Frankly, this is a topic that requires more than a single blog post. Books and podcasts can be organized around it with helpful ideas and guidance. With that in mind, I will try to synthesize some important ideas that may be helpful.
We all know that many companies “monitor” their third-party risks, for example, by subscribing to data services as part of a risk-management platform that notifies the company if an adverse event arises involving a specific third-party distributor, vendor or supplier. Let’s move beyond this and focus on what information generated by a compliance program should be monitored on a continuous basis. A short-hand for this task is building a real-time compliance dashboard — which will be the subject of an upcoming webinar and blog series.
In terms of relevant information, continuous monitoring functions can be built around two types of source material — quantitative (i.e. data) and qualitative. When making decisions in this area, the evaluation of information sources should be prioritized according to the company’s risk profile: what are the most significant risks facing the company, and how well are we mitigating them? Based on a gap analysis, we can then prioritize the topics to focus on when monitoring.
Within the quantitative category, we need to design data collection and analysis for the relevant categories of information. A compliance program generates a significant amount of information, and tailoring that data is important. For example, assume we have identified third-party risk as significant, and that the business adds a large number of third parties over the course of a year. In response, we should monitor the onboarding process to track, every few weeks or every month, where and what types of third parties are being onboarded. As this monitoring data accumulates, comparing the risks and operations of the new third parties against our existing third-party population may show that the program needs more frequent testing and sampling of third-party risk.
To focus on this issue, we collect and analyze data for the new third-party population (country, expected revenue, interactions with government officials, type of third party, and presence of government ownership or connections). In some cases, we may request specific documentation relating to the due diligence process, the contract and the initial business transactions. By reviewing some of these initial business documents we may be able to identify risks and potential issues of concern.
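As an added illustration, not code from the original post, here is how the onboarding data described above could be rolled up for a dashboard in Python: each record carries the attributes listed (country, expected revenue, interactions with government officials, type of third party, government ownership), onboarding is summarized per month, the high-risk share of the new population is compared with the existing population to decide whether sampling should be stepped up, and the high-risk newcomers whose due-diligence file and contract should be pulled are listed worst-first. The scoring weights, the high-risk threshold, the placeholder country codes "AA"/"BB" and every third-party record are assumptions constructed for the example; a real program substitutes its own country risk ranking and scoring model.

```python
"""Constructed example: roll third-party onboarding data into dashboard figures
and decide whether the new population warrants more sampling."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumed, illustrative country risk list using placeholder codes (not real rankings).
HIGH_RISK_COUNTRIES = {"AA", "BB"}
# Assumed: intermediaries that deal with customers or officials on the company's behalf.
INTERMEDIARY_TYPES = {"agent", "distributor"}
HIGH_RISK_THRESHOLD = 3  # assumed score at which a third party counts as high-risk


@dataclass(frozen=True)
class ThirdParty:
    name: str
    onboarded: date
    country: str
    expected_revenue: float       # expected annual revenue, reporting currency
    government_interaction: bool  # will it interact with government officials?
    category: str                 # supplier, reseller, agent, distributor, ...
    government_owned: bool        # government ownership or connections


def risk_score(tp: ThirdParty) -> int:
    """Assumed additive score over the attributes the post says to collect."""
    score = 0
    if tp.country in HIGH_RISK_COUNTRIES:
        score += 2
    if tp.government_interaction:
        score += 2
    if tp.government_owned:
        score += 2
    if tp.category in INTERMEDIARY_TYPES:
        score += 1
    if tp.expected_revenue >= 1_000_000:
        score += 1
    return score


def is_high_risk(tp: ThirdParty) -> bool:
    return risk_score(tp) >= HIGH_RISK_THRESHOLD


def onboarding_summary(third_parties):
    """Per-month dashboard rows: how many onboarded, where, of what type, how many high-risk."""
    summary = {}
    for tp in third_parties:
        month = tp.onboarded.strftime("%Y-%m")
        row = summary.setdefault(month, {"total": 0, "high_risk": 0,
                                         "by_country": Counter(), "by_type": Counter()})
        row["total"] += 1
        row["high_risk"] += int(is_high_risk(tp))
        row["by_country"][tp.country] += 1
        row["by_type"][tp.category] += 1
    return summary


def high_risk_share(third_parties) -> float:
    tps = list(third_parties)
    return sum(is_high_risk(tp) for tp in tps) / len(tps) if tps else 0.0


def needs_more_sampling(existing, new, tolerance=0.10) -> bool:
    """True when the new population's high-risk share exceeds the existing baseline by more than tolerance."""
    return high_risk_share(new) > high_risk_share(existing) + tolerance


def document_request_queue(new):
    """High-risk new third parties, worst first: the ones to pull due-diligence files and contracts for."""
    queue = [tp for tp in new if is_high_risk(tp)]
    return [tp.name for tp in sorted(queue, key=lambda tp: (-risk_score(tp), tp.name))]


# Constructed sample data (fictitious names, countries and figures).
EXISTING_THIRD_PARTIES = [
    ThirdParty("Alpha Ltd", date(2023, 3, 10), "DE", 200_000, False, "supplier", False),
    ThirdParty("Beta GmbH", date(2023, 4, 2), "DE", 1_500_000, False, "supplier", False),
    ThirdParty("Gamma SA", date(2023, 5, 15), "FR", 300_000, False, "reseller", False),
    ThirdParty("Delta Co", date(2023, 6, 1), "US", 2_000_000, True, "agent", False),
    ThirdParty("Eps Inc", date(2023, 6, 20), "US", 100_000, False, "supplier", False),
    ThirdParty("Zeta LLC", date(2023, 7, 11), "AA", 400_000, False, "distributor", False),
    ThirdParty("Eta Ltd", date(2023, 8, 3), "GB", 50_000, False, "supplier", False),
    ThirdParty("Theta Oy", date(2023, 9, 9), "FI", 800_000, False, "supplier", False),
    ThirdParty("Iota BV", date(2023, 10, 14), "NL", 600_000, False, "reseller", False),
    ThirdParty("Kappa AG", date(2023, 11, 22), "CH", 900_000, False, "supplier", False),
]
NEW_THIRD_PARTIES = [
    ThirdParty("Lambda SARL", date(2024, 1, 8), "AA", 250_000, True, "agent", False),
    ThirdParty("Mu Ltd", date(2024, 1, 25), "GB", 120_000, False, "supplier", False),
    ThirdParty("Nu SA", date(2024, 2, 6), "BB", 700_000, False, "distributor", True),
    ThirdParty("Xi Corp", date(2024, 2, 19), "US", 3_000_000, False, "supplier", False),
    ThirdParty("Omicron plc", date(2024, 3, 4), "BB", 150_000, True, "supplier", False),
    ThirdParty("Pi GmbH", date(2024, 3, 27), "DE", 90_000, False, "reseller", False),
]

if __name__ == "__main__":
    for month, row in sorted(onboarding_summary(NEW_THIRD_PARTIES).items()):
        print(month, row["total"], "onboarded,", row["high_risk"], "high-risk,", dict(row["by_country"]))
    print("baseline high-risk share:", high_risk_share(EXISTING_THIRD_PARTIES))
    print("new-population high-risk share:", high_risk_share(NEW_THIRD_PARTIES))
    print("increase sampling:", needs_more_sampling(EXISTING_THIRD_PARTIES, NEW_THIRD_PARTIES))
    print("request documents from:", document_request_queue(NEW_THIRD_PARTIES))
```

With the constructed data, the existing population is 20% high-risk while the newly onboarded population is 50% high-risk, so the comparison flags the need for more frequent sampling and queues the three high-risk newcomers for a document request. The tolerance argument is the judgment call the post describes: how far the new population may drift from the baseline before testing frequency changes.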
On the qualitative side, assume the company runs a high-risk third-party partnership program in which each high-risk third party identified under the risk management program is assigned an internal manager who holds regular “check-ins” with it. To monitor the high-risk third party, a compliance officer can interview that manager, learn about any issues of concern, and encourage the manager to raise any issues that may arise in the future.
On a broader scale, and to drill down on issues, companies may consider conducting “compliance workshops” in which managers and employees discuss relevant topics and observations. Two other useful techniques are surveys and focus groups. Internal surveys targeted at specific lines of business, countries of operation or other categories may provide helpful insights. Equally valuable are focus groups organized along specific shared categories — countries, types of products and services, and other relevant classifications.
Together, quantitative and qualitative information can provide a meaningful picture of a business operation and its compliance performance. Beyond the examples discussed above, data and qualitative information can provide helpful insights on a number of important topic areas, including: (1) conflicts of interest; (2) policies and procedures (compliance with the specific controls derived from specific policies and procedures); (3) training; (4) incident reporting, management and response; (5) ethical culture; (6) internal investigations (focus and performance); and (7) related financial controls (e.g. gifts, meals and entertainment, discounts and rebates, payables and receivables).