Building or overhauling your compliance programme can be a daunting prospect. Where do you start?
Third parties pose a substantial risk to your organisation. An effective and robust compliance programme is critical, as companies can be held accountable and risk reputational damage as a result of illegal actions, poor decisions, or actions taken for or across business operations by third parties.
Important questions to ask about any third party you are planning to work with:
- Does the company exist?
- Is it legal to work with this entity?
- Is this the kind of company we are proud to work with?
- Has it broken the law?
- Is it linked to a government?
- Can it deliver the service?
- Is it financially stable?
Most importantly: How will I manage the potential risks this third party poses to my organisation?
Control Risks VANTAGE can assist in answering all the above questions and more with our Due Diligence products and Compliance Solutions.
1. Evaluate (or design) your policies
Decide the outcome you want your transformation to achieve and then work backwards. Consider each scenario that requires a compliance overview and map out the steps it should go through before sign-off. As a basic structure, we would recommend an initial assessment, a risk-based review, evaluation of the result, mitigation measures and a regular refresh.
No matter the maturity of your compliance approach, or whether you need assistance on building new policies and procedures or improving your existing ones, VANTAGE is here to assist.
Through VANTAGE Design, you can access compliance experts who have both in-house experience and extensive experience providing our solutions to clients across multiple sectors and geographies. These experts will guide you through or review your current procedures to help you build a policy and vet procedures in a manner that suits your organisation, industry and risk appetite.
2. Review your third-party base
Once you have your policy and compliance processes in place, it is important to review your third-party base.
Consider:
- who you will be interacting with
- where in the world they are
- where the services will be provided
- what kind of contracts and permits are needed
- what kinds of activities they are undertaking
- how much you plan to spend with them
You should also consider the risks associated with each of these.
A technology solution such as VANTAGE Platform can help you streamline this process. VANTAGE Platform can be utilised directly or integrated with your own systems via an API. Having an overall view of all third parties and their associated risks is a vital step to implementing a risk-based approach.
3. Implement a risk-based approach
It is best to adopt a risk-based approach when it comes to tackling compliance. It is unlikely that your office coffee provider will require the same amount of due diligence as a sales agent working with a government to win contracts on your behalf.
Reviewing your third-party population and the risks that each relationship poses to you is the best way to start. By categorising the risk types, you can prioritise the order in which you review as well as determine the level of diligence conducted on each third party. Estimating the risk using parameters such as country-specific, activity-specific or contract-value rules across a population can provide a good guideline.
An essential first step of the process is to run all your third parties through an automated database search, such as VANTAGE Screening, to identify any potential sanctions risks that could prohibit you from doing business with the third party. This can be an introductory activity conducted in parallel with the risk assessment and will likely be enough for the majority of your third parties.
Following this assessment, a more nuanced approach to review is recommended. Once you have identified the higher risk third parties, you can determine the appropriate level of diligence. Do you need a report highlighting red flags or a deeper-dive insight report with targeted interviews for commentary on the general reputation of the third party?
4. Assess the risks to your organisation
Some organisations may have a broader focus on reputational issues and how a third party’s reputation could impact them, while others will begin their focus on the Anti-Money Laundering (AML)/Anti-Bribery and Corruption (ABC) risks. And others still will have moved to consider all of these risks plus those in the Environmental, Social, Governance (ESG) space.
Your consideration of risk will be linked to legal requirements your organisation is obliged to meet as well as its risk appetite. By adding VANTAGE Assess, one of our compliance specialists will take the findings of a VANTAGE Screening or Diligence report and put them into context for your organisation, providing a risk assessment that mirrors your policies and approach to risk.
Our assessment of the impact will be conducted as an extension of your in-house Compliance Team and will provide suggestions for mitigation, saving you time and freeing up capacity for you and your team to focus on what really matters and make priority decisions.
5. Mitigate the risks found
Once you have identified the various risks in your third-party population, it is important to mitigate these risks. This could include conducting additional checks, asking for additional information from the third party, conducting compliance-focused interviews, requiring the third party to conduct training, or adding certain clauses to the contract.
These are just some examples of measures that you could implement to mitigate a risk posed by your third parties. Through VANTAGE Act, we can take on this burden and assist with implementing such measures to manage the risks identified from your vetting process.
6. Monitor the future
In addition, it is best practice to set review dates for each third party, and to re-run due diligence checks on a regular basis, typically every 1 to 3 years depending on risk. The owners of a third party can change, its relationships with a government can develop, or the political climate of a country can evolve.
Furthermore, the way you work with the third party could have changed, your spend could have increased and the services they provide may have altered, resulting in increased risk exposure. This is why when assessing the mitigation required, you should also set a review cadence for each third party to remind you to reassess the inherent risk posed, consider any new or increased risks and ensure that your mitigation measures are still effective.
7. It takes time
Start as soon as you can. Do not wait for perfect data or to have the perfect programme in place. Begin with what you have, and you will learn, adapt and improve as you go.
And remember: you cannot review everything overnight. The first steps may feel small, but they will have a huge impact on the future of your compliance programme and will lay the groundwork for success.
If you are struggling to resource the day-to-day management and steps in your compliance programme and need assistance to gather, review, analyse and make decisions on next steps, VANTAGE Manage can assist you. Whether it be for short- or long-term support, you can outsource any or all elements of your compliance programme to our team who will run the third party through the vetting process on your behalf according to your instructions and unique requirements.
Time to get started
As you transform and develop your Compliance function, the more data you gather on risks and mitigation actions, the more informed you will be when making future decisions. This enables streamlining and efficiencies in your decision making, as each decision contributes to a matrix forming a blueprint for how all future decisions should be made.
While it may appear daunting, getting started is the first step to learning about, analysing and addressing the risks in your third-party universe.