Third-party due diligence: Has your program evolved enough to keep up with changes in regulations and advancements in technology?

By Bill Hauserman, Senior Director, Compliance Solutions, Bureau van Dijk, A Moody’s Analytics Company

Can you please tell the Risk Insights readers a little bit about yourself, your experiences and what your current professional focus is?

I have been involved in most aspects of employee and third-party compliance programs over the last 15 years. Most interesting to me is how third-party compliance evolved. Almost overnight after 2008, regulators across the globe eliminated the notion that third parties in any way shield a bank or corporation from liability for corruption. Now, over 10 years later, organizations still struggle to truly know their business partners, who controls them, and whether they are involved in corruption.

At Bureau van Dijk, I focus on anti-corruption compliance solutions, primarily on the perplexing problem of creating efficient due diligence technology and content for truly understanding the risks of customers and business partners.

What, for you, are the benefits of attending a conference like Vendor & Third-Party Risk 2019 and what can attendees expect to learn from your session?

These conferences are one of the best ways to spread the message of due diligence best practices to a larger group, and to gather input from the practitioners in organizations struggling to achieve better results. It is a safe place to debate the theories of good due diligence against the practical realities of the day-to-day job. After a decade, I believe we all know where we want to get to, and we know we are not there yet.

And for attendees whose priority is to maintain the minimum requirement of meeting regulatory expectations, it is a chance to step back and to imagine what their world might look like if they had due diligence programs operating far above the minimum, reducing more types of risk, and requiring less time and money to operate. Only by stepping back can they find the creative input from multiple industry experts to define a way forward, armed with the arguments to take back to senior management so they are able to make the vision a reality.

In your opinion, what does the current evolution of third-party due diligence look like and how is the US industry progressing?

The best due diligence programs have solved the due diligence dilemma: how to apply the proper mix of data, technology and people to achieve both lower risk and lower cost. And because of this type of program, they are allowing their organizations to enter markets, create products and expand revenue more quickly and easily than programs that have not evolved. The reality of global commerce today is that the risks of expansion are greater. So, the due diligence programs that detect and monitor risk must be business-friendly, which means timely, thorough and accurate.

US businesses involved in global commerce have generally not solved the due diligence dilemma. Too many programs are people-heavy because they waste so much time on tasks better accomplished through data and technology. While there are examples of terrific programs, generally I see that current operations have not evolved. But the good news is that I see more and more that the operations teams know how they need to evolve. The problem rests with senior management, which has a hard time equating due diligence program cost with revenue expansion and organizational health.

Why is it important to look at vendor risk from a broader operational risk perspective to align goals across the organization?

Risk treated outside the business operational unit is never fully aligned with the day-to-day creation of risk. A business unit's sales and delivery process must integrate risk detection and monitoring. It is far more effective to have due diligence begun and monitored by the individuals dealing with risk at the front line rather than by the back office. This means due diligence processes are embedded in the business processes and systems.

Likewise, all business units must have common due diligence goals. Only by standardizing the due diligence output across the whole organization is it possible to evaluate organizational risk.

How can risk assessments best be integrated across lines of business?

All business units must have common due diligence policies clearly identifying organizational risk. Additionally, there must be one set of risk remediation standards that cannot be overridden by business unit management for that business unit's benefit. Then imagine all business units following common operational procedures embedded in their business systems.

So, the risk detection and monitoring of selling, purchasing, and fulfilling business transactions are part of the business processes and common across all business units. With this operational model, the central Compliance team can spend their time creatively remediating risks to a revenue advantage rather than policing business units and wasting time cleaning up clear departures from agreed policy.

How do you see the vendor and third-party risk space evolving over the next 6-12 months as processes mature?

Unfortunately, catching up to regulatory and reputational risk due diligence standards is not enough. The real challenge for organizations is that the due diligence regulatory and organizational expectations themselves are evolving quickly. Discoveries by US, EU and other regulators in 2018 and 2019 will require these regulators to demand more. At the heart of these new expectations is the changing understanding of "control" as it applies to third parties. Because of recent enforcements, regulators have discovered complex new corporate structure mechanisms that invalidate shareholdings as the ultimate indicator of control. In fact, complex structures are now deployed whereby nearly undetectable shareholdings can still provide ultimate control over a legal entity.

Organizations clearly need to increase efforts to better operationalize their business systems to standardize risk detection and monitoring. But just as important is that they re-evaluate policies for which risks will be treated by a due diligence program and how broadly the program is applied across third-party populations of all types.