Mariette Cutler (mariette.cutler@gmail.com) is Managing Director of Risk Navigation Group Inc. in Chicago Illinois, USA.
Well-designed compliance programs should apply risk-based due diligence to their third-party relationships. The main takeaway from the DOJ guidance[1] is the phrase “risk-based.” Risk is part of doing business, and eliminating too much of it can hamper company growth. Even with unlimited money, time, and energy invested in a due diligence program, you can never eliminate all risk, including third-party risk. There is no one-size-fits-all approach to mitigating this type of risk, but there are some things to keep in mind when a red flag shows up in the due diligence process. A red flag does not mean per se that a company cannot do business with the third party; it means the company must decide whether it wants to do business with this third party, given the red flag.
Screening for red flags
Each red flag comes with specific, but sometimes limited, information on which to base decisions. The more information that can be used to screen the third party, the more accurate the results will be. Once a third party is screened, the first step is to analyze the information that the screening provides, such as:
- Third party’s name: Does the name match fully, or is there merely a fuzzy match? Do not discount aliases, but ensure that the red flag indeed concerns the third party that was intended to be screened.
- Location: Is the screened third party located in the same place as the red flag? Sometimes there will be a match in name, but the third party is flagged in a different country. This tends to happen with common proper names.
- Nature: What event caused the red flag? If the third party was convicted of money laundering and served time in jail, they may not be the best finance consultant for an overseas operation with limited oversight. However, if the third party is related to a politically exposed person (i.e., someone whose prominent position may make them more susceptible to bribery or corruption), there may be simple and effective controls that can keep the risk limited.
- Time frame: When did the cause of the red flag occur? Was it a 20-year-old case that is irrelevant to today’s business, or a politically exposed person flagged within the last six months? The recency of the red flag event should be considered as part of the overall analysis.
- Full company/single division: Does the red flag indicate trouble at the corporate level and throughout all divisions, or was it a single event at a specific division?
- Business relationship: What is the business rationale for the third party? In the case of a sole-source supplier, there may be few or no alternatives. In the case of commodities, alternative suppliers could be considered.
The risk analysis phase of the due diligence process will identify: (1) false positives that can be ignored, (2) red flags that are true but not applicable to the specific situation, and (3) red flags that should be evaluated further. As the due diligence program matures, the screening algorithm should be refined to reduce false positives, which waste valuable time that could be spent investigating red flags that are true warning signs. Those are the red flags that require the business to decide whether to move forward with the flagged third party or find an alternate business partner. The business decision will come down to the acceptable level of risk.
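As an added example (not from the article, and not any screening vendor's logic), the following Python script applies the criteria above to a batch of screening hits and sorts them into the three buckets just described, plus a hard stop for list-based prohibitions. The party, the hits, the list names, the similarity threshold and the ten-year relevance window are all constructed assumptions; a real program would tune the threshold and window from its own false-positive history.

```python
# Added example, not the article's own code: first-pass triage of
# watch-list screening hits. All names, list names, thresholds and
# sample data below are constructed assumptions for illustration.
import re
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher


@dataclass
class ThirdParty:
    name: str
    country: str          # ISO 3166-1 alpha-2 code, as screening data would use


@dataclass
class ScreeningHit:
    listed_name: str
    country: str
    list_name: str        # e.g. "denied persons", "pep", "adverse media"
    event_date: date      # when the underlying event occurred
    scope: str            # "corporate" or "division"
    summary: str


# Assumed tuning knobs; a maturing program adjusts these to cut false positives.
HARD_STOP_LISTS = {"denied persons", "sanctions"}
FUZZY_THRESHOLD = 0.85    # below this the names are not considered a match
RELEVANCE_YEARS = 10      # older events are recorded but not escalated


def normalize(name: str) -> str:
    """Lower-case and strip punctuation/whitespace so 'ACME, Inc.' == 'acme inc'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def name_score(a: str, b: str) -> float:
    """Similarity ratio in [0, 1] used for fuzzy (non-exact) name matches."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def triage(party: ThirdParty, hit: ScreeningHit, today: date):
    """Classify one hit as hard_stop, false_positive, not_applicable or escalate.

    Returns (bucket, reason); the reason is what the analyst records.
    """
    exact = normalize(party.name) == normalize(hit.listed_name)
    score = 1.0 if exact else name_score(party.name, hit.listed_name)
    if score < FUZZY_THRESHOLD:
        return "false_positive", f"name similarity {score:.2f} below {FUZZY_THRESHOLD}"
    if hit.country != party.country and not exact:
        # A fuzzy name in another country is the classic common-name collision.
        return "false_positive", f"fuzzy match listed in {hit.country}, party is in {party.country}"
    # From here the hit is treated as the screened entity (exact name, or a
    # fuzzy name in the same country). List-based prohibitions are decisive.
    if hit.list_name in HARD_STOP_LISTS:
        return "hard_stop", f"listed on the {hit.list_name} list"
    age_years = (today - hit.event_date).days / 365.25
    if age_years > RELEVANCE_YEARS:
        return "not_applicable", f"event is {age_years:.0f} years old ({hit.scope} scope)"
    return "escalate", f"{hit.list_name}: {hit.summary} ({hit.scope} scope, {age_years:.1f} years ago)"


def triage_all(party: ThirdParty, hits, today: date) -> dict:
    """Group hits by bucket so reviewers only spend time on hard_stop/escalate."""
    buckets = {"hard_stop": [], "false_positive": [], "not_applicable": [], "escalate": []}
    for hit in hits:
        bucket, reason = triage(party, hit, today)
        buckets[bucket].append((hit.listed_name, reason))
    return buckets


def decision(buckets: dict) -> str:
    """Map the triage result to the business choice: reject, review or proceed."""
    if buckets["hard_stop"]:
        return "reject"
    if buckets["escalate"]:
        return "review"   # cross-functional team weighs it against risk tolerance
    return "proceed"


# Constructed sample screening run (fictitious party and hits).
SAMPLE_TODAY = date(2025, 1, 1)
SAMPLE_PARTY = ThirdParty("Acme Trading GmbH", "DE")
SAMPLE_HITS = [
    ScreeningHit("ACME Trading GmbH", "DE", "pep", date(2024, 9, 1), "corporate",
                 "managing director is the spouse of a regional minister"),
    ScreeningHit("Acme Tradng GmbH", "BR", "adverse media", date(2023, 2, 1), "division",
                 "local press report on customs fines"),
    ScreeningHit("Acme Trading GmbH", "DE", "adverse media", date(2001, 5, 1), "division",
                 "former logistics division fined for customs violations"),
    ScreeningHit("Acme Logistics Inc", "DE", "pep", date(2024, 1, 1), "corporate",
                 "board member related to a politically exposed person"),
]
DENIED_HIT = ScreeningHit("Acme Trading GmbH", "DE", "denied persons", date(2020, 1, 1),
                          "corporate", "export privileges denied")


def run_sample() -> dict:
    return triage_all(SAMPLE_PARTY, SAMPLE_HITS, SAMPLE_TODAY)


if __name__ == "__main__":
    result = run_sample()
    for bucket, items in result.items():
        for name, reason in items:
            print(f"{bucket:15} {name:20} {reason}")
    print("decision:", decision(result))
```

In the sample run the exact-name, recent PEP hit is escalated, the 2001 division-level event is recorded as not applicable, the misspelled name in Brazil and the different company are false positives, and the overall decision is "review"; swapping in the denied-persons hit turns it into "reject" regardless of the other hits.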
Assessing your risk tolerance
Each company should identify the higher-risk areas of its business so it can proactively manage an ever-changing business environment. Best practice is to have an enterprise risk management (ERM) program, which lists company-wide risks and is used as part of the business strategy. Even if the company does not have a full-scale ERM program, risk levels can be identified by conducting risk assessments. Because risk is never static, I recommend conducting risk assessments at least annually. Better still is an agile approach in which a risk assessment is conducted as soon as there is a change in the company’s risk landscape.
Risk assessments are used to evaluate risk and assign a numeric value, a risk level, to specific risks. These values are used to prioritize mitigation actions. Risk levels are broken down into the impact and likelihood of an event that would adversely affect the company. Some risk assessments also consider “risk onset”: how fast a risk would be realized once triggered, often including the time needed to detect it before mitigation could start. The combination of likelihood, impact, and onset is translated into an overall risk level, ranging from high to low, on the overall risk profile of the business.
Once the risk levels are identified, a risk tolerance level can be set to indicate the level of risk the company is willing to handle. Each company has its own risk profile, reflecting the business environment in which it operates. The risk tolerance will inform the business’s response to realized risks. Tolerance levels should be evaluated often, especially when there are changes within the business that affect its capability to respond adequately. Because risk tolerance depends on risk levels, any change to a risk level should trigger a reevaluation of the tolerances.
Third-party due diligence is one part of the risk profile, and each company has different third-party exposures. The level of third-party involvement depends on the nature of the business. Multinational companies have more exposure, because they operate in multiple countries, each with its own laws, regulations, and cultural expectations. Certain countries are known to be higher risk than others, but excluding all other factors besides country is a rudimentary approach to risk level assignment. Many other factors should be incorporated in the risk profile determination of a third party, such as business type, third-party relationship type (e.g., sales agent vs. distributor), transaction volume, transaction amounts, oversight, etc.
Making a final decision
Marrying the third-party red flags and the company’s risk tolerance is where the risk-based, risk-informed decision process comes in. Does one red flag tell you to avoid a specific third party completely? If the red flag is that the third party is on the U.S. Department of Commerce’s Denied Persons List, yes. But usually there are many considerations to weigh before rejecting a third party. The third-party type (e.g., agent vs. customer), the nature of the red flag, the location, and the business volume tend to be the higher-weight considerations. Many countries have state-owned enterprises, which inherently involve politically exposed persons. Politically exposed person risk can be mitigated in many ways, so it is not an automatic disqualifier.
Ideally there is a conversation within a cross-functional team that includes the people responsible for managing third parties as well as the people responsible for compliance. The team should review the red flags against the risk tolerance of the business. All factors that influence the final decision need to be considered, including the future business and long-term strategic goals of the company. Accepting the risk may be worthwhile if additional business support is available to ensure compliance. However, if there is not enough reason to assume the risk, or if the third party falls outside the business’s risk tolerance level, it is advisable not to proceed with the relationship.
For the final decision to be made and respected, team members need to be authorized to make decisions. This is especially important when it comes to rejecting a third party: there should be no way to circumvent a rejection decision. In most cases, the head of procurement makes the final decision on a vendor and the head of sales makes the decision for a customer or agent. These people also tend to be more aware of the business’s risk tolerance level and long-term strategic goals, which will guide their decisions.
All decisions should be documented for audit purposes and as guidance in case of employee turnover. Ideally the documentation records who was present in the meeting, who made the decision, and why. It should also state how the red flag risk will be mitigated. For example, in the case of a politically exposed person, the employees managing that relationship should receive additional anti-bribery/anti-corruption training, and auditors should regularly check the payments relating to that third party to confirm compliance. These trainings and payment audits should themselves be documented and kept with the other records for the third party to provide a complete audit trail.
Conclusion
No one-size-fits-all solution will resolve every red flag. Therefore, companies should conduct a risk assessment, at least annually, and from there generate a risk tolerance level for the business. Red flags should be analyzed for their accuracy and relevance as part of the due diligence process. Not all red flags are created equal, so depending on risk tolerances, one company may engage a third party where another would refrain from doing so. It comes down to getting the right people together to make a risk-informed decision and record that decision. In an ever-changing business environment, third parties need to be continuously monitored to ensure they remain within the business’s risk tolerance levels.
Takeaways
- No one-size-fits-all solution will resolve every red flag once the issue comes up.
- A red flag does not mean per se that one cannot do business with the third party.
- Best practice is an agile approach to risk assessments. Reevaluate the risk levels throughout the year, because risk is not static.
- Risk tolerance levels should be evaluated often to keep up with the risk levels.
- The business decision for third-party engagement will come down to the level of risk that is acceptable.