It is easy to be overwhelmed by the overall risk profile of your third-party population. The best way to tackle the problem is by defining specific problems and risks and then analyzing a subset of third parties as to this specific problem or risk.
On the operational side, the business can guide this inquiry, especially procurement professionals who should be familiar with the direct and indirect suppliers, the need for specific vendors and suppliers, and the overall importance of the specific vendor’s products or services. This requires a complete understanding of the company’s manufacturing or service-provider operations and where each vendor category fits in as to importance, geographic location, and commercial relationship.
On the legal side, there are various key issues that have to be examined to unearth relevant risks and considerations. The classic example — does the third party interact with government officials on behalf of the company? This inquiry concerning representation of the company is a quick way to identify a significant risk and focus on anti-corruption risks.
Within that category of third parties, the inquiry then leads to additional layers of risk relating to types of interactions (e.g. customs, sales/tenders to government, regulatory inquiries, payment of foreign taxes), beneficial ownership, countries of operation, prior history of corruption, legal status and documentation. While this may sound simplistic, the key here is to consistently address and measure these issues across the relevant segment of the third-party population and apply risk-ranking weights to rank the third parties within the segment.
With respect to sanctions risks, the geographic locations of the third parties, the specific role of each third party (e.g. distributor or vendor, each of which carries distinct risks), and annual revenue (as a proxy for frequency and importance of transactions) are important inquiries. To identify potential prohibited or restricted parties, beneficial ownership has to be examined as well so that the 50 Percent Rule and other analyses can be applied to the risk analysis.
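The two ideas above, aggregating beneficial ownership under the 50 Percent Rule and then applying risk-ranking weights across a segment, can be made concrete in a small script. The following is an added example written for this article, not code from the author or from any screening vendor. It assumes the commonly stated form of the rule (an entity is treated as blocked when blocked persons, directly or through entities that are themselves blocked, hold 50 percent or more in aggregate), and the risk factors, weights, entity names and shareholdings are constructed for illustration, not taken from any real list.

```python
"""Beneficial-ownership aggregation (50 Percent Rule) and weighted risk ranking.

All names, percentages, factors and weights below are constructed sample data
for illustration; they are not real designations or a recommended weighting.
"""
from typing import Dict, List, Set, Tuple

# Aggregate ownership percentage at which an entity is treated as blocked.
BLOCKED_THRESHOLD = 50.0

# Hypothetical risk-ranking weights for the factors discussed in the article.
WEIGHTS = {
    "government_interaction": 3.0,   # interacts with officials on the company's behalf
    "high_risk_country": 2.0,        # operates in a high-risk jurisdiction
    "prior_corruption_history": 3.0, # adverse history found in diligence
    "opaque_ownership": 2.0,         # beneficial ownership could not be fully documented
    "sanctions_hit": 5.0,            # blocked under the 50 Percent Rule analysis below
}


def blocked_entities(holdings: Dict[str, Dict[str, float]],
                     designated: Set[str]) -> Set[str]:
    """Return entities owned >= 50% in aggregate by blocked persons.

    holdings maps entity -> {owner: percent held}. Ownership through an
    intermediate entity only counts once that intermediate is itself blocked,
    so the loop repeats until no new entity becomes blocked (a fixed point).
    """
    blocked: Set[str] = set(designated)
    changed = True
    while changed:
        changed = False
        for entity, owners in holdings.items():
            if entity in blocked:
                continue
            share = sum(pct for owner, pct in owners.items() if owner in blocked)
            if share >= BLOCKED_THRESHOLD:
                blocked.add(entity)
                changed = True
    # Report only entities derived by the rule, not the designated persons themselves.
    return blocked - set(designated)


def risk_score(factors: Dict[str, bool]) -> float:
    """Sum the weights of every factor flagged True for one third party."""
    return sum(WEIGHTS[name] for name, present in factors.items() if present)


def rank_segment(third_parties: Dict[str, Dict[str, bool]],
                 blocked: Set[str]) -> List[Tuple[str, float]]:
    """Rank a segment of third parties by score, highest risk first.

    The sanctions_hit factor is derived from the ownership analysis rather than
    entered by hand, so the two inquiries stay consistent.
    """
    scored = []
    for name, factors in third_parties.items():
        factors = dict(factors, sanctions_hit=(name in blocked))
        scored.append((name, risk_score(factors)))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed shareholding graph: "Person P" is the only designated party.
SAMPLE_DESIGNATED = {"Person P"}
SAMPLE_HOLDINGS = {
    "Holdco A": {"Person P": 50.0, "Founder F": 50.0},
    "Distributor Y": {"Holdco A": 40.0, "Person P": 10.0, "Public Float": 50.0},
    "Vendor Z": {"Holdco A": 30.0, "Unrelated Investor": 70.0},
}

# Constructed diligence findings for the same segment of third parties.
SAMPLE_SEGMENT = {
    "Distributor Y": {"government_interaction": True, "high_risk_country": True,
                      "prior_corruption_history": False, "opaque_ownership": False},
    "Vendor Z": {"government_interaction": False, "high_risk_country": True,
                 "prior_corruption_history": True, "opaque_ownership": True},
    "Agent Q": {"government_interaction": True, "high_risk_country": False,
                "prior_corruption_history": False, "opaque_ownership": True},
}


def run_sample() -> Tuple[Set[str], List[Tuple[str, float]]]:
    """Run both analyses over the constructed data and return the results."""
    blocked = blocked_entities(SAMPLE_HOLDINGS, SAMPLE_DESIGNATED)
    return blocked, rank_segment(SAMPLE_SEGMENT, blocked)


if __name__ == "__main__":
    blocked, ranking = run_sample()
    print("Blocked under 50 Percent Rule:", sorted(blocked))
    for name, score in ranking:
        print(f"{name:15s} score={score}")
```

In the sample, Holdco A is blocked by Person P's direct 50 percent stake, and Distributor Y is then blocked because Holdco A's 40 percent counts in full once Holdco A is blocked and is added to Person P's direct 10 percent. Vendor Z stays below the threshold at 30 percent but still ranks high on the other factors, which is the point of weighting the inquiries rather than relying on any one of them.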
Depending on the level and overall specific risk factors identified, mitigation strategies should be designed to address these specific risks. Contractual representations and assurances are, of course, important. But we have all observed too many cases where such representations are easily secured but have no meaningful impact on third-party behavior. Nonetheless, they are an important first step, especially where contractual representations address a specific risk identified during the onboarding process.
The “game changing” practice, however, is in the adoption of proactive monitoring strategies that respond to specific risks — several examples include:
(1) end-user certificates and documentation reviews to ensure that third-party distributors do not sell products to prohibited countries, entities or individuals;
(2) financial transaction sampling to monitor transactions between the company and the third-party and then the subsequent resale of products to the end-user customer; and
(3) high-risk partnerships and in-person inquiries concerning interactions between company and third-party.
Without belittling other monitoring systems, such as adverse media notifications and alerts, the bread and butter of monitoring requires getting into the trenches. This means sampling specific high-risk transactions to examine documentation and certification compliance. Following the money is a time-tested and relevant way to stay on top of your third party. And dedicating time and effort to managing high-risk third parties is a productive strategy for unearthing risky developments.
Remote monitoring strategies such as transaction and financial sampling are the best way to identify potential irregularities. This initial inquiry usually leads to additional questions and inquiries. Of course, third-party misconduct can be hidden and false documentation can be used to avoid scrutiny, but often there are subtle but important signs of such behavior. The important point is that as these concerns arise they need to be addressed and not ignored. Often, what starts out as a “routine” follow-up will lead to exposure of a bigger problem.
Aside from a proactive monitoring strategy that is tailored to higher-risk third parties, an overall audit program and strategy for third parties can be used to supplement management of your third-party risks. If your company has a relatively small number of high-risk third parties, a rotating schedule of formal audits can be applied. In these days of remote connections, a formal audit does not require boots on the ground at the third party’s premises — there are a number of tasks, including interviews, that can be conducted remotely in order to save time and money. Financial data is usually accessible remotely. Remote audits have their limitations, but in this day of difficult and expensive travel such audits may become more the norm than the exception.
For lower-risk third parties that have not been flagged through any proactive monitoring strategy, the time for assessment and re-evaluation usually arises when the third-party contract expires (assuming there is a contract). At renewal, a fresh examination and assessment may be conducted, and third-party risk can then be evaluated again with any new measures applied as needed to mitigate risks.