By Brian Alster
Every large organization wants to automate its due diligence program, and for good reason. Third-party risks have proliferated to such an extent that manual approaches to due diligence can’t keep pace with the challenge anymore, leaving senior executives unclear on the risk landscape their organization faces.
That doesn’t mean, however, that a company should rush to implement an automation program.
On the contrary, crafting the right approach to automating due diligence and third-party monitoring is a delicate matter, with considerable planning that must happen before moving forward with an automation plan. Otherwise, the compliance program risks ending up with automation that (1) doesn’t correctly assess the company’s third-party risk or (2) employees won’t want to integrate into their daily routines.
What groundwork is necessary? Consider these five steps.
Step 1: Know how third parties fit into the company’s business strategy. Global organizations use third parties in all sorts of ways. Compliance officers need to understand how and why their firms use third parties so they can build a due diligence program that addresses the firm’s compliance risks today and will evolve with those risks in the future.
For example, your firm might rely on local agents in emerging markets to perform sales functions — but “local agents” is a broad term. An agent acting as a reseller can pose one set of anti-corruption risks; distributors pose another. Consultants who only introduce potential customers to your full-time sales executives pose yet another.
So corporate compliance officers first need to talk with any part of the enterprise that might use third parties, to understand what those relationships are and why they exist. Only then can the compliance officer begin to map out the compliance risks those third parties pose.
Moreover, compliance officers also need to understand whether those relationships could change in the future. For example, could a local law firm originally hired to execute real-estate purchases be asked to draft customer sales agreements? That might be a reasonable business decision, but it changes the risk profile of the law firm. A compliance officer needs to know that such changes in status could happen, so he or she can craft a due diligence program that responds accordingly when such changes happen.
What’s really at issue here is how much visibility the compliance function has into business operations. Compliance officers will need a lot. Otherwise, the compliance function can’t assess the firm’s risks accurately, and your due diligence efforts might not address your company’s risks.
Step 2: Know how the company currently governs third parties. To some extent — perhaps a small one — your company already exercises some amount of governance over its third parties. Somebody in procurement found those resellers working in high-risk markets. Somebody in sales receives the purchase orders those resellers pass back to the company. Somebody in accounting is receiving invoices from third parties and issuing checks.
The challenge for compliance officers is to understand how those processes work. Only then can you identify weak spots in due diligence processes or find opportunities for automation.
For example, you might find processes for onboarding third parties without any corresponding policy — that is, ad hoc risk assessment and governance, carried out by the employee working with a third party at a specific moment. Or you might discover policy for third-party governance without any supporting procedure — a compliance program that looks good on paper but doesn’t work in the real world.
Neither scenario is tolerable, but each one requires different solutions. So, compliance officers should conduct a “policy and procedure inventory” to see the due diligence steps the company is already taking, regardless of how limited they may be. That will identify many due diligence weak spots.
Step 3: Know what data the company has about its third parties. Along similar lines, your company also already collects at least some amount of data about its third parties. Compliance officers need to understand what that data is and how it’s organized.
For example, different parts of the enterprise might use different applications to track the business they do with third parties: the sales team might use Salesforce, while the accounting team might use Oracle. Departments in the Latin America division might store all transaction data in one central data repository, while departments in the Asia-Pacific region store data in separate spreadsheets. Europeans might use one format for calendar dates, North Americans another.
Compliance officers need to know those details. The data might exist in many different formats or in different locations, and questions about how to cleanse and append all that data for automated due diligence can become critical.
For example, would you want a risk management tool to collect and harmonize different types of data for better analysis? Or would you want to change employee processes so they input data about third parties in a uniform manner? In the search for answers, a compliance officer needs to understand the company’s data environment.
Step 4: Understand how employees work with third parties. The most delicate challenge for automating due diligence is understanding what changes to employee workflows might be necessary, and how to integrate those changes effectively. To do that well, compliance officers must understand how employees work with third parties, and with each other, on a practical, daily level.
For example, a rule of thumb is that due diligence programs should automate repetitive, tedious tasks (collecting ownership data on third parties, for example) to save valuable employee time for more “high-touch” due diligence procedures, such as telling a high-risk third party he or she won’t be paid until background checks are completed.
That makes sense in theory. In practice, would automating those procedures lead to staff redundancies? Would employees need training on those high-touch duties? If the company changes the software it uses for collecting third-party data, will employees use the software to its full potential? If better analytics identify third parties too high-risk to use, does the company have clear policy and procedure to stop employees from using those parties?
Again, every company will need to find its own answers to those questions. Compliance officers just need to be aware that those questions exist and need answers — because employees and third parties will start asking them quickly. Even the best due diligence program won’t succeed if employees decide it impedes their “real jobs” and try to evade it.
Step 5: Plan for third-party risk management, not just onboarding. We alluded to this point earlier, with our example in Step 1 of an outside law firm asked to take on more duties. A due diligence program shouldn’t simply allow a third party to pass inspection once, then reside in your corporate enterprise forever. A due diligence program should also monitor third parties on an ongoing basis and raise alerts when their risk profiles change.
That means compliance officers need to know what events might trigger a change in risk profile, and how to respond to those events when they happen.
Easy examples include a trusted third party coming under new senior management; or the third party being named in a lawsuit or regulatory enforcement action. Other times, your company’s own actions might trigger a change in risk. A decision to start selling to foreign governments, for example, might introduce new compliance risks to previously onboarded local sales agents.
Due diligence programs need to anticipate those natural evolutions in business so that when they happen, compliance officers can apply any new due diligence that might be necessary (and document that the new due diligence happened).
Every large organization wants to automate its due diligence program because manual due diligence processes can no longer keep pace with the risk. Manual processes overwhelm employees, introduce error and leave senior leaders with an inaccurate picture of their third-party risks.
That said, automated due diligence programs need to be durable and versatile. Before compliance officers automate anything, they need to understand third parties’ roles within the enterprise, and how employees have tried to govern third parties. Practical points such as data formats, written policies versus “we’ve always done it this way” practices, and employee habits can assume enormous significance as you plan your automation effort.
Above all, compliance officers should understand that successful third-party risk management is really about managing business risk — not just fulfilling a compliance obligation. It’s about helping the enterprise accelerate the due diligence process while reducing costs.
Automated due diligence and smoother onboarding of third parties are critical steps toward that goal. With astute planning and use of technology, corporate compliance officers can achieve it.
Brian Alster is general manager, supply and compliance, at Dun & Bradstreet in Short Hills, New Jersey.