Compliance Risk Assessment and 3rd Party Due Diligence & Monitoring
May 2011
Advisory Services
Compliance Risk Strategy – 3rd Party Due Diligence – 3rd Party Auditing
The way a company approaches overall compliance risk will affect how it implements an effective Third Party/Business Partner program.
Compliance Risk Management: risk tolerance; go-to-market strategy
Third Party Due Diligence: third party population; levels of due diligence; steps before and after contracting
Third Party Auditing: when to exercise? scope?
Many companies are engaged in a complex web of 3rd party relationships and face challenges in developing and implementing scalable, efficient processes to address the risks associated with such 3rd parties, which include:
• Resellers
• Distributors
• Contractors
• Sales Agents
• Lobbyists
• Manufacturers
• Value Added Resellers
• Joint Venture Partners
• Logistics / Supply Chain
• Consultants
Example risk factors:
Regulatory
• Anti-corruption
• Export controls
• Anti-money laundering
Licensing / Contract Compliance
• Recovery of revenues / costs
• Compliance with key terms
Fraud risk
• Grey market / piracy
• Conflicts of interest
• Intellectual property
The current regulatory environment expects, and regulators increasingly demand, that companies know who is conducting business on their behalf and the risks associated with doing business with them.
Companies use 3rd party business partners to assist them in various activities including, but not limited to, sales, marketing, consulting and procurement. The sheer number and complexity of such relationships, and the roles those partners play, are sometimes unknown and not part of a company's global risk assessment.
A methodology designed to identify, assess, accept, and monitor relationships with 3rd party business partners is a key component of a strong compliance program.
Business partner compliance framework
The following framework is designed to address the key risks related to 3rd party relationships and sets out the potential elements of an
Framework (from the slide graphic):
• Business Partner Data: ERP systems / vendor master; CRM systems; approvals & contracting / contract amendments
• Identify, Consolidate, and De-Duplicate Business Partners
• Risk Assessment: risk analysis & rating; business partner risk classification segmented into Low, Medium & High Risk (standardize or systematize using third party databases, industry-specific factors, questionnaires, etc.)
• Perform Due Diligence
• Incident response and remediation; Auditing; Continuous Reassessment; Reporting / Monitoring
Supporting layers: control environment and tone at the top; governance, executive sponsorship, compliance enforcement; training, policies and change management; technology, tools and information management
Partner approval, contracting and continuous reassessment
The approval team reviews the evaluations; the level of effort, and the approvers involved (Local Management, Central or Regional Compliance Officer, Head of Compliance), scale with the Low / Medium / High risk rating.
Possible outcomes:
• Rejection
• Further Investigation
• Conditional Approval: enhanced internal controls; additional monitoring; enhanced contractual terms; schedule Internal Audit
• Approval
The extent of approval required will depend on the level of risk. Final decisions can include conditions for approval that require enhanced internal controls or monitoring.
Contracting / Contract Renewal / Amendments to T&Cs (e.g. FCPA language, payment terms)
Business partner onboarding should be periodically revisited to ensure there have been no significant changes to the partner profile. This can include: annual re-certifications; updating questionnaire responses every one to three years; or revisiting due diligence procedures as
Due diligence considerations
Depending on the results of the partner risk assessment, appropriate levels of due diligence should be conducted. The level of due diligence undertaken should be commensurate with the risk exposure:
Example Low Risk Procedures
• For all business partners, obtain certification from the new Business Partner and/or the employee requesting partner onboarding
• Consider conducting minimal checks of the entity against an industry-leading compliance database (e.g. WorldCompliance) or restricted entity listing to identify informative indicators via watch lists, sanctions lists, or PEP (politically exposed person) designation
Additional Medium Risk Procedures
• Consider comprehensive surveys (tiered based on level of risk) addressing compliance risk factors, such as ownership structure, compliance history, internal controls programs, etc.
• Amend standard contractual language to reflect appropriate provisions (e.g. FCPA, right to audit clause)
• Consider 3rd party due diligence reports that may include analysis of:
  • Compliance databases and regional-specific business/company/regulatory information databases;
  • English-language and relevant foreign-language media databases;
  • Litigation databases across relevant jurisdiction(s); and
  • Commercial open source search engines for any readily-apparent adverse information.
Additional High Risk Procedures
• Consider enhanced 3rd party due diligence reports that, depending on the location of the entity and availability of information, may include:
  • On-site public record searches at government offices, ministries and court houses;
  • Reputational and business information interviews with source contacts (diplomatic, commercial, intelligence, etc.);
  • Source information assessments of noteworthy relationships to political, military or government officials; and
  • Discreet inquiries with commerce officials, local embassies, etc.
Reporting and continuous monitoring
After a business partner is onboarded, the business will need to consider ongoing transactional risk. This could include procedures such as:
• Evaluating partner data sources (e.g. CRM, POS, ERP) and developing dashboards for monitoring key partner metrics
• Periodic reviews of transaction detail to ensure transactions are limited to compliant partners
• Monitoring training records for compliance with training requests
• Periodic reviews of accounting records, marketing funds / partner incentives and time & expense records
• Monitoring whistleblower/helpline activity for business partner involvement
• Monitoring the status of onboarding process activities and reviewing outstanding requests
Follow-up actions (from the slide graphic): channel audits; investigation into unusual business practices; changes to T&Cs; prevent deals with high risk partners; escalate performance issues to Sales
Compliance audits with business partner contractual terms
Companies seek to improve their competitive advantage, grow revenues, and reduce development time and costs through their relationships with 3rd parties.
Periodic independent inspections of activities under these contracts can improve the value received. Companies can get more performance from these agreements and maintain their good relationships through effective and sensitive contract enforcement.
Benefits of a robust licensing or contract compliance program include:
• Compliance with key terms
• Identification of potential revenue leakage / incremental revenue
• Enhanced 3rd party relationships / trust and increased communication
• Improved predictability of future payments / enhanced reporting controls
• Improvements to the drafting of future contracts
• Partners / channel understand that you take contractual terms seriously
• Flushes out contract language misinterpretations, side letters, etc.
• Provides better understanding of the customer base usage and compliance
Audit steps (from the slide graphic): identify key contracts & terms; analyze data; validate reporting and present findings; counter-party site inspection