Conflicts of interest remain a key risk for management teams across industries and the globe. In Asia Pacific, cultural nuances around tight social networks (such as guanxi in China) and the expectation of using family connections to do business in places such as Indonesia add a level of complexity and delicacy to compliance risks. Historically, these connections have meant safety and trust in business. Connections can also lead to concerns around whether third parties have close and undisclosed links to their employees, which is a gateway for corruption and fraud.
We advocate a two-tiered approach to better understand your third parties. This will help you to identify potential or actual conflicts of interest, and signal potential issues for enhanced monitoring as and when early indicators are detected.
Not your grandfather’s due diligence
Traditional due diligence involves an expensive, manual review of third parties. Some organisations have uniform due diligence processes for hundreds or thousands of third parties, irrespective of the type of relationship. Others have risk-based diligence schemes that are sometimes arbitrary and rarely updated. Static risk ratings result in needless expense or otherwise avoidable fraud costs.
How can due diligence shift to dynamic, cost-effective processes?
Third party verification
Our approach starts with a broad review of third parties, by undertaking low-cost, high-volume verification. By verifying third parties through a number of openly available factors, customised by market, Control Risks assesses the validity and risk of third parties. The results are categorised, allowing clients to determine risk levels and adapt resource allocation accordingly. The verification is cost-effective enough to allow regular refreshes, thereby updating risk ratings in a timely manner.
Savvy clients also leverage their internal data, whether from sales, partners or procurement, first to automate the initial diligence and risk rating of third parties, and second to enrich and optimise these risk ratings on an ongoing basis. This way, resources can be redirected to focus on the intensive and costly diligence and review of third parties consistently flagged as high risk, and less on lower risk third parties.
One way that we recommend our clients assess their third-party risk is through network analysis. Network analysis is an efficient and thorough tool to identify previously unknown or undeclared relationships. Information is captured about many areas of an organisation. Details such as telephone numbers, addresses, company registration numbers, bank account numbers and contact emails can be extracted from a number of sources, such as employee and supplier lists, purchase orders and banking information. Fusing and analysing these together can reveal previously unidentified and undisclosed networks and links.
In one of our investigations, we used network analysis to identify seven different companies that shared a contact email address and telephone number. The companies all provided the same services and invoiced for the same amount, and their invoices were all approved by the same employees. Further investigation found that despite having different directors, the seven companies listed the same sales manager and their invoices lacked appropriate descriptions – all signs of fraudulent payments or money laundering.
However, network analysis is limited by the quantity and quality of data maintained by a company. The more information a company records in its system, the better the results. Additionally, consistency and completeness in data recording across the organisation make analysis easier and allow a comprehensive understanding of who your third parties are.
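The fusing step described above can be sketched as follows. This is an added example, not Control Risks' own tooling: the records, field names and normalisation rules are constructed assumptions. It links suppliers and employees that share a telephone number, email address or bank account and reports each connected group with the identifiers that tie it together.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data): supplier master plus employee list.
RECORDS = [
    {"id": "SUP-001", "kind": "supplier", "phone": "+65 6123 4567", "email": "Sales@alpha.example", "bank": "001-234567-8"},
    {"id": "SUP-002", "kind": "supplier", "phone": "6561234567", "email": "info@beta.example", "bank": "009-111111-1"},
    {"id": "SUP-003", "kind": "supplier", "phone": "+65 6999 0000", "email": "sales@alpha.example", "bank": "009-222222-2"},
    {"id": "SUP-004", "kind": "supplier", "phone": "+65 6555 1212", "email": "ap@gamma.example", "bank": "007-333333-3"},
    {"id": "EMP-017", "kind": "employee", "phone": "+65 6888 7777", "email": "j.tan@corp.example", "bank": "009 111111 1"},
]

def normalise(field, value):
    """Canonical form so formatting differences do not hide a shared identifier."""
    if field == "email":
        return value.strip().lower()
    return re.sub(r"\D", "", value)  # phone and bank account: keep digits only

def linked_clusters(records, fields=("phone", "email", "bank")):
    """Group entities connected through any shared identifier (union-find)."""
    parent = {r["id"]: r["id"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    carriers = defaultdict(list)  # (field, normalised value) -> entity ids
    for r in records:
        for f in fields:
            if r.get(f):  # incomplete records simply contribute fewer links
                carriers[(f, normalise(f, r[f]))].append(r["id"])
    for ids in carriers.values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    groups = defaultdict(set)
    for r in records:
        groups[find(r["id"])].add(r["id"])
    kinds = {r["id"]: r["kind"] for r in records}
    out = []
    for members in groups.values():
        if len(members) < 2:
            continue  # no shared identifier with anyone else
        shared = sorted(k for k, ids in carriers.items() if len(ids) > 1 and set(ids) <= members)
        crosses = len({kinds[m] for m in members}) > 1  # employee tied to a supplier
        out.append({"members": sorted(members), "shared": shared, "employee_supplier_link": crosses})
    return sorted(out, key=lambda c: c["members"])
```

Because links are transitive, an employee who shares only a bank account with one supplier is still grouped with every supplier reachable through that supplier's telephone number or email address.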
You don’t know what you don’t know – advances in compliance monitoring
As mentioned above, having a conflict of interest does not necessarily equate to misconduct. Instead, it is the response and change in behaviour of these individuals and companies that needs to be monitored. Analysing suppliers’ patterns through statistical and red flag analytics can be useful to identify indicators of conflict of interest misconduct. Below are some examples of how this is done.
Supplier spend analysis
Sudden increases in the use of a supplier can be a sign of preferential treatment given to a related party. This is particularly of concern when the company redirects business from established organisations to smaller companies, often under the guise of “price competitiveness”. Further investigations would be required on these suppliers to determine whether procedural vetting and reference checks have been undertaken (often not, if the service was provided urgently) to assess the ability and suitability of these suppliers to properly undertake the work.
Other anomalies, such as duplicate invoice numbers, split payments and inconsistencies in the payment pattern relating to a supplier, can also indicate questionable behaviour, suggesting controls override or fraudulent payments to the related party.
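The red flags named in this section can be expressed as simple rules over an invoice ledger. The following is an added example rather than the firm's own analytics: the ledger is constructed, and the approval limit and spike ratio are assumed thresholds that would need tuning to each organisation's controls.

```python
from collections import defaultdict
from datetime import date

APPROVAL_LIMIT = 10_000  # assumed single-approver threshold; not from the article

# Constructed sample ledger: (supplier, invoice number, invoice date, amount)
INVOICES = [
    ("SUP-A", "INV-100", date(2024, 1, 15), 4_000),
    ("SUP-A", "INV-101", date(2024, 2, 14), 4_200),
    ("SUP-A", "INV-102", date(2024, 3, 15), 3_900),
    ("SUP-B", "INV-7", date(2024, 1, 20), 1_000),
    ("SUP-B", "INV-8", date(2024, 2, 20), 1_100),
    ("SUP-B", "INV-9", date(2024, 3, 5), 6_000),
    ("SUP-B", "INV-10", date(2024, 3, 5), 5_500),
    ("SUP-B", "INV-9", date(2024, 3, 28), 6_000),
]

def red_flags(invoices, limit=APPROVAL_LIMIT, spike_ratio=3.0):
    """Return sorted (flag, supplier, detail) tuples for three supplier red flags."""
    seen = defaultdict(int)                            # (supplier, invoice no) -> count
    by_day = defaultdict(list)                         # (supplier, date) -> amounts
    by_month = defaultdict(lambda: defaultdict(float)) # supplier -> month -> spend
    for sup, no, day, amt in invoices:
        seen[(sup, no)] += 1
        by_day[(sup, day)].append(amt)
        by_month[sup][(day.year, day.month)] += amt
    flags = []
    # Duplicate invoice numbers from the same supplier.
    for (sup, no), n in seen.items():
        if n > 1:
            flags.append(("duplicate_invoice", sup, no))
    # Split payments: same-day invoices each under the limit but over it combined.
    for (sup, day), amts in by_day.items():
        if len(amts) > 1 and max(amts) < limit <= sum(amts):
            flags.append(("split_payment", sup, day.isoformat()))
    # Sudden increase: a month's spend versus the average of all earlier months.
    for sup, months in by_month.items():
        ordered = sorted(months)
        for i, m in enumerate(ordered[1:], start=1):
            baseline = sum(months[p] for p in ordered[:i]) / i
            if months[m] >= spike_ratio * baseline:
                flags.append(("spend_spike", sup, f"{m[0]}-{m[1]:02d}"))
    return sorted(flags)
```

A flag here is a prompt for the follow-up vetting the text describes, not a finding of misconduct.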
Sales and purchase pricing monitoring
Sales pricing is another excellent area to monitor for compliance and other risks. Average prices, discounts and even metadata around manual changes in sales systems contain valuable insights into what is happening in the business. Clients have discovered the inappropriate behaviour of sales staff towards friends and family (offering discounts to friends and family creatively disguised across sales orders) and distributors (colluding with employees to falsely funnel customers into their sales pipeline) by such means. Through proactive monitoring, companies can avoid fraud and abuse schemes caused by conflicts of interest that can last for years.
Can you afford to wait?
Combining an understanding of who your third parties are and how they behave is vital to uncovering misconduct associated with conflicts of interest, and this can be best done through data.
Despite periodic disclosure processes mandated by most organisations, conflicts of interest are usually identified by a whistleblower. According to recent fraud surveys, the length of time of an uncovered fraud scheme is usually more than a year, resulting in compound losses. Knowing your third parties used to be a manual, process-driven and trust-based part of compliance. With advances in analytics and the movement of business in an ever more online direction, now is a great time to consider how you can exploit these methods for managing your knowledge of conflicts of interest.