Third-party management matters. A lot.

The new Economic Crime and Corporate Transparency Act 2023 has put an added focus on the potential exposure originating from third-party relationships. Larger organisations can now be liable for fraud committed by associated persons.

This is not new. Over the years, US enforcement agencies have held organisations accountable for failure to prevent bribery and corruption, sanctions and export control violations involving third parties, such as agents, intermediaries and distributors. The UK’s Bribery Act 2010 introduced corporate liability for failure to prevent bribery committed on an organisation’s behalf.

Third-party relationships pose a significant risk for many organisations. The solution lies in establishing a robust and effective third-party management process beyond just compliance with laws.

Managing risks throughout the lifespan of third-party relationships.

While many organisations nowadays employ a risk-based approach to third-party due diligence, it’s only the first step. The next question that needs to be answered is what the organisation does with the information it collects, how it controls the risks associated with dealings with third parties throughout the engagement, and, importantly, how it monitors these relationships over time.

A well-designed compliance program should apply risk-based due diligence throughout third-party relationships, from pre-engagement and contracting stages to ongoing monitoring and post-closing review.

It all starts with the risk assessment.

As with other elements of effective compliance programs, it all starts with identifying and evaluating risks.

Assess the risks associated with the geographical footprint (does the third party operate in high-risk countries?), the business activity and transactional profile, and the third party’s “identity” risk profile: operational risks, regulatory and enforcement risks, ownership, country of origin and sourcing, use of subcontractors, and relationships with governments and public officials. Pay particular attention to money laundering, sanctions and export controls, modern slavery and child labour, and bribery and corruption risks.

The identified risks should frame your controls and your third-party management framework.

And it’s important to remember that one size does not fit all. Apply higher scrutiny to higher-risk relationships. With ever-limited compliance resources, it is essential to use those wisely and target the areas that represent higher exposure for the organisation. Nor do you want to create an unnecessary burden on business.

Effective business processes are critical.

Organisations often face compliance issues not due to weak compliance procedures or internal controls but rather immature business processes. Proactive and effective third-party management is critical to an organisation’s ability to detect and prevent misconduct.

When assessing your third-party compliance control framework, start with understanding the business processes: how does the organisation engage with third parties? How are those assessed from a commercial and business perspective? How does contract management work? Who manages those relationships? How is third-party performance managed and documented?

Embedding compliance processes.

In my experience, compliance processes and controls are only effective when embedded into and operated as a part of the relevant business process, with “ownership” retained at the business owner level.

  • Pre-engagement due diligence: collect information about the third party, their senior leaders, directors and owners, including ultimate beneficial owners, the business rationale for entering the transaction, compensation terms, and any third-party stakeholders directly or indirectly involved in the relationships (agents, Politically Exposed Persons, or active or former Public Officials), red flags, reputation and history of past compliance violations. Sanctions and AML screening are essential at this stage. Apply enhanced DD when warranted.
  • Assess the risks associated with the nature of relationships, type of engagement, third-party geographical footprint, and operational profile. Apply higher scrutiny to higher-risk relationships. Use collected data to tailor your controls and ongoing monitoring set-up.
  • Embed conduct expectations, compliance with law requirements and policy standards into the contract. Ensure you have appropriate audit rights, remedies for non-compliance (indemnities, liabilities, recourse), exit rights, and potential misconduct disclosure obligations.
  • Hand over the contract to business owners. Ensure relationship managers monitor the third party’s performance and adherence to the standards of conduct and contract terms. Train your procurement and business teams on risks and how to manage them. Refresh your due diligence and screening periodically (risk-driven re-assessment).
  • Embed compliance controls into the business and operational processes. Track red flags and ensure risk remedial actions are implemented promptly. Compliance certification and self-assessments, supported by risk-based audits, are helpful tools in your assurance toolbox.
  • Where non-conformities are identified, business owners must ensure those are duly escalated, investigated and responded to. Root-cause analysis allows you to identify system weaknesses and improve the control framework. Ask internal audit to re-check the effectiveness of remedial actions over time.
  • Upon exit from the relationships, evaluate whether compliance controls and ongoing monitoring were adequate, learn lessons and use those to improve the compliance control framework.

Subcontractor management.

Subcontractors often go unnoticed by many compliance teams, posing a hidden risk. Sanctions and export control violations, money laundering and tax evasion, bribery and corruption and modern slavery and child labour risks might be hidden deep in your supply chain. It’s essential you can detect those in a timely manner.

  • For high-risk engagements, extend your due diligence to substantial subcontractors. Understand the transactional risk profile, business rationale, ownership, geographical footprint, dealings with public officials and sources of supply, and factor those into your third-party risk assessment.
  • Require the main contractor to flow down business conduct standards and compliance obligations back-to-back.
  • The main contractor is responsible for their subcontractors. Require them to monitor subcontractors' performance and conduct, periodically refresh risk-based due diligence, and implement subcontractor management processes. Identified red flags are to be escalated.
  • Where warranted, implement annual compliance self-assessment and compliance certifications. Audit those with lower scores and systematic weaknesses.

Ongoing compliance monitoring.

Ongoing monitoring allows you to close the feedback loop that starts with pre-engagement due diligence. It gives you a 360-degree view of third-party relationships.

  • Use the outcomes of pre-engagement due diligence to define the level of ongoing monitoring.
  • Ensure ownership, roles and responsibilities are assigned. Relationship owners are best positioned to oversee third-party ethical practices. Train them and help them spot red flags.
  • Compliance is another business KPI. Include it in the management reporting and escalation process.
  • A Plan-Do-Check-Act framework builds a sound basis for a systematic approach to problem-solving and continuous improvement. If a non-conformity is identified, ensure the issue is escalated and investigated. Use root-cause analysis to drive system improvements. Remedial actions are to be tracked and completed promptly.

The new “failure to prevent fraud” offence makes an effective compliance oversight of third-party engagements a must-have. Building it requires a strategic and structured approach and seamless integration with business processes.

If you would like to have a further discussion on any of the above, please get in touch. I will be happy to help.

See you in two weeks!


Comhla Intelligent Compliance

At Comhla, we are driven by a mission to revolutionise the way organisations approach compliance and misconduct prevention. We leverage cutting-edge applied research in behavioural science, actionable data insights, compliance, internal controls and regulatory expertise to help our clients identify and target conduct risks before misconduct occurs. We believe that each organisation should be proactive about maintaining business integrity. By going the extra mile to provide evidence-backed solutions tailored to our customers' unique needs, we enable them to maximise Compliance ROI while increasing the effectiveness and impact of their prevention strategies.

Follow us on LinkedIn: https://www.linkedin.com/company/comhlaic

Learn More https://comhla.co

We aim to publish once a fortnight. The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.
