Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 0 A Layered Approach to Third-Party Due Diligence Presented by Michael Olver & Alex Wilkinson


Presenters

Michael Olver, Managing Director, PSA Group Advisor, Third-Party Risk Management, NAVEX Global

Alex Wilkinson


Agenda

• Introduction

• Defining Due Diligence

• Standard Risk-Based Workflow

• Your Tools & Their Limitations

• The Wildcard of Jurisdiction

• Conclusion & Key Takeaways


Defining Due Diligence

A Risk-Based Approach


Defining Due Diligence

• Due Diligence is the level of judgment, prudence and care to be exercised by a reasonable person in a similar situation

However, there is…

• No absolute standard

• No defined maximum or minimum

• Only industry norms, best practices, informed interpretations and relevant guidance to help determine what due diligence is to you


Defining Due Diligence

• Given this flexibility, an essential aspect of defining due diligence for your company is understanding:

1. The desired outcome – what do you want to accomplish?

2. Defining your “risk remit” – what risks and concerns are you responsible for mitigating in your role and with this programme?


Defining Due Diligence

• For the purpose of this conversation, we understand the roles to be:

− Compliance and legal professionals – “Defenders of the Realm”

− FCPA & UKBA will be the overriding concerns

− Your programmatic aim will be the identification and mitigation of bribery and corruption risk inherent in dealing with third parties

− Your remit will be to uncover any risks associated with third parties that present a bribery or corruption risk to your company


Defining the Risk-Based Approach

• With this in mind, the following are the standard leading indicators of risk:

− Local perceived corruption risk in jurisdiction (CPI)

− Level of expenditure with third party

− Third-party industry

− Type of relationship

− Intent of relationship

− Other factors specific to the company or overriding legislation

• However, we would argue that key to a cost-effective and robust programme is ALSO the incorporation of the level of information obtainable in each jurisdiction into both the risk calculation and the internally mandated response


Defining the “Risk Base”

• The simplest means of initiation is to ascribe a value to each indicator

• This does not need to be complicated and can be as simple as a 1-5 value

• The assessment methodology and each assessment will need to be documented

• The process flow needs to be based on, and able to pivot on, the “Risk Base”


Applying the “Risk Base”

• In order to ensure even application, it is ideal that the defined risk-response:

− Is centrally defined and mandated

− Is an automated process to an extent

− Creates an audit trail that is rigorously maintained, especially for any exceptions


Standard Risk-Based Flow


Approach to Conducting Due Diligence

Questionnaire

• Collects basic and self-declared information. The review should trigger any disclosed instances of bribery, existence of a compliance programme, PEPs or conflicts of interest

Organise Data

• Understand how third parties are touching your company and the implications it may have

Triage & Address

• Prioritise and adequately address the risks posed by the third parties


Approach to Conducting Due Diligence

Initiate Due Diligence

• Based on the “Risk Base” score, initiate the appropriate level of due diligence

Review Data

• Review findings and either accept and progress, or request further information disclosure or additional inquiries

Further Due Diligence

• Expand the remit of the inquiry or conduct targeted research into issues of concern


Your Tools & Their Limitations


Informing the Approach

• While the above slides should be familiar to any compliance professional, greater knowledge drives a more effective process

• To be effective you need to know:

− What are the tools available to you?

− What are their limitations?

− What are the inherent limitations in each specific environment?


Due Diligence Tools

Broadly speaking the tools available are:

1. Databases

2. Risk reviews

3. OSINT: Open Source Intelligence

4. OSINT in English and local language

5. Enhanced due diligence with local reach

6. Source commentary within the local market


Important Limitations

Databases:

• Once thought to be the ultimate industry direction and a “magic bullet”, inherent problems persist from:

− False positives

− Local character search limitations (Chinese, Thai, Arabic)

− Supporting algorithms

− Overwhelming or underwhelming baseline databases

− Potential for user error


Important Limitations

Risk Reviews:

• A creative middle ground, this is the professional review of the disclosure documents combined with database searches and research for risk remediation

• Limitations:

− Limited to what is disclosed and database returns only, no additional research or sourcing

− Based only on self-reported information, with no ability to independently collect

− No ability to go further in identification of risk

− Inherits the limitations of database usage with no ability to mitigate through further research into issues of concern

− Reactive, rather than active


Important Limitations

OSINT (English Only):

• This allows professional researchers a free hand to apply a process of searches against specialist databases and all public domain sources in English in order to identify issues of concern

• Limitations:

− What is reported is only what is in the public domain, and what is in the public domain in English

− The key limitation is language and the information available within the local environment


Important Limitations

OSINT (English & Local Language):

• Much better in that it allows the professional researcher a broader base of sources to draw from in conducting their searches, and is essential in non-English dominated environments (China)

• Limitations:

− This type of report is limited to what is available electronically within the local environment

− Often this means that it is not possible to recover meaningful litigation searches, reputational research or in some cases basic registration and ownership information

− This can result in substantive gaps in achieving coverage against programme mandates


Important Limitations

In Country EDD with Source Commentary:

• Further expands what is available to include commentary from people in a position of knowledge. Useful in identifying the information that is not reported on but that “everyone knows”, such as whose company this is

• In jurisdictions in which there is limited public domain information, this is the only means of meaningful coverage

• Limitations:

− Time – 10-15 days and possibly longer to network into good sourcing

− Budget – sourcing is usually worth exactly what you pay for it


The Wildcard of Jurisdiction


Impact of CPI Overlay

• The Corruption Perception Index is taken into account in most workflow programmes associated with risk-based due diligence

• Companies operating in countries in which there is a low incidence of bribery and corruption can generally be considered to be at lower risk of this behaviour for social

• Inversely, in countries like Afghanistan, even the smallest transaction comes with the risk of corruption

− Example: A third party that is a furniture store in Denmark supplying USD 2,000 of tables as part of a yearly transaction managed by London HQ

− The elicited compliance response should therefore be in line with defined Low Risk practice


Impact of Freedom of the Press Overlay

• An effective compliance process should take into account the freedom of the press and access to information in each jurisdiction

− Example: A third party in Saudi Arabia that is engaged to develop an online marketing programme making your products more appealing in the region

− While on the face of it this is a Low Risk third party, the functional limitations of the environment mean that OSINT only is likely to be ineffective


Implications

• This does not mean that you must conduct the highest level of due diligence on all locations in which there is limited information in the public domain

• This does mean you need to be selective about what you do in these jurisdictions and incorporate knowledge of the environment and risk-based feedback

• This may include running initial reports, requesting greater disclosure or selectively engaging commentary only into issues of concern

• But it is important to document why you have taken these steps or why you chose not to


Key Recommendations & Takeaways


Recommendations

• Know the mechanical limitations of the report types you have available

• Incorporate an honest appraisal of the limitations of these report types in the process flow

• Incorporate the limitations of the Open Source in each jurisdiction in your process

• Never be afraid to ask more of your process or your diligence provider, as a risk-based approach is not a one-size-fits-all approach and neither should your compliance programme be
