Presented by Randy Stephens, JD, CCEP, & Mike Vermillion Third Party Risk Management: Obtaining Regulatory Relief
Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Jan 17, 2015

NAVEX Global

Ralph Lauren, Morgan Stanley, Deferred Prosecution Agreements, Non-Prosecution Agreements – new guidance regarding third party risk from both the U.S. Department of Justice and U.K. Ministry of Justice is providing an outline for internal program structure to achieve regulatory relief when corruption is discovered.

In this webinar, we discuss the minimum threshold suggested by global regulators and how to align your program to achieve the same. We also look at how companies in many industries should explore further the risk exposure from often-ignored indirect third parties.

Finally, we touch on how to ease the burden by applying proportionate effort and budget to third-party risk remediation. New automation techniques allow for seamless process integration for the on-boarding of third parties, their on-going management, compliance data acquisition, risk assessments, and the execution of due diligence activities and reports.

Presenters:
Randy Stephens, JD, CCEP, is vice president of the Ethical Leadership Group, a lawyer and compliance specialist who has worked in roles with legal and compliance responsibility for over 30 years, including operations in Mexico, China and Canada. Randy has significant in-house experience leading compliance programs and working for some of the largest and most diverse public and private corporations in the United States, e.g. Home Depot, Family Dollar and US Foods.

Michael Vermillion has more than 25 years of experience successfully facilitating C-level implementation engagements across several industry groups for clients including Dun & Bradstreet, Procter & Gamble, Eli Lilly, RR Donnelley, Georgia Pacific, EDS, BellSouth, SPX and Deutsche Bank. He works closely with senior executives and boards of directors at Fortune 1000 companies to design, build, integrate and implement enterprise-wide Third Party Risk Solutions, and – using that expertise – spearheads NAVEX Global’s Third Party Risk Management Solution creation and implementation.
Transcript
Page 1: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Presented by Randy Stephens, JD, CCEP, & Mike Vermillion

Third Party Risk Management: Obtaining Regulatory Relief

Page 2: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Agenda

The current 3P regulatory environment

Regulatory minimums for 3P programs

Considerations for automation

NAVEX Global approach

Benefits of automating third party risk management

Page 3: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

The Use of Third Parties by Business is Increasing…

Economic conditions

Company cutbacks

Cost of third parties versus internal development

Productivity

Flexibility of workforce

Globalization

Companies need representatives all over the world

Specialization

Lobbying

Reselling

Distribution

Limitation of Liability (false sense of security)

Page 4: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

…So Are Third Party Enforcement Actions

Contractor/Labor Issue

Supplier/Labor Issue

Vendor/Data Privacy Issue

Contractor/Data Privacy Issue

Consultant/Privacy Issue

Contractor/Data Privacy Issue

Agent/FCPA Issue Top Ten: $800M

JV & Agent/FCPA Issue Top 10: $365M

Advisor/FCPA Issue Top 10: $400M

Agent/FCPA Issue Top 10: $32.3M

Agent/FCPA Issue Top 10: $185M

Agent/FCPA Issue Top 10: $338M

Page 5: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Risks Associated with Working with Third Parties

Page 6: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Why is This a Risk?

Third parties represent your company

o They may have little or no loyalty to your company

o You have less control over the actions of third parties

Do you even know all of the third parties you use?

What do you know about them?

International laws and guidance hold you accountable

• U.S. Foreign Corrupt Practices Act (FCPA)

• UK Bribery Act

o “Adequate Procedures”

Page 7: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

FCPA Guidance (November 2012)

“…Risk based due diligence is particularly important with third parties and will also be considered by the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in assessing the effectiveness of a company’s compliance program.

Although the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationships with the third-party, some guiding principles always apply.”

Resource Guide to the U.S. FCPA, p. 60

Page 8: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

What Are the Minimum Elements of a Third-Party Compliance Program?

Page 9: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

FCPA Minimums

1. Companies should understand the qualifications and associations of its third party partners.

The degree of scrutiny should increase as red flags surface

Page 10: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

FCPA Minimums

2. Companies should have an understanding of the business rationale for including the third-party in the transaction.

Contract terms related to services to be performed

Payment terms

Typical?

Timing of the third-party’s introduction

Confirm that work is actually being performed in accordance with the contract

Page 11: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

FCPA Minimums

3. Companies should undertake some form of ongoing monitoring of third-party relationships

Updating due diligence periodically

Exercising audit rights

Providing periodic training

Requesting annual compliance certifications

Have a response plan in the event of a red flag or issue, e.g. Apple/Foxconn

Protect your Company’s reputation

Investigate

Terminate?

Page 12: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

FCPA Minimums

4. Inform third-parties about your compliance program and commitment to ethical and lawful business practices and seek assurances of reciprocal commitments

Training on Code of Conduct

Training of appropriate third-party employees

Third Party Codes of Conduct

Page 13: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Global 3P Corruption Case Studies

Eli Lilly and Company

ORACLE or

Page 14: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

What to Consider When Automating 3P

Risk management process

Scope of third parties

Types of risk to manage

What can and can’t be automated

Focus

Design factors

Page 15: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Start with a Standard Process

1. Identify/Prioritize: Identify your universe of relationships and prioritize by risk.

2. Risk Assessment: Conduct due diligence on a risk-adjusted basis; uncover and assess risks.

3. Risk Mitigation and Action Steps: Take steps to mitigate risk that was uncovered.

4. Ongoing Monitoring: Continuous monitoring and periodic re-screening to identify risk events, keep information current, and ensure policy compliance is in force.

[Diagram: process cycle: 1. Identify/Prioritize, 2. Assess, 3. Mitigate, 4. Monitor]

Page 16: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Consider Entire Scope of Relationships

Source: Compliance and Ethics Leadership Council

[Diagram: relationships of YOUR CORPORATION: Suppliers in emerging markets; Temporary employees; Subcontractors; Int’l intermediaries; Domestic agencies; Offshore service providers; Data vendors; Foreign distributors; Dealers/Resellers; Lobbyists; Auditors; Int’l joint ventures; Partnerships; Suppliers’ suppliers; Contractors; Vendors; Distributors; Consultants; Joint ventures; Suppliers; Agents]

Page 17: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Identify Types of Third Party Risk to Manage

IDENTITY

Who are they?

Who are they owned by?

REPUTATION

Adverse media?

Sanctions lists?

CONFLICTS

Government ownership?

Government office?

COMPLIANCE

Policies & training?

Track record?

Page 18: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Automate Routine Tasks

Notifications

Questionnaire administration

Document collection

Research and analysis

Risk assessment

Report writing

Monitoring

Page 19: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Automate Program Administration

Deploy a standard process

Centralize data store

Control user permissions and access

Risk mitigation follow-up

Schedule rescreening

Program reporting and analytics

Audit compliance and support

Page 20: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

What Can’t Be Automated (yet)

Business rules design

Complex resolution

Advising internal business partners

On the ground investigations

Page 21: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Primary Focus: Risk Event Management

On boarding new relationships

Screening existing relationships

Alerts

change of control

new adverse media

change in sanctions list presence

Page 22: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Secondary Focus: Program Management

Update third party information

Annual certification/attestation

Document updates

Page 23: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Design Factors

Fast deployment

Flexible – support multiple business units, geographies, processes

Easy to use

Integrate with other business processes

Budget friendly

Page 24: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

NAVEX Global Third Party Risk

Designed specifically for Third Party Risk

Incorporates best practices

Covers entire risk universe within budget

Easy to deploy

Flexible to meet program requirements

Page 25: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Standard, Globally Deployable SaaS Platform

Page 26: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Due diligence requests are made online

Report type selection determines the type of due diligence process

Page 27: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Third Party Risk Due Diligence Levels

[Chart: Level One, Level Two, Level Three, Level Four Enhanced DD; axes: RISK, DUE DILIGENCE]

Page 28: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Third Parties are automatically notified

Page 29: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Third Parties Complete a Questionnaire and Submit Documents Online

Page 30: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Additional Data is Automatically Collected from External Databases

NAVEX 3P Platform

Credit Bureau Database

Adverse Media Database

Page 31: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Same reputation screening process as top banks

Thousands of global media sources

Hundreds of global sanctions/watch lists

Analyst review

Ongoing monitoring

Page 32: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Data is Automatically Analyzed

Page 33: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Risk is Assessed Based on Business Rules

We calculate an overall risk assessment based on a weighted average of the risk categories

Page 34: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Reports are automatically generated

Page 35: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

The Reports are Stored and Retrieved Online

Page 36: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Users can sort, filter and export lists for review and reporting

Click on column header to sort

Filter options

Export as CSV or XLS

Page 37: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Users can download reports or view them online

Click on report status to download or view the report online

Page 38: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

The Third Parties tab provides a list of relationships

Page 39: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Each Third Party has a detail page with a history of requests and reports

Page 40: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Third party records can be created without ordering a report

Page 41: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Monitoring and Follow-Up

We monitor every third party for:

Addition to global watch lists, sanctions lists, internal debarment lists

New adverse media

Material changes in financial condition

Alerts are screened by analyst to minimize false positive results

Notifications along with supporting source documentation are delivered by our analysts via email

Page 42: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Services: Pre-Screening

We batch screen existing relationships

Global watch lists, sanctions lists, internal debarment lists

Adverse media

PEP lists

Provided as a service

Third party names are loaded into platform

Does not include a report

Page 43: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Benefits of Third Party Risk Automation

Eliminates paperwork and moves your process “out of email”; everything is in one place

Integrate with existing processes

Standardizes ethics and compliance practices across business units and geographies

Establishes a permanent audit trail of all activity

On demand snapshot of all activity and status – view by region, category, risk rating, status or date

Automated data collection, analysis and report generation

Scalable by third party type, size and geography

Data and analysis are both insightful and actionable

Page 44: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Ethics & Compliance Platform

Ad-Hoc Reporting

Disclosures

Third Party Risk Mgmt.

Anti-retaliation

Policy Management

Case Management

Expanded Intake

Employee Awareness

Online Training

Hotline

Future Application

ADVANCED ANALYTICS

ADVISORY SERVICES

PROFESSIONAL SERVICES

ACCESS PORTAL

Page 45: Supplier Risk Management: Obtaining Regulatory Relief from Third Parties

Thank You