Four Places You Need a Risk-Based Approach for Your Third-Party Program


Post By Kristy Grant-Hart, Chief Executive Officer, Spark Compliance Consulting

“Risk-based approach” may be the three most over-used and least understood buzzwords in compliance in the past two years. The DOJ talked at length about using a risk-based approach to third-party due diligence and risk management in its Evaluation of Corporate Compliance Program guidance, going so far as to give examples of what they mean. And yet, nearly every client I work with has blind spots when it comes to implementing a truly risk-based due diligence program. Why? Because “risk-based” is easy to say but difficult to implement.

There are four distinct places that a risk-based approach should be implemented during your third-party due diligence process. Let’s look at each in turn.

No. 1: Scoping

The first place to apply a risk-based approach is in scoping. Scoping should result in one of two outcomes for each third-party: you’re in or you’re out. Applying a risk-based approach to scoping is critical because if every possible third-party is in-scope, your program is probably overly broad and doesn’t address the true risk to the company.

Let’s be honest, do you really need to score and review paperclip vendors? How about one-off customers or distributors selling less than $500 of your products annually? I’ve seen every one of those third-party types in scope at different companies.

Here’s my top tip for scoping: if you can’t come up with a plausible scenario where the third-party would violate the rules, the third-party type should be out of scope. This determination rests on which risk types you are reviewing in your due diligence program.

For example, let’s say that in your program, you’re reviewing third-parties solely for bribery risk, and you need to determine whether suppliers should be in-scope. Try to come up with a plausible scenario about how a supplier could bribe someone on your company’s behalf. Well, they’re not going to bribe a customer on your behalf. The only scenario in which a bribe would be made by a supplier is the attempt to bribe your employees, who should be trained to avoid this situation. After this analysis, suppliers should be kept out of scope for this third-party program.

Remove third-parties from the scope when there is little or no chance that they could create a problem for you based on the risk areas you’re reviewing.

No. 2: Initial Risk Ranking

Creating an initial risk ranking is critical for determining how problematic a third-party type is likely to become. Many companies apply the hammer approach and put every third-party into the same bucket for the same treatment. Instead of putting everyone through the same review, the creation of a truly risk-based approach comes from using multiple criteria to determine the third-party’s riskiness. What criteria can be used? Examples include:

  • The Corruption Perceptions Index score in the country in which the third-party does business for your company
  • Whether or not the third-party represents your company to government officials
  • Whether the third-party is owned or operated by a government official
  • The level of spend associated with this third-party

Many other criteria can be used to create an initial risk ranking. Your initial review should create a stratified third-party world.

No. 3: Create an Escalating Process

Once you’ve got your initial risk stratification, you need to create an escalating review process with multiple layers. You can use an entire menu of different tools. This may include:

  • Escalating contract terms: e.g., low-risk = basic anti-bribery clauses, medium-risk = audit rights, high-risk = audit and termination rights
  • Escalating levels of review: e.g., low-risk = automated sanctions review, medium-risk = order desk-top report, high-risk = order a boots-on-the-ground reputation check
  • Escalating training requirements: e.g., low-risk = no training, medium-risk = training for those working on your company’s business, unless they can prove they have taken compliance-related training through their company, high-risk = annual refresher training for everyone at the company working on your company’s business

There are many ways to create an escalating evaluation process, and it makes sense to do so. Think about it, does every third-party really need a due diligence questionnaire? The paperclip provider shouldn’t have to answer six pages of questions about its corporate history and ownership structure in order to sell your company $250 of office supplies.

By creating a consistent escalation process based on the initial risk score of the third-party, you create a defensible risk-based approach.

No. 4: Known Risk Mitigation

What happens when you get a red flag? Is there a consistent approach to the issue? Or does each third-party go through a different process? Having a written approach to red flag mitigation is a critical way to complete your risk-based approach. You can create a red flag clearing criteria matrix which describes the way that red flags are reviewed and remediated. Once again, a list of mitigating techniques can come into play here.

Most Importantly: Document Your Thought Process

The best way to make a risk-based model defensible is to write down your thought process. Why did you make the determinations you did? How did you choose which third-parties were in scope? Why did you choose the initial risk-ranking criteria that you did? If your program is ever challenged during a prosecution, having your thought process in writing will make your program much more likely to be found credible, even if you missed something.

The number one reason compliance officers don’t take a risk-based approach is because they are terrified that something will get through the cracks, and then they’ll be blamed. Prosecutors and regulators understand that businesses can’t and shouldn’t give the same amount of attention and resources to every third-party. By adopting a risk-based approach every step of the way, you’ll ensure your resources are properly applied to the highest-risk third-parties.