experience working with clients in this area.
For most global companies, 10 to 20 percent of the third-party population falls into the high-risk category. By high-risk, I mean representatives who interact with foreign officials on behalf of the company and/or representatives who are partially or wholly owned by government officials.
The middle category of risk covers approximately 40 to 60 percent of third-parties, and the remainder of the third-party population may fall within the low risk category.
Within each risk category, a ranking formula typically is based on country of operation and annual revenue paid to the third-party.
Given this risk population, compliance professionals should begin to develop creative monitoring programs focused on the riskiest third parties. In designing such a program, compliance professionals should schedule regular compliance reviews with the business representative responsible for each specific high-risk third party. During these reviews, the compliance officer and the business employee should focus on: (1) third-party activities and reports on business, including significant tenders, RFPs, business opportunities and development; (2) changes in third-party performance (e.g. a significant increase in business); (3) recent invoices/purchase orders and the justification for payments; (4) discounts, rebates, or marketing funds and support; (5) returns or changes in order status; (6) public reports concerning the third party; (7) training or other compliance events; and (8) any other issues relevant to the review. A robust and ongoing review between compliance and business employees can provide important insights into high-risk third parties and can trigger further review and information requests from the third party, up to and including a more intensive audit.
Besides a high-risk third-party monitoring program, compliance reviews or audits can be used as a further tool to ensure third-party compliance. A full financial audit of a third party requires time, travel and resources, and it is difficult for companies to conduct (or retain someone to conduct) a large number of them. But many other activities can be characterized as an “audit,” including transaction testing, remote desk audits, and other sampling programs designed to detect potential wrongdoing without devoting the time and resources needed for a financial audit at the third party’s offices.
In the end, the benefits and costs of the strategies associated with each of these three functions – onboarding, monitoring, and audit/testing – have to be re-examined. When such an analysis is conducted, compliance officers may find a better balance among the three activities and focus more effectively on risk mitigation.