In the recent webcast “7 Steps to Effective Reputational Due Diligence,” co-hosts John Arvanitis, Managing Director at Kroll, a division of Duff & Phelps, and Tony Rock, COO at Lockpath, discussed the third-party risks facing organizations today. As a result of that dialogue, Arvanitis identified several key areas your organization should focus on in order to uncover and mitigate reputational risk associated with third-party relationships.
Risk Assessment Considerations
Arvanitis: There are a multitude of risks you could consider in your assessment, such as jurisdiction, industry or political exposure. It all comes down to the risk profile of your organization and how much risk your business is willing to take on. With that said, a great first step is having your third parties validate themselves through a questionnaire and attestation process. Third parties are an integral part of any organization’s global operations, but they must be held accountable and to an extremely high standard.
Conducting Due Diligence on a Budget
Arvanitis: From a third-party perspective, it starts with the onboarding process. Your third parties should complete a questionnaire that allows you to categorize them as low-, medium- or high-risk. The ability to apply a risk score to a third party permits you to make the best decisions on how you want to proceed with them while keeping in mind budget and capability. The expectation is that you must conduct a degree of due diligence, but it also needs to be risk-based. If a high-risk third party is identified but there is not enough budget to perform due diligence, it might be wise for your organization to decide not to do business with that specific third party.
Aside from the onboarding process and risk scoring, an important mechanism worth mentioning again is the contract with the third party. Specific language and compliance requirements can be inserted into the contract that hold the third party accountable for illicit activities.
Organizational Responsibility for Third-Party Approval and Denial
Arvanitis: This is a case of togetherness and communication. The ability to have all organizational stakeholders weigh in—including compliance and other relevant business lines—is really important as it relates to moving forward with the third party and protecting the brand. Ultimately, it’s a team approach.
A Third Party Without a Compliance Program
Arvanitis: If a third party doesn’t have any type of anti-bribery and corruption compliance program, it should serve as a red flag to your organization. Through the globalization of regulatory enforcement and the development of anti-bribery and corruption (ABC) units, it should be apparent to all that ABC compliance should be top of mind and taken seriously. Organizations that delay or altogether decline to institute a proper internal compliance program and choose to not hold their third parties accountable expose themselves to serious regulatory and reputational risks.
Helping a Third Party Develop a Compliance Program
Arvanitis: This is a great building block for your relationship with a third party and your organization’s compliance requirements. If a third party is willing to bolster their compliance program and is asking you for guidance, you have two options. First, utilize your organization’s internal resources to talk with the third party at a high level about compliance program requirements and their value. Alternatively, you can direct them towards an external partner that will assist them in building a compliance program that would meet regulatory scrutiny. Ultimately, when third parties are seeking guidance, it’s a good sign because it shows their commitment to you and their ethical mindset.
Internal and External Compliance Training
Arvanitis: You should have online, web-based training for your third parties and employees that educates them on your organization’s commitment to compliance. If you have the processes internally to support compliance training, your representatives in international jurisdictions should be able to speak to the reasons you seek to provide the training and what the organization’s position is relative to bribery and corruption. If you lack the internal capabilities to provide training, there are external partners that can provide impactful and appropriate training and training technology.
Format and Frequency of Compliance Training
Arvanitis: Trainings should be engaging, entertaining and on a cadence that will encourage absorption of the material. The training schedule and curriculum will be different for every organization and different based on the business’ risk profile and how they go to market. Compliance training every six months is a good place to start, but your organization should not go longer than a year between trainings.
Conducting Reputational Due Diligence in High-Risk Jurisdictions
Arvanitis: In the absence of online information, obtaining in-country source information, often referred to as boots-on-the-ground, is a step that should be considered based on the risks posed by a third party. There are firms that can offer in-network reputational investigations on issues or concerns the business flushes out or faces. If you don’t have the budget for this type of enhanced due diligence, you might want to consider not engaging with that external partner in order to avoid reputational exposure and potential enforcement actions.
For more information on the topic or for help managing the reputational risks inherent in your third-party relationships, please reach out to Kroll Compliance.