Third Party Risk Management: Moving to 'Business as Usual'
From suppliers to agents and distributors, corporate third party ecosystems have grown larger and more interconnected than ever.
At the same time, regulatory expectations about how corporations manage risk from the layers of third parties that lie in each branch of their global operations have become increasingly onerous and difficult to keep track of. Legislation is being introduced at a national and intra-national level calling for senior management and compliance functions to hold different responsibilities across a diffuse range of risk types, from bribery and sanctions to modern slavery. Nor is it only regulators asking the awkward questions: financiers are more concerned with mitigating reputational risk than ever.
So how do you get your arms around the problem? Senior compliance and legal professionals from leading multinational corporations joined us for a roundtable in London recently to discuss the risk environment and share best practices in how to push their risk management plans into day-to-day operations in a scalable way.
Bribery & Corruption: 2018 is Already a Record Year
Third party risk encapsulates everything from the cyber security preparedness of your customers all the way to how your agents or distributors conduct business. Yet corruption is the one risk type that most compliance functions watch most closely, given the healthy appetite of regulatory agencies to hand out strict enforcements.
The long arm of the Foreign Corrupt Practices Act (FCPA) looms heavier than ever. Whilst 2016 was thought to be the bumper year for fines arising from FCPA enforcements, 2018 has already beaten this – with a series of high profile cases adding up to fines in excess of $2.8bn.
But it’s no longer just the old hands of the FCPA or UK Bribery Act that compliance departments need to shape their policies and procedures around. Anti-corruption drives have taken place worldwide, resulting in local anti-corruption legislation being introduced in markets as diverse as France, Thailand and Argentina. All of these have their own local nuances that corporations need to build policies and procedures around in order to mitigate risk.
Alongside a tightening in the regulatory environment for bribery and corruption is an upwards trend in information sharing between government agencies in different countries. Regulators are seeing the value of sharing information they extract from investigations with their counterparts across the world, so a bribe paid by a corporate agent on another continent will not necessarily stay hidden from a regulator on the other side of the world.
Mitigating the Risk at Scale
Despite the regulatory burden, even the largest corporations don’t have the resources to launch dozens of trained analysts out into their third party ecosystem to monitor business conduct. This often leaves compliance and legal officers, who carry liability for the corporation, with fewer resources to devote to a growing challenge.
So how can you mitigate third party risk in a way that’s scalable for the future?
- Artificial intelligence (AI) & automation
Technology is already automating many of the manual tasks that bog down compliance officers. From screening third parties against sanctions watchlists to sending out requests for attestations or questionnaires, tools such as Exiger Insight 3PM powered by DDIQ are helping push third party risk management policies into day-to-day practice without the need for an army of analysts.
- Joined-up compliance efforts
Compliance isn’t very effective when it sits in a silo. Be sure that your compliance and due diligence efforts make sense in the round and for the different regions your organisation operates in. Equally, if different teams in your organisation are all looking at different pieces of the picture when it comes to due diligence, taking a more joined-up view can help you spot trends and create efficiencies.
- Domestic corruption enforcement – spotting trends
The intelligence gathered by regulators during a domestic corruption investigation can often cascade out and lead to other investigations. This is particularly the case given the inter-agency intelligence sharing mentioned above. Analysing enforcements that have taken place in similar countries or sectors to your organisation can help you identify and mitigate risk exposure.
As third party risk grows, it is a healthy combination of AI-powered technology and deep subject matter expertise that will enable corporations to scale their risk management programmes to the point where they provide the necessary assurance.