Third-Party Risk Management – How Compliance Officers Have Adapted Their Programs During COVID-19

As compliance professionals continued their commitment and efforts to safeguard their business’ reputations across the globe, they faced numerous challenges from the COVID-19 pandemic, including increased demand and expectations associated with managing their third-party risks. As a result, compliance professionals had to quickly adapt to this “new normal” by ensuring that proper compliance controls and procedures for onboarding, training, risk assessment, risk-based due diligence, and the approval and monitoring of global third parties were occurring effectively. To achieve these objectives, innovative approaches were needed for virtual third-party mandatory training, including creating customized training documents, and automating the onboarding processes for new third parties via technological solutions that more efficiently facilitated the identification and remediation of potential third-party risks.

Kroll’s 2021 Anti-Bribery and Corruption (ABC) survey provides details on how the pandemic has impacted compliance policies and procedures and changed compliance professionals’ approach and thought processes on how they oversee and monitor their compliance program in a challenging environment.

Compliance Officers’ Preference for In-Person Third-Party Training

Responses to Kroll’s 2020 survey described the inclusion, review and acknowledgement of an anti-bribery statement in a company’s code of conduct policy as the main approach to third-party training. This year’s survey showed a focus on third-party anti-bribery and corruption training with in-person on-site training as the preferred method to educate organizational members and external partners. This method may be fueled by the latest U.S. Department of Justice’s guidelines on corporate compliance programs, which detailed the importance of conducting effective and risk-based training for vendors to ensure compliance with an organization’s policies and procedures. Although preferred, sadly, opportunities for hosting in-person trainings were limited in the past year. Deciding to host in-person or virtual training sessions for third parties largely depends on a compliance officer’s ability to travel and the number of third parties needing to be trained. Additionally, organizations consider the role of their third parties when determining the specific content of the training material presented.

Use of Electronic Onboarding Questionnaires to Assess Risks

This year’s survey shows that respondents who included training as part of their onboarding and questionnaire process decreased by 7%. Across all respondents, this training-at-onboarding method represented the second most common approach in Kroll’s 2020 survey responses, but in the 2021 survey appears to come second to last compared to other third-party education steps, such as web-based training or a certification included in contract materials. This shift in preference between 2020 and 2021 may be attributed to the impact of COVID-19 and a slow-down in business operations leading to fewer third parties being onboarded. This approach demonstrates the organizations’ commitment to the compliance requirements associated with third parties, while leveraging monitoring, questionnaires and continuous training to prevent potential bribery and corruption risks. Additionally, the natural decline of business activity throughout Q2 2020, as a result of the initial impact of COVID-19, may have resulted in fewer third parties being onboarded, and thus a lesser need for ABC education and a greater need for assessing a third party’s value to the organization.

Identification of Red Flags Triggered Due Diligence Engagement

Compliance professionals recognize that not all third parties require the same level of due diligence to ensure adherence with regulatory expectations and best practices. Deciding on an appropriate level of due diligence should be based on potential risks that a third party poses to an organization. 35% of 2021 survey respondents shared that they would conduct enhanced due diligence based on red flags identified when using a screening database, following outcomes of questionnaires, when higher risk jurisdictions of operation are included or as a result of other information collected during the onboarding process. Among the multiple risk-based management and escalation triggers to identify and understand their third-party risks 34% of respondents detailed that they would engage in due diligence for any third parties operating in high risk jurisdictions, yet only 28% would seek to conduct due diligence in situations where a third party could potentially have a relationship with a politically exposed persons (PEPs) and as such create a potential environment for greater risks associated with bribery and corruption.

Conducting desktop research into a third party is often one of the first steps that compliance professionals perform when considering onboarding a new third party. Moreover, utilizing a risk-based onboarding questionnaire is optimal for collecting data and documentation and attesting to an organization’s compliance policies and procedures as it relates to complying and acting ethically. Furthermore, 17% of respondents advised that they used a risk score from onboarding questionnaires to determine the level of due diligence that needs to be conducted.

Other factors considered for conducting enhanced due diligence include the value of the commercial opportunity involving the third party (27%), a lack of understanding on how the third party operates (23%), unclear or opaque ownership (15%) and underdeveloped or decentralized compliance programs (12%). These factors help determine overall risk exposure and assist organizations in taking proper measures to validate a third party.

Striving During Challenging Times and Safeguarding the Company’s Reputation

Compliance professionals recognize that a check-the-box third-party risk management program is not ideal or acceptable by regulators around the globe. An organization’s compliance officer should set the standards for ethics and compliance policies and procedures to ensure that their program is tailored to the organization’s risk tolerance in regard to industries, geographies and services being provided by its third parties.

The pandemic has made onboarding processes and training more challenging, thus necessitating increased scrutiny of compliance professionals when evaluating current and new third-party relationships. This past year has been a great example of the resiliency and innovation put forth by compliance professionals as it relates to ensuring the reputation and integrity of their brands and the third-party relationships they maintain. This dedication and commitment of compliance professionals is the “ethos” of the profession and what drives them to protect their respective organizations from regulatory and other challenges.