Businesses today are more interconnected than ever while at the same time having to manage supply chains that are in the greatest flux in a generation and heightened scrutiny from external stakeholders around the business practices of their entire value chain. As a result, companies must be increasingly vigilant in monitoring compliance risks associated with their third-party relationships. This often means engaging in comprehensive due diligence processes to ensure that their partners meet the highest regulatory, compliance, and reputational standards. Enterprises typically address third-party anti-corruption risk through front-end due diligence and onboarding processes. The processes assess attributes such as geographical location, services provided, contract value, adverse media, and government connections to establish an appropriate level of scrutiny toward the prospective entity. Following this assessment, compliance teams may adopt strengthened controls with increased auditing or reporting requirements, compliance training, and contractual provisions for added assurance against corruption risks.
When assessing such risk, a comprehensive analysis is essential. The process is subjective and therefore vulnerable to inaccuracies or human error, and it requires specialized knowledge for employees to carry out their tasks accurately. For example, companies should consider third parties high-risk if they interact with government officials or customers on behalf of the enterprise. However, without a complete understanding of the agency principle involved and the entity's governmental interactions, combined with inadequate due diligence processes, these entities could easily go unnoticed and be labeled low-risk instead. At the same time, access to ownership information of third parties continues to be limited by both the presence of multiple secrecy jurisdictions around the world and recent privacy-related court rulings in Europe that have led some countries to remove access to their previously public ownership registries.
These challenges are exacerbated when a company already has numerous existing third-party relationships or gains many new third parties via an acquisition. Understanding the risks posed by a large number of third parties can be highly challenging. Manually cataloging those third parties, sending diligence questionnaires, and running enhanced diligence reports can be time-consuming, error-prone, and expensive for the enterprise and its third parties, which may lead to the enterprise failing to complete this work comprehensively and accurately.
Although due diligence can detect certain risk factors, such as publicly known compliance issues or shell companies, such detection relies on the good faith involvement of third parties and company employees in the process. Employees may misclassify the nature of the third party to avoid heightened review or may collude with the third party to provide fraudulent or misleading information, hindering a company's ability to protect itself from malicious actors.
Furthermore, even effective front-end due diligence does not guarantee the prevention of third-party corruption post-diligence, since companies could still hire legitimate third parties that engage in corrupt behavior alongside their legitimate practices. For instance, several years ago, a number of oilfield services enterprises were penalized for improper payments made by their otherwise legitimate logistics vendors and disguised as service fees under discreet labels like "special handling charges." The typical due diligence exercise ends at contract onboarding and would not cover line items hidden amid legitimate charges in the third party's invoices. Similarly, many enforcement actions over the years have involved sales channel partners, such as distributors, who may otherwise be legitimate commercial entities but use sales commissions or margins to generate proceeds for improper payments. In these scenarios, due diligence would likely not prevent or detect such behavior in the company's credit notes and revenue transactions.
When it comes to third-party risk mitigation, for many companies, the missing piece is continuous monitoring of their expenditures for possibly fraudulent or corrupt payments. A continuous spend monitoring program using data analytics can provide in-house compliance and audit professionals with real-time tools to identify problematic payments or other anomalous third-party behavior while generating a wealth of data that can strengthen and improve a compliance program.
Such spend monitoring can extend and supplement front-end due diligence processes and close many control gaps identified above. For example, only continuous compliance monitoring can address the risks of bona fide third parties, such as customs brokers or distributors, engaging in improper payments after being retained. Spend compliance monitoring can detect anomalous patterns in payments or discounts with those third parties that might indicate corrupt activity.
In addition, spend monitoring can help identify and mitigate any inadvertent or purposeful errors or oversights made during the front-end third-party due diligence process. If a third party is not recognized as high-risk or government-interfacing in the diligence process due to employee error or rogue behavior, spend compliance monitoring using data analytics can still detect whether the third party might be interacting with the government. For example, suppose a third party identified by an employee as "low-risk" appears in expense categories typically used by high-risk third parties. In that case, continuous monitoring tools can detect such an anomaly and potentially root out a corrupt scheme or sham third party before systemic issues arise.
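As an added example (not part of the original post and not Lextegrity's software), the category-based check described above over constructed sample spend records: it flags a vendor onboarded as low-risk whose spend concentrates in expense categories that are otherwise dominated by high-risk vendors. The vendor names, categories, amounts and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample spend records: (vendor, assessed risk tier, expense category, amount)
TRANSACTIONS = [
    ("Acme Logistics", "high", "customs_clearance", 12000.0),
    ("Acme Logistics", "high", "special_handling", 3500.0),
    ("Globex Brokers", "high", "customs_clearance", 9800.0),
    ("Globex Brokers", "high", "permit_fees", 4100.0),
    ("Initech Supplies", "low", "office_supplies", 2200.0),
    ("Initech Supplies", "low", "it_hardware", 15000.0),
    ("Umbrella Consulting", "low", "customs_clearance", 7500.0),  # low-risk label, high-risk spend
    ("Umbrella Consulting", "low", "permit_fees", 2000.0),
    ("Umbrella Consulting", "low", "office_supplies", 300.0),
]


def high_risk_share_by_category(transactions):
    """Fraction of each category's total spend that comes from high-risk-tier vendors."""
    total = defaultdict(float)
    high = defaultdict(float)
    for _vendor, tier, category, amount in transactions:
        total[category] += amount
        if tier == "high":
            high[category] += amount
    return {c: high[c] / total[c] for c in total}


def flag_misclassified_vendors(transactions, category_threshold=0.5, vendor_share_threshold=0.5):
    """Return {vendor: share} for low-risk vendors whose spend sits in high-risk categories.

    A category counts as high-risk when at least category_threshold of its spend comes
    from high-risk vendors (thresholds are assumed values, to be tuned per company).
    """
    share = high_risk_share_by_category(transactions)
    high_risk_categories = {c for c, s in share.items() if s >= category_threshold}
    vendor_total = defaultdict(float)
    vendor_in_hr = defaultdict(float)
    for vendor, tier, category, amount in transactions:
        if tier != "low":
            continue  # only vendors the front-end diligence labelled low-risk are of interest
        vendor_total[vendor] += amount
        if category in high_risk_categories:
            vendor_in_hr[vendor] += amount
    return {
        v: round(vendor_in_hr[v] / vendor_total[v], 3)
        for v in vendor_total
        if vendor_in_hr[v] / vendor_total[v] >= vendor_share_threshold
    }


if __name__ == "__main__":
    print(flag_misclassified_vendors(TRANSACTIONS))  # {'Umbrella Consulting': 0.969}
```

A flagged vendor is a lead for review, not a finding: the next step is to pull the underlying invoices and re-check the onboarding questionnaire rather than to act on the score alone.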
The combination of powerful front-end due diligence and back-end continuous spend monitoring will define whether an enterprise's third-party risk management system is effective. Fortunately, implementing such a system is possible today with off-the-shelf software and by following an established implementation roadmap.
While it is clear that a compliance monitoring system that can identify problem transactions and generate compliance data is the best way to manage and mitigate third-party risk, many enterprises still lack viable options for easily implementing such integrated compliance monitoring programs. Enterprises almost always lack the internal software development and advanced data-analytics capabilities to build and maintain such end-to-end compliance monitoring systems internally. On the other hand, consulting firms may offer data analysts but are not strong in software development and support. In addition, those firms are incentivized to provide as many service hours as possible and often produce bespoke solutions that are difficult and costly to build and maintain.
Fortunately, fully end-to-end integrated due diligence and compliance monitoring systems are now available through innovative off-the-shelf software. These systems allow companies to cost-effectively transform their third-party management from manual, subjective, and front-end-focused systems to automated, objective, and truly end-to-end risk management systems. The next chapter in third-party risk management promises to be more effective, more efficient, and more scalable to companies of all sizes worldwide.
To learn about Lextegrity and our many compliance solutions, reach out to us for a consultation today.