Huge anti-corruption fines. A focus on corporate conduct. Globalization. Each of these trends has put a lot of pressure on third party management programs. In the OCEG Tech Talk, “Anti-Corruption and Technology,” Ken Kurtz, Dennis Haist, and Tony Charles from STEELE CIS share insight and advice on managing anti-corruption in third party relationships.
Third Party Management Challenges
According to Dennis Haist, General Counsel at STEELE CIS, third party management challenges emerged with the Foreign Corrupt Practices Act (FCPA). A resource guide for the FCPA (written by the US Department of Justice and US Securities and Exchange Commission) offered a solution: a risk based approach.
But what is a risk based approach and which third parties does it apply to?
Who Are Your Third Parties
Think of the external companies and individuals that support your business (both upstream and downstream): vendors, distributors, consultants, lawyers, accountants, independent sales representatives, agents, joint venture partners — the list of third parties can get very long, very quickly.
As Dennis Haist explains, “A typical multi-national company may have 20 to 30 different categories of third parties.” And that’s just categories – actual third parties can run into the thousands.
There’s also the challenge of out-of-date information. Company information systems (ERP and procurement for example) that track information about third parties often don’t talk to each other. This leads to incomplete and inaccurate information.
According to Kenneth Kurtz, Chief Strategy Officer at STEELE CIS, “Often companies find as much as 25% of their third party records are inactive.”
What Is A Risk Based Model
“When looking at a risk based approach it’s a combination of utilizing risk factors, weighting those factors, and a consistent scoring of third party behavior,” explained Kenneth Kurtz.
Risk factors include:
- Type of business relationship
- Country business is conducted in
- Input provided by the third party
- Input from employees and business sponsor
These risk factors are weighed and put into tiers (such as high, medium and low). Risk models are unique to each company and are affected by the risk tolerance and culture of the organization.
A risk model also includes:
- How much control you have over the third party
- How closely your business is aligned with them (and how likely you are to be found at fault if they do something illegal)
- The amount of due diligence required for each tier
A risk based third party management model allows you to conduct due diligence to evaluate if you should (and want to) do business with the third party.
“The risk model is the central nervous system of your third party management program. That risk model doesn’t just dictate scope of due diligence, that risk model is often prescribing and impacting the terms and conditions within your agreements, due diligence, the type of training, and schedule for ongoing monitoring. That risk model is very, very important.” Kenneth Kurtz, Chief Strategy Officer.
How to Create A Risk Based Third Party Management Model
Below is a brief summary of how to create a risk based third party management model (there’s much greater detail in the Tech Talk video series).
- Get executive and stakeholder buy-in
- Inventory your third parties
- Risk assessment
- Communicate and train on the risk based model
- Manage the third party life cycle
- Identify and manage red flags
- Due diligence
Third Party Management Software
Think about how many third parties you have to manage. Consider the many steps in a third party management program. Ponder the numerous sources of information to be reviewed (in multiple countries). Now envision how an automated third party management program saves time and resources.
Tony Charles, VP, Strategic Development Group, describes that vision: “A good third party management system is actually bringing together a wealth of data and information around the third party universe.” Tony revealed that many companies are starting to appreciate an “unrealized return on investment” from benefits such as:
- Greater visibility and management of third parties through standardized third party data and process
- Greater control of and consistency in third party management through automated processes, integration with ERP and procurement systems, and input from third party management content and services providers
- Increased confidence that your third parties are honest, reliable, and compatible with your risk appetite.
“It’s important to move away from Excel spreadsheets, which companies have used historically to manage these compliance processes. It’s become so unwieldy to meet the regulatory expectations. An automation tool can provide a lot of value and be more efficient than managing in the SharePoint or Excel environment that so many companies start with.” Tony Charles, VP, Strategic Development Group
Learn More: Watch OCEG Tech Talks
Ken Kurtz, Dennis Haist, and Tony Charles from STEELE CIS share so much more information on anti-corruption and third party management in the Tech Talk “Anti-Corruption and Technology.”
Below is a list of additional topics they cover (see the video series for a full list of topics):
- Evolution and challenges of third party management (V02)
- Compliance program benefits (V06, V07)
- Anti corruption (V02, V10, V14, V26, V33, V16, V29)
- Data privacy issues (V16)
- Audits in third party management (V16, V17, V18)
- Integrating third party management with ERP (V19)
- Budgeting for third party management programs and software (V19, V26, V32, V33, V34)
- Central versus regional control of third party management (V35)
Stay informed and watch these 35 short videos.
“Anti-Corruption and Technology” is part of OCEG’s Tech Talk Series. The online videos explore GRC technology through interviews with solution experts. Visit the full series listing for more information.