This week, I am exploring some of the compliance service offerings I make available to the compliance community through my consulting company, Advanced Compliance Solutions. Today, I explore third party check-ups.
When was the last time you considered the health of your company’s third-party management program? A good way to test that well-being is to perform a check-up on your program. Inspired by an article from Marjorie W. Doyle with input from Diana Lutz, I can provide to you a review of your third-party program. It would include the following areas of exploration.
Do you have a database of all your third-parties and their information? (Or is it still in a spreadsheet?) In this step, I would review the full list of all third-parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third-party and primary contact, due diligence files and any other information you might need to manage the third-party relationship going forward.
Have you done a risk assessment of your third-parties and prioritized them by level of risk? Here I would check and double-check which third-party services present the greatest risk to your company by asking some of the following questions: (a) Is the third-party’s service critical to your business?; (b) Is the third-party’s service performed with little company supervision or oversight?; (c) Does the third-party have access to any company funds, resources or assets?; (d) Can the third-party fund the company contractually?; and (e) Does the third-party obtain any foreign governmental licenses, certifications or other approvals for your company? When was the last time you asked these questions of the Relationship Manager?
Do you have a due diligence process for the selection of third-parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” From this starting point, I would assign risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third-party. Finally, how often does your company receive updated due diligence reports? Is it on a daily, quarterly, semi-annual or annual basis?
Once the risk categories have been determined, we would then move to revise your written due diligence process. Obviously, you need to have a written policy and defined procedures to implement your due diligence policy. However, when was the last time it was reviewed or updated? What happens if you, the compliance professional, wins the lottery (or gets run over by a bus)? Would a substitute know what to do or would there be a written reference for your replacement? You should consider the following: (a) who is responsible for implementation; (b) list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third-parties; (e) procedures for in-person interviews for third-parties in a high-risk category; (f) conflicts of interest checks; and (g) process for documentation and storage of the information.
Once the third-party has been selected based on the due diligence process, I would review all contracts to ensure appropriate compliance terms and conditions are in place. However, I would also ask, when was the last time you considered your compliance terms and conditions or reviewed all of your third-party contracts to ascertain if they include the following required terms: (a) anti-corruption and anti-bribery certification; (b) requirement that the third-party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third-party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) require the third-party to obtain pre-approval to subcontract out any of its work for your company; (g) require the third-party to report any ownership change back to your company; and lastly (h) clear termination rights.
Does your company use Relationship Managers for third-party management? For just as your company would never have an employee who is not supervised, your company should not have a third-party which does not have company oversight. Do you rotate Relationship Managers? What training has the compliance function provided to them as the company’s point of contact for third-parties?
When did you last check your third parties for any new red flags which may have arisen after the initial due diligence was performed or completed? At what interval do you update or renew your due diligence? How about a change from the company side regarding sales, sales practices, products or services which might become high-risk?
Many companies understand the maxim “know your customer” (KYC) nevertheless, in today’s global economy this maxim may well need to be expanded to “know your third-party” (KYTP). The bottom line is that there is no out when it comes to third-party risk management and third-party compliance efforts. A good place to start is with a third-party checkup program.
A third-party check-up can go a long way towards identifying any gaps in your third-party risk management program. If you would like any more information, give me a shout.