Businesses need to manage third-party risk as part of a comprehensive compliance program to ensure they operate with integrity and thwart any attempts at bribery and corruption. Compliance professionals need to put in place processes and systems that assess risk and focus on the greatest threats among third parties.
Transparency International UK (TI), a leading non-governmental anti-corruption organization, recently launched a dedicated portal that clarifies elements of effective compliance programs. It covers all compliance program components, including managing third parties, procurement and contracting, risk assessment, and financial controls.
According to TI, the following key elements are necessary to effectively manage third-party risk:
- Integrated, company-wide approach: Developing a risk-based, integrated, and consistent approach to anti-bribery management of third parties across the company’s operations
- Due diligence: Collecting, analyzing, and storing due diligence information about the third parties, including their ownership, how they operate, their integrity and anti-corruption standards, and any significant bribery and corruption risks
- Be systematic: Applying a comprehensive and consistent approach to registering, conducting due diligence on, and appointing third parties, as well as to the management and monitoring of the relationship
- Focus on your highest risks: Focusing on the highest risks based on risk assessments
- Build trust and constructive relationships: Aim for an environment that fosters integrity and counters bribery
4 Steps to Managing Third-Party Risk
Dun & Bradstreet agrees with TI’s guidance on managing third-party risk, and we feel it’s important for businesses to inject processes and controls into the plan so that those steps can be replicated. A four-pronged approach to third-party compliance that weaves TI’s guidance with Dun & Bradstreet recommendations includes the following:
- A risk assessment process to identify, segment, mitigate, and monitor risks and risk factors
- Due diligence proportionate to the risk
- A comprehensive workflow system
- A company-wide approach to risk management
To effectively manage third parties to prevent bribery, a business must assess and rate the potential for bribery and mitigate that risk. You need information about the country in which the third party is based and about characteristics of that market, including local customs, according to TI.
In addition to country rankings, such as TI’s CPI and the Basel AML Index, consider leveraging insights such as D&B’s Country Risk Indicator, which details financial, political, economic (macro and micro), and social risks. Further standard risks are the industry, type, volume of business with the third party, and the nature of the work it performs. Third-party intermediaries pose higher risks when they represent the company before government agencies, perform services on behalf of the company, or are otherwise in contact with government officials on company business.
In assessing risk, businesses should consider leveraging third-party data, insights, and proprietary predictive scores, which can greatly strengthen client controls, risk triggers, and defensible position pillars. For example, Dun & Bradstreet’s TPI Modeler is a scoring model built to predict the likelihood of a supplier being a third-party intermediary (TPI).
Also consider thinking beyond compliance-specific factors when assessing your third-party risk. Entity matching capabilities transform raw data into clean, integrated, and enhanced data that a business needs for effective business-partner information management. Predictive scores enhance your assessment of a potential business partner by providing data elements that are critical to other business objectives. Raw attributes such as time in business, degree of marketplace activity, location, severe financial risk indicators, and change in circumstances fuel your risk-assessment model. Linkage analytics will give you the size, strength, and risk of a group of businesses, and economic indexes reflect risk to specific industries during different economic conditions.
Merely screening an individual or entity itself against sanctions and adverse media or relying on third-party supplied references will not give you the insight to conduct meaningful due diligence, especially in higher-risk situations. If you are in a higher-risk industry, geography, or business relationship, you may need to go deeper.
Dun & Bradstreet’s perspective is to seek a depth of diligence that includes leveraging global data assets on entities, including legal name, organizational structure, parent companies, names of all principals/officers/beneficial owners, and industry. This enables companies to fully identify and verify third parties. Leveraging a global beneficial ownership database enables businesses to visualize share ownership for both corporate entities and for individuals.
Expanding the screened population with this data enables you to search for compliance-relevant adverse data on not just the subject entity self-disclosed data but also known principals and relevant related entities (e.g., beneficial owners, shareholders, key executives). And by leveraging a unique identifier such as the D-U-N-S® number, this provides an unparalleled ability to track organizations associated with politically exposed persons (PEPs) and state-owned enterprises through global corporate compliance linkage data and consolidation of disparate but related records. These insights help strengthen a company’s compliance program by enhancing depth of due diligence and moving beyond sole reliance on self-disclosed information from a questionnaire. This capability enables effective risk-based due diligence ranging from very basic sanctions, PEPs, and media searches to local “boots on the ground” investigation.
TI-UK’s guidance calls for rigorous monitoring procedures to deter and detect bribery incidents and breaches of the anti-bribery program and to repeat due diligence periodically. It is Dun & Bradstreet’s position that companies should consider not only identifying screening alerts, but also continuously and proactively monitor third parties for relevant changes that may affect risk profiles (e.g., M&A activity, severe financial distress, principal changes, primary location/headquarter moves). Additional risks you should also consider monitoring for: financial, human rights, data privacy, and cybersecurity risks.
UK-TI’s guidance recommends use of an electronic workflow system. Consider a comprehensive workflow that is an end-to-end due-diligence process and can migrate data out to other business units throughout the organization. The process should include data that gives you holistic visibility into your compliance needs. Here are a few examples to consider: supplier profile; segmented vendor list; financial risk; environmental, social, and governance data; diversity; Tier N visibility; geopolitical, climate, and operational data; and cyber security.
The TI-UK guidance recommends an integrated approach to risk management – apply consistent standards, policies, and procedures across the organization, including coherent automated data systems and tools. Master data drives all compliance activities across regulatory, financial reputation, and geographical risks.
Having the right governance and internal controls in place simultaneously helps companies benefit from complete visibility into transactions with third parties. With a complete picture of the risk and activities of business partners, management can make reliable, trusted decisions about where to invest and how to safely conduct business with third-party partners.