Third Party Risk Management: Obtaining Regulatory Relief
Presented by Randy Stephens, JD, CCEP, & Mike Vermillion
Jan 17, 2015
Agenda
The current 3P regulatory environment
Regulatory minimums for 3P programs
Considerations for automation
NAVEX Global approach
Benefits of automating third party risk management
The Use of Third Parties by Business is Increasing…
Economic conditions
Company cutbacks
Cost of third parties versus internal development
Productivity
Flexibility of workforce
Globalization
Companies need representatives all over the world
Specialization
Lobbying
Reselling
Distribution
Limitation of Liability (false sense of security)
…So Are Third Party Enforcement Actions
Contractor/Labor Issue
Supplier/Labor Issue
Vendor/Data Privacy Issue
Contractor/Data Privacy Issue
Consultant/Privacy Issue
Contractor/Data Privacy Issue
Agent/FCPA Issue (Top Ten: $800M)
JV & Agent/FCPA Issue (Top 10: $365M)
Advisor/FCPA Issue (Top 10: $400M)
Agent/FCPA Issue (Top 10: $32.3M)
Agent/FCPA Issue (Top 10: $185M)
Agent/FCPA Issue (Top 10: $338M)
Risks Associated with Working with Third Parties
Why is This a Risk?
Third parties represent your company
o They may have little or no loyalty to your company
o You have less control over the actions of third parties
Do you even know all of the third parties you use?
What do you know about them?
International laws and guidance hold you accountable
• U.S. Foreign Corrupt Practices Act (FCPA)
• UK Bribery Act
o “Adequate Procedures”
FCPA Guidance (November 2012)
“…Risk-based due diligence is particularly important with third parties and will also be considered by the U.S. Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in assessing the effectiveness of a company’s compliance program. Although the degree of appropriate due diligence may vary based on industry, country, size and nature of the transaction, and historical relationships with the third-party, some guiding principles always apply.”
Resource Guide to the U.S. FCPA, p. 60
What are the Minimum Elements of a Third-Party Compliance Program?
FCPA Minimums
1. Companies should understand the qualifications and associations of their third-party partners.
The degree of scrutiny should increase as red flags surface.
FCPA Minimums
2. Companies should have an understanding of the business rationale for including the third-party in the transaction.
Contract terms related to services to be performed
Payment terms
Typical?
Timing of the third-party’s introduction
Confirm that work is actually being performed in accordance with the contract
FCPA Minimums
3. Companies should undertake some form of ongoing monitoring of third-party relationships
Updating due diligence periodically
Exercising audit rights
Providing periodic training
Requesting annual compliance certifications
Have a response plan in the event of a red flag or issue, e.g. Apple/Foxconn
Protect your Company’s reputation
Investigate
Terminate?
FCPA Minimums
4. Inform third parties about your compliance program and commitment to ethical and lawful business practices, and seek assurances of reciprocal commitments.
Training on Code of Conduct
Training of appropriate third-party employees
Third Party Codes of Conduct
Global 3P Corruption Case Studies
Eli Lilly and Company
ORACLE or
What to Consider When Automating 3P
Risk management process
Scope of third parties
Types of risk to manage
What can and can’t be automated
Focus
Design factors
Start with a Standard Process
1. Identify/Prioritize: Identify your universe of relationships and prioritize by risk.
2. Risk Assessment: Conduct due diligence on a risk-adjusted basis; uncover and assess risks.
3. Risk Mitigation and Action Steps: Take steps to mitigate risk that was uncovered.
4. Ongoing Monitoring: Continuous monitoring and periodic re-screening to identify risk events, keep information current, and ensure policy compliance is in force.
(Cycle diagram: 1. Identify/Prioritize → 2. Assess → 3. Mitigate → 4. Monitor, repeating.)
Consider Entire Scope of Relationships
Source: Compliance and Ethics Leadership Council
(Diagram of relationships surrounding your corporation: suppliers in emerging markets, temporary employees, subcontractors, international intermediaries, domestic agencies, offshore service providers, data vendors, foreign distributors, dealers/resellers, lobbyists, auditors, international joint ventures, partnerships, suppliers’ suppliers, contractors, vendors, distributors, consultants, joint ventures, suppliers, agents.)
Identify Types of Third Party Risk to Manage
IDENTITY
Who are they?
Who are they owned by?
REPUTATION
Adverse media?
Sanctions lists?
CONFLICTS
Government ownership?
Government office?
COMPLIANCE
Policies & training?
Track record?
Automate Routine Tasks
Notifications
Questionnaire administration
Document collection
Research and analysis
Risk assessment
Report writing
Monitoring
Automate Program Administration
Deploy a standard process
Centralize data store
Control user permissions and access
Risk mitigation follow-up
Schedule rescreening
Program reporting and analytics
Audit compliance and support
What Can’t Be Automated (yet)
Business rules design
Complex resolution
Advising internal business partners
On the ground investigations
Primary Focus: Risk Event Management
Onboarding new relationships
Screening existing relationships
Alerts
change of control
new adverse media
change in sanctions list presence
Secondary Focus: Program Management
Update third party information
Annual certification/attestation
Document updates
Design Factors
Fast deployment
Flexible – support multiple business units, geographies, processes
Easy to use
Integrate with other business processes
Budget friendly
NAVEX Global Third Party Risk
Designed specifically for Third Party Risk
Incorporates best practices
Covers entire risk universe within budget
Easy to deploy
Flexible to meet program requirements
Standard, Globally Deployable SaaS Platform
Due diligence requests are made online
Report type selection determines the type of due diligence process
Third Party Risk Due Diligence Levels: Level One, Level Two, Level Three, Level Four (Enhanced DD)
(Chart with risk on one axis and due diligence on the other.)
Third Parties are automatically notified
Third Parties Complete a Questionnaire and Submit Documents Online
Additional Data is Automatically Collected from External Databases
NAVEX 3P Platform
Credit Bureau Database
Adverse Media Database
Same reputation screening process as top banks
Thousands of global media sources
Hundreds of global sanctions/watch lists
Analyst review
Ongoing monitoring
Data is Automatically Analyzed
Risk is Assessed Based on Business Rules
We calculate an overall risk assessment based on a weighted average of the risk categories
Reports are automatically generated
The Reports are Stored and Retrieved Online
Users can sort, filter and export lists for review and reporting
Click on column header to sort
Filter options
Export as CSV or XLS
Users can download reports or view them online
Click on report status to download or view the report online
The Third Parties tab provides a list of relationships
Each Third Party has a detail page with a history of requests and reports
Third party records can be created without ordering a report
Monitoring and Follow-Up
We monitor every third party for:
Addition to global watch lists, sanctions lists, internal debarment lists
New adverse media
Material changes in financial condition
Alerts are screened by an analyst to minimize false positive results
Notifications along with supporting source documentation are delivered by our analysts via email
Services: Pre-Screening
We batch screen existing relationships
Global watch lists, sanctions lists, internal debarment lists
Adverse media
PEP lists
Provided as a service
Third party names are loaded into platform
Does not include a report
Benefits of Third Party Risk Automation
Eliminates paperwork and moves your process “out of email”; everything is in one place
Integrate with existing processes
Standardizes ethics and compliance practices across business units and geographies
Establishes a permanent audit trail of all activity
On demand snapshot of all activity and status – view by region, category, risk rating, status or date
Automated data collection, analysis and report generation
Scalable by third party type, size and geography
Data and analysis are both insightful and actionable
Ethics & Compliance Platform
(Platform diagram: Ad-Hoc Reporting; Disclosures; Third Party Risk Mgmt.; Anti-retaliation; Policy Management; Case Management; Expanded Intake; Employee Awareness; Online Training; Hotline; Future Application; Advanced Analytics; Advisory Services; Professional Services; Access Portal.)
Thank You