Post on 12-Jul-2020
transcript
Effectively Designed Anti-Bribery and Anti-Corruption Programs
July 9, 2019
Participate in Q&A
• Download the IIA Conferences App to participate in Q&A during select sessions
• Select the session through the schedule icon
• Submit your questions for the session, or to specific presenters, by selecting the ASK icon
• Ask a member of the Conference Staff if you need assistance
• You can also go to https://iccnf.io from your mobile device's web browser
Agenda
Introductions
Learning Objectives
Effective Anti-Bribery / Anti-Corruption Programs – Overview
• Risk Assessments and Due Diligence
• Codes, Policies and Procedures
• Auditing and Monitoring
• Third Party Due Diligence
• Compliance Monitoring Leveraging Analytics
Case Study – TE Connectivity
• TE Connectivity – Overview
• Phased assessment and enhancement of the ABAC program
Q&A
Introductions – Presenters

Maurice J. Crescenzi Jr.
Managing Director, FTI Consulting – practice leader for corporate and organizational ethics, compliance and anti-corruption
• 27 years of professional experience (last 8 as a consultant)
• Held compliance officer positions at the leadership level in large global companies: Philip Morris; Kraft Foods Global, Inc.; Schering-Plough Pharmaceuticals; DeVry Inc.
• As a former chief compliance officer, designed global compliance programs, reported to the audit committee, led global teams and worked in over 30 countries
• Teaches graduate-level courses at state universities in New Jersey on governance, compliance and risk management

Brian Risser
Senior Compliance Manager, TE Connectivity
• Oversees TE Connectivity's Anti-Bribery & Anti-Corruption Program, including Third Party Management
• Background in Audit and Accounting
• Spent 6 years in audit with Arthur Andersen and 18 years in various corporate finance roles, including Sarbanes-Oxley, before transitioning into a legal compliance role
Learning Objectives
The learning objectives associated with this presentation and case study are to:
• Explore a framework for effectively designed anti-bribery and anti-corruption programs
• Showcase the third-party risk management component as part of that framework
• Discuss leading practices to extend risk-management strategies to third parties throughout the full lifecycle of third-party relationships
• Examine the importance of internal business "buy in" and how to leverage technology in managing third-party bribery and corruption risk
Effective Anti-Bribery / Anti-Corruption Programs – Overview
An anti-bribery / anti-corruption program is one part of an enterprise-wide framework of people, programs, policies, systems and controls designed to prevent, detect and respond to instances of legal and policy violations and ethical misconduct.

Ethics and compliance program framework
• Culture of ethics and compliance
• Governance and oversight
• Documentation
Prevent:
• Risk assessments and due diligence
• Standards, policies and procedures
• Training and communications
• Third-party compliance
• Process-level controls
• Data analytics
Detect:
• Employee reporting systems (including hotlines / helplines)
• Testing and monitoring
• Data analytics
Respond:
• Case management and investigations
• Enforcement and accountability
• Incentives and discipline
• Remediation plans
Anti-Bribery / Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide, cross-functional and cross-geographic approach to preventing, detecting and responding to instances of legal and policy violations and ethical misconduct. The framework is predicated on key regulatory requirements, guiding frameworks, agency guidance and other leading practices that organizations with mature ethics and compliance programs generally find to be effective. Examples of drivers that influence the framework are as follows.

Program Drivers
• Foreign Corrupt Practices Act (and related guidance) – 1977
• Defense Industry Initiative on Ethics and Business Conduct – 1985
• US Federal Sentencing Guidelines for Organizational Defendants – 1991
• COSO Internal Control Framework – 1992
• In Re Caremark Decision – 1996
• Department of Justice Enforcement Guidance (Holder Memo) – 1999
• US Patriot Act – 2001
• Sarbanes-Oxley Act – 2002
• Office of Inspector General Guidance – 2003
• Revised Federal Sentencing Guidelines for Organizational Defendants – 2004
• Dodd-Frank Act – 2010
• Revised COSO Framework – 2013
• ISO 37001 – Anti-bribery management systems: requirements with guidance for use – 2016
• Ethics and Compliance Initiative – High-Quality Ethics and Compliance Program Measurement Framework – 2018
• Department of Justice Guidance on the Evaluation of Corporate Compliance Programs – 2019
Examples of ABAC Compliance Program "Drivers" Resulting in Leading Practices
The framework is predicated on a variety of legal requirements (e.g., Department of Justice Guidance, Office of Inspector General Guidance) and other drivers as well (e.g., US Federal Sentencing Guidelines, Foreign Corrupt Practices Act, ISO 37001). The framework incorporates and organizes a wide variety of programmatic requirements, guidance and expectations into a holistic, meaningful model. The framework rationalizes and summarizes these drivers in a proprietary manner.

ISO 37001:2016
Where the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system. Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system.

Federal Sentencing Guidelines
The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program. High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individuals within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

DOJ / SEC Guidance
Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.

OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery, including the authority to report matters directly to independent monitoring bodies such as internal audit, committees of boards of directors or supervisory boards, is the duty of one or more senior corporate officers with an adequate level of autonomy from management, resources and authority.

Governance and Oversight
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization's ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization's ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g., anti-bribery and anti-corruption, etc.) across the functions, geographies and business units who are responsible for working collaboratively with the organization's head of compliance and centralized compliance function to support the organization's ethics and compliance activities and to implement the organization's anti-bribery and anti-corruption framework in a consistent manner.
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
• Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks", which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
  Civil or criminal fines or penalties
  Reputational / brand damage
  Negative financial impact
  Negative operational impact
• Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
• Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
• Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g., enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments, so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
• Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows, or should have known, has engaged in illegal activities.
• Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third party relationships, etc.
• Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.

The slide shows an example of a risk assessment heat map that displays residual ethics and compliance risk.
Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
• Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed in line with leading practice principles (detailed below).
• Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
• Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
• Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g., annually) and establish new policies or SOPs when necessary.
• Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
• Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
• Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
• Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.

Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include utilizing short, declarative sentences; writing in the active voice versus the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework: these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
• Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
  General program audit: Audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria.
  Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners".
  Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically.
  Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically, with accurate version control.
  Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited, and (2) employees invited to complete training programs actually completed those programs.
• Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
• Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.

The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1: Define Framework – Identify the audit universe and establish common risk assessment definitions.
Step 2: Initial Analysis – Perform an initial analysis of risk with input from the Company's executive management team.
Step 3: Meeting with Management – Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance.
Step 4: Evaluate Assessment Results – Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5: Design Internal Audit Plan – Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6: Audit Committee Approval – Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
• Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g., suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g., Bribery and Corruption, Information Security, Product Quality, etc.).
• Organizations should develop and implement a comprehensive process by which a determination can be made of when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
• Organizations should have a set of standards and expectations (e.g., a Third Party Code of Conduct) with which suppliers are expected to comply.
• Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
• Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
• Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.

Third Party Risk Management Leading Practices
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization

Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships

• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  Bribery and corruption
  Cybersecurity
  Fraud
  Import / export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Due Diligence / Screening / Background Checks (tiered by risk level)
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open source investigation by a due diligence provider on both the organization and key employees / owners
4. Results reviewed by compliance personnel to make go / no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Outcomes: APPROVE, APPROVE with CONTROLS, or NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring Leveraging Analytics
Compliance Monitoring Overview
Third-party partner compliance monitoring:
• Local response team and single point of contact
• Global reach with subject matter expertise
• Committed business advisor
• High-quality services at cost-efficient pricing
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements.
2. Innovative approaches use anti-bribery / anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization.
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality.
4. Full results reporting of identified risks and observations, along with recommendations for enhancement.

Monitoring phases:
Phase 1 – Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 – Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 – Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 – Evaluation and Closing: Analyze Findings / Risks & Close-Out Meeting
Phase 5 – Reporting: Critical Issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
Business Partner Selection / Comprehensive Risk Assessment / Continuous Monitoring (Transaction Testing, Data Analytics; performed simultaneously)
1. Hundreds of business partners exist and are theoretically equal opportunities.
2. Qualitative and quantitative factors are considered to determine risk ranking (High / Medium / Low).
3. Review options are determined through a data-driven model and comprehensive analysis: Level 1, Level 2, Level 3 (review options TBD).
Case Study – TE Connectivity Ltd.
TE Connectivity Ltd. – Overview
TE Connectivity Ltd. is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
  Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ / SEC Guidance, ISO 37001, OECD, etc.)
  Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
  Ethics and Compliance is central to the way business is conducted
  There is positive Tone at the Top, and
  Employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
  Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes

ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  Collect / analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  Review policies and procedures for content, relevance, readability, consistency, etc.
  Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU.
• Internal Audit Collaboration and Planning
  Defined and prioritized current auditing and monitoring activities
  Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  Reduce risk levels from 4 to 3 by removing the Medium / High Risk rating
  3-level scoring: Low Risk (0–49 points), Medium Risk (50–79 points) and High Risk (80–100 points)
  Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  Low Risk: Initial Global Database Check (GDC). Renew / update BPQ every 3 years, with GDC performed
  Medium Risk: Initial Open Source Investigation (OSI). Renew / update BPQ every 3 years, with OSI performed
  High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration

Questions and Discussion

Tell us what you think
Evaluate this session right in the IIA Conference App. Not using the conference app? Visit iccnf.io to complete your session evaluations.
2
PARTICIPATE IN QampAbull Download the IIA Conferences App to
participate in QampA during select
sessions
bull Select the session through the schedule
icon
bull Submit your questions for the session or
to specific presenters by selecting the
ASK icon
bull Ask a member of the Conference Staff if
you need assistance
bull You can also go to httpsiccnfio from
your mobile device web browser
3
Agenda
Topic
Introductions
Learning Objectives
Effective Anti-Bribery Anti-Corruption Programs ndash Overview
bull Risk Assessments and Due Diligence
bull Codes Policies and Procedures
bull Auditing and Monitoring
bull Third Party Due Diligence
bull Compliance Monitoring leveraging analytics
Case Study ndash TE Connectivity
bull TE Connectivity ndash Overview
bull Phased assessment and enhancement of the ABAC program
QampA
Introductions
5
Introductions - Presenters
Managing Director FTI Consulting ndash practice leader for corporate
and organizational ethics compliance and anti-corruption
27 years of professional experience (last 8 as a consultant)
Held compliance officer positions at the leadership level in large
global companies
Philip Morris
Kraft Foods Global Inc
Schering-Plough Pharmaceuticals
DeVry Inc
As a former chief compliance officer designed global compliance
programs reported to audit committee led global teams worked
in over 30 countries
Teach graduate-level courses at state universities in New Jersey
on governance compliance and risk-management
Maurice J Crescenzi Jr
6
Brian Risser
Senior Compliance
Manager TE Connectivity
Oversees TE Connectivityrsquos Anti-Bribery amp Anti-Corruption
Program including Third Party Management
Background in Audit and Accounting
Spent 6 years in audit with Arthur Andersen and 18 years in
various corporate finance roles including Sarbanes Oxley
before transitioning into a legal compliance role
Introductions - Presenters
Learning Objectives
8
Learning Objectives
The learning objectives associated with this presentation and case study are to
Explore a framework for effectively designed anti-bribery and anti-corruption programs
Showcase the third-party risk management component as part of that framework
Discuss leading practices to extend risk-management strategies to third parties throughout the
full lifecycle of third-party relationships
Examine the importance of internal business ldquobuy inrdquo and how to leverage technology in
managing third-party bribery and corruption risk
Effective Anti-bribery Anti-Corruption
Programs ndash Overview
10
Anti-bribery Anti-corruption Programs Overview
An anti-bribery anti-corruption program is one part of an enterprise-wide
framework of people programs policies systems and controls
designed to prevent detect and respond to instances of legal and policy
violations and ethical misconduct
Ethics and compliance program framework
bull Culture of ethics and compliance
bull Governance and oversight
bull Documentation
Prevent Detect Respond
bull Risk assessments and due
diligence
bull Standards policies and procedures
bull Training and communications
bull Third-party compliance
bull Process-level controls
bull Data analytics
bull Employee reporting systems
(including hotlines helplines)
bull Testing and monitoring
bull Data analytics
bull Case management and
investigations
bull Enforcement and accountability
bull Incentives and discipline
bull Remediation plans
11
Anti-Bribery Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide, cross-functional and cross-geographic approach to preventing,
detecting and responding to instances of legal and policy violations and ethical misconduct. The framework is predicated on key regulatory
requirements, guiding frameworks, agency guidance and other leading practices that organizations with mature ethics and compliance
programs generally find to be effective. Examples of drivers that influence the framework are as follows:
Program Drivers
• Foreign Corrupt Practices Act (and related guidance) – 1977
• Defense Industry Initiative on Ethics and Business Conduct – 1985
• US Federal Sentencing Guidelines for Organizational Defendants – 1991
• COSO Internal Control Framework – 1992
• In Re Caremark Decision – 1996
• Department of Justice Enforcement Guidance (Holder Memo) – 1999
• US Patriot Act – 2001
• Sarbanes-Oxley Act – 2002
• Office of Inspector General Guidance – 2003
• Revised Federal Sentencing Guidelines for Organizational Defendants – 2004
• Dodd-Frank Act – 2010
• Revised COSO Framework – 2013
• ISO 37001 – Anti-bribery management systems: requirements with guidance for use – 2016
• Ethics and Compliance Initiative – High-quality Ethics and Compliance Program Measurement Framework – 2018
• Department of Justice Guidance on the Evaluation of Corporate Compliance Programs – 2019
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM "DRIVERS" AND RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (e.g. Department of Justice Guidance, Office of Inspector General Guidance) and other drivers as well (e.g. US Federal Sentencing Guidelines, Foreign Corrupt Practices Act, ISO 37001).
The framework incorporates and organizes a wide variety of programmatic requirements, guidance and expectations into a holistic, meaningful model. The framework rationalizes and summarizes these drivers in a proprietary manner.
ISO 37001:2016
"Where the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system."
"Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system."
Federal Sentencing Guidelines
"The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program."
"High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individuals within high-level personnel shall be assigned overall responsibility for the compliance and ethics program."
DOJ/SEC Guidance
"Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company."
OECD Framework
"Oversight of ethics and compliance programs or measures regarding foreign bribery, including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or at supervisory boards, is the duty of one or more senior corporate officers, with an adequate level of autonomy from management, resources and authority."
Governance and Oversight
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization's ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization's ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program-related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g. anti-bribery and anti-corruption, etc.) across the functions, geographies and business units who are responsible for working collaboratively with the organization's head of compliance and centralized compliance function to support the organization's ethics and compliance activities and to implement the organization's anti-bribery and anti-corruption framework in a consistent manner.
Anti-Bribery Anti-Corruption Compliance Program Framework
Risk Assessments and
Due Diligence
14
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks", which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
Civil or criminal fines or penalties
Reputational/brand damage
Negative financial impact
Negative operational impact
Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g. enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments, so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows or should have known has engaged in illegal activities.
Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third party relationships, etc.
Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.
15
Risk Assessments and Due Diligence
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk
Codes Policies and Procedures
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed in line with leading practice principles (detailed on the following slide).
Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g. annually) and establish new policies or SOPs when necessary.
Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
18
Organizations should develop codes, policies and procedures in line with the following principles:
Values-based
Risk-based, covering the waterfront of ethics and compliance risks
Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
Use of plain-language writing principles, which include:
• utilizing short, declarative sentences; writing in the active voice versus the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework, these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate, and is branded in a manner that is consistent with the organization's ethics and compliance program
Codes, Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
General program audit: Audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria
Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners"
Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically
Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically, with accurate version control
Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
21
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps (shown on the slide as a six-box flow from Define Framework through Audit Committee Approval):
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Company's executive management team
Step 3 Meeting with Management - Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk
Step 6 Audit Committee Approval - Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
• Bribery and corruption
• Cybersecurity
• Fraud
• Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Third Party Due Diligence
26
Due Diligence Screening / Background Checks (tiered, with enhanced due diligence as risk rises)
Low Risk Due Diligence
1 Published penalties/convictions
2 PEP screening and watch list checks
3 Negative news searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open source investigation by a due diligence provider on both the organization and key employees/owners
4 Results reviewed by compliance personnel to make go/no-go decision
High Risk Due Diligence
1 Low and Medium Risk checks PLUS
2 Audit and review financials
3 Interview references, political and business associates
4 Field investigative background reports using local data sources
Outcomes: APPROVE, APPROVE with CONTROLS, or NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
[Figure: the organization at the center, supported by a local response team and single point of contact, global reach with subject matter expertise, a committed business advisor, and high-quality services at cost-efficient pricing]
1 Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2 Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3 Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4 Full results reporting of identified risks and observations, along with recommendations for enhancement
Phase 1 Audit Initiation - Planning, Education, Kick-off Meeting
Phase 2 Pre-fieldwork Scoping - Operational Assessment & Third Party Intelligence Check
Phase 3 Fieldwork - Sampling, Interviewing & Transaction Testing
Phase 4 Evaluation and Closing - Analyze Findings, Risks & Close-Out Meeting
Phase 5 Reporting - Critical Issues, Observations and Enhancement Opportunities
Project Management Office - Project Coordination, Education, Quality Assurance & Reporting
29
Business Partner Selection / Comprehensive Risk Assessment / Continuous Monitoring, Transaction Testing, Data Analytics
[Figure: business partners A through J are sorted into High, Medium and Low risk bands; review options (Level 1, Level 2, Level 3) are still to be determined; continuous monitoring is performed simultaneously]
1 Hundreds of business partners exist and are theoretically equal opportunities
2 Qualitative and quantitative factors are considered to determine risk ranking
3 Review options are determined through a data-driven model and comprehensive analysis
Case Study –
TE Connectivity Ltd
TE Connectivity Ltd –
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer, sustainable, productive and connected future. For more than
75 years, our connectivity and sensor solutions, proven in the harshest
environments, have enabled advancements in transportation, industrial
applications, medical technology, energy, data communications and the home.
With 80,000 employees, including more than 8,000 engineers, working alongside
customers in approximately 140 countries, TE ensures that EVERY
CONNECTION COUNTS. Learn more at www.te.com and
on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
• Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
• Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
• Ethics and Compliance is central to the way business is conducted,
• there is positive Tone at the Top, and
• employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
• Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
Business Partner Management Program Enhancement
• Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
• Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
• Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
ABAC Policy Enhancement
• Review policies and procedures for content, relevance, readability, consistency, etc.
• Simplify framework and update ABAC and COI policies and processes
ABAC Risk Assessment Process Enhancement
• Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
Internal Audit Collaboration and Planning
• Defined and prioritized current auditing and monitoring activities
• Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
ABAC Third Party Risk Management Analytics (Phase 3)
36
Risk Ranking In-Scope Business Partners
• Reduce risk levels from 4 to 3 by removing the Medium/High risk rating
• 3 levels scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
• Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
Frequency & Scope of Due Diligence and Renewal of Business Partners
• Low Risk: Initial Global Database Check (GDC). Renew/update BPQ every 3 years with GDC performed
• Medium Risk: Initial Open Source Investigation (OSI). Renew/update BPQ every 3 years with OSI performed
• High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
Business Partner Training and ABAC Declarations
• Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
• Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
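As an added example (not TE Connectivity's or FTI's own scoring model), the Python below sketches the Phase 4 three-tier ranking and due diligence cadence described above: the tier thresholds, the CPI and BPQ weights and the GDC/OSI/EDD schedule come from the slide, while the remaining factor weights, the scaling bands, the helper names and the sample partners are assumptions constructed here for illustration.

```python
"""Three-tier business partner (BP) risk scoring and due diligence cadence.

Added illustration, not TE Connectivity's or FTI's methodology. Taken from the
slide: tiers Low 0-49 / Medium 50-79 / High 80-100 points, CPI weighted 30 and
BPQ weighted 20, and the GDC / OSI / EDD cadence per tier. Everything else
(other weights, scaling bands, sample partners) is constructed here.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Points per factor (sum = 100). CPI and BPQ weights are the slide's proposed
# values; the other three are a hypothetical split of the remaining 50 points
# across attributes the deck lists as third-party risk attributes.
WEIGHTS = {
    "cpi": 30,             # operating geography's Corruption Perception Index
    "bpq": 20,             # responses on the Business Partner Questionnaire
    "commissions": 20,     # hypothetical: excessive discounts and commissions
    "past_failures": 20,   # hypothetical: past compliance failures
    "contract_value": 10,  # hypothetical: contractual value and duration
}
assert sum(WEIGHTS.values()) == 100

# Three levels (the former 4-level scale's Medium/High rating was removed).
TIERS = (("Low", 0, 49), ("Medium", 50, 79), ("High", 80, 100))


@dataclass
class BusinessPartner:
    name: str
    cpi_score: int             # CPI of operating geography, 0 (worst) to 100 (cleanest)
    bpq_risk: float            # share of BPQ answers flagged, 0.0 to 1.0
    commission_pct: float      # commission/discount as % of sales
    past_failures: int         # prior compliance failures on record
    contract_value_usd: float
    red_flags: list = field(default_factory=list)  # hits needing further review


def _scale(value: float, low: float, high: float) -> float:
    """Clamp value into [low, high] and map it to 0.0 (low) .. 1.0 (high)."""
    value = min(max(value, low), high)
    return (value - low) / (high - low)


def normalised_factors(bp: BusinessPartner) -> dict:
    """Each factor as 0.0 (lowest risk) .. 1.0 (highest risk); bands are hypothetical."""
    return {
        "cpi": 1.0 - bp.cpi_score / 100,                  # low CPI = more perceived corruption
        "bpq": bp.bpq_risk,
        "commissions": _scale(bp.commission_pct, 5, 25),  # 25%+ treated as maximum risk
        "past_failures": _scale(bp.past_failures, 0, 3),  # 3+ failures = maximum risk
        "contract_value": _scale(bp.contract_value_usd, 100_000, 5_000_000),
    }


def risk_score(bp: BusinessPartner) -> int:
    """Weighted score on the 0-100 point scale used for tiering."""
    factors = normalised_factors(bp)
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS))


def risk_tier(score: int) -> str:
    for name, low, high in TIERS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} outside 0-100")


@dataclass
class DueDiligencePlan:
    tier: str
    initial_check: str              # GDC, OSI or EDD at onboarding
    bpq_renewal_years: int          # renew/update the BPQ this often
    renewal_check: str              # check performed with each renewal
    edd_every_years: Optional[int]  # High Risk: EDD replaces OSI roughly this often
    annual_training: bool           # online training assigned annually (High Risk)
    escalate_to_edd_or_audit: bool  # "red flags" may require EDD or audit
    annual_declaration: bool = True  # required for every in-scope active BP


def plan_for(bp: BusinessPartner) -> DueDiligencePlan:
    """Map a partner's tier to the due diligence cadence from the slide."""
    tier = risk_tier(risk_score(bp))
    flagged = bool(bp.red_flags)
    if tier == "Low":
        return DueDiligencePlan(tier, "GDC", 3, "GDC", None, False, flagged)
    if tier == "Medium":
        return DueDiligencePlan(tier, "OSI", 3, "OSI", None, False, flagged)
    return DueDiligencePlan(tier, "EDD", 1, "OSI", 6, True, flagged)


def next_bpq_renewal(bp: BusinessPartner, last_review_iso: str) -> str:
    """ISO date the BPQ is next due, given the tier's renewal interval."""
    last = date.fromisoformat(last_review_iso)
    years = plan_for(bp).bpq_renewal_years
    try:
        due = last.replace(year=last.year + years)
    except ValueError:  # 29 February rolled into a non-leap year
        due = last.replace(year=last.year + years, day=28)
    return due.isoformat()


# Constructed sample partners (not real TE distributors).
LOW_RISK_BP = BusinessPartner("Distributor A", 85, 0.1, 5, 0, 200_000)
MEDIUM_RISK_BP = BusinessPartner("Distributor B", 40, 0.7, 15, 1, 1_000_000,
                                 red_flags=["adverse media hit (constructed)"])
HIGH_RISK_BP = BusinessPartner("Distributor C", 25, 0.8, 30, 2, 6_000_000)
```

Running `plan_for` over the three constructed partners yields 7, 51 and 82 points, so they land in the Low, Medium and High tiers respectively; the Medium partner's red flag marks it for escalation even though its score alone would not.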
Questions and Discussion
38
3
Agenda
Topic
Introductions
Learning Objectives
Effective Anti-Bribery Anti-Corruption Programs ndash Overview
bull Risk Assessments and Due Diligence
bull Codes Policies and Procedures
bull Auditing and Monitoring
bull Third Party Due Diligence
bull Compliance Monitoring leveraging analytics
Case Study ndash TE Connectivity
bull TE Connectivity ndash Overview
bull Phased assessment and enhancement of the ABAC program
QampA
Introductions
5
Introductions - Presenters
Managing Director FTI Consulting ndash practice leader for corporate
and organizational ethics compliance and anti-corruption
27 years of professional experience (last 8 as a consultant)
Held compliance officer positions at the leadership level in large
global companies
Philip Morris
Kraft Foods Global Inc
Schering-Plough Pharmaceuticals
DeVry Inc
As a former chief compliance officer designed global compliance
programs reported to audit committee led global teams worked
in over 30 countries
Teach graduate-level courses at state universities in New Jersey
on governance compliance and risk-management
Maurice J Crescenzi Jr
6
Brian Risser
Senior Compliance
Manager TE Connectivity
Oversees TE Connectivityrsquos Anti-Bribery amp Anti-Corruption
Program including Third Party Management
Background in Audit and Accounting
Spent 6 years in audit with Arthur Andersen and 18 years in
various corporate finance roles including Sarbanes Oxley
before transitioning into a legal compliance role
Introductions - Presenters
Learning Objectives
8
Learning Objectives
The learning objectives associated with this presentation and case study are to
Explore a framework for effectively designed anti-bribery and anti-corruption programs
Showcase the third-party risk management component as part of that framework
Discuss leading practices to extend risk-management strategies to third parties throughout the
full lifecycle of third-party relationships
Examine the importance of internal business ldquobuy inrdquo and how to leverage technology in
managing third-party bribery and corruption risk
Effective Anti-bribery Anti-Corruption
Programs ndash Overview
10
Anti-bribery Anti-corruption Programs Overview
An anti-bribery anti-corruption program is one part of an enterprise-wide
framework of people programs policies systems and controls
designed to prevent detect and respond to instances of legal and policy
violations and ethical misconduct
Ethics and compliance program framework
bull Culture of ethics and compliance
bull Governance and oversight
bull Documentation
Prevent Detect Respond
bull Risk assessments and due
diligence
bull Standards policies and procedures
bull Training and communications
bull Third-party compliance
bull Process-level controls
bull Data analytics
bull Employee reporting systems
(including hotlines helplines)
bull Testing and monitoring
bull Data analytics
bull Case management and
investigations
bull Enforcement and accountability
bull Incentives and discipline
bull Remediation plans
11
Anti-Bribery Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide cross-functional and cross-geographic approach to preventing
detecting and responding to instances of legal and policy violations and ethical misconduct The framework is predicated on key regulatory
requirements guiding frameworks agency guidance and other leading practices that organizations with mature ethics and compliance
programs generally find to be effective Examples of drivers that influence the framework are as follows
Program Drivers
bull Foreign Corrupt Practices Act (and related guidance) - 1977
bull Defense Industry Initiative on Ethics and Business Conduct ndash 1985
bull US Federal Sentencing Guidelines for Organizational Defendants ndash 1991
bull COSO Internal Control Framework ndash 1992
bull In Re Caremark Decision ndash 1996
bull Department of Justice Enforcement Guidance (Holder Memo) ndash 1999
bull US Patriot Act ndash 2001
bull Sarbanes-Oxley Act ndash 2002
bull Office of Inspector General Guidance ndash 2003
bull Revised Federal Sentencing Guidelines for Organizational Defendants ndash 2004
bull Dodd-Frank Act ndash 2010
bull Revised COSO Framework ndash 2013
bull ISO 37001 ndash Anti-bribery management systems requirements with guidance for
use ndash 2016
bull Ethics and Compliance Initiative ndash High-quality Ethics and Compliance Program
Measurement Framework ndash 2018
bull Department of Justice Guidance on the Evaluation of Corporate Compliance
Programs ndash 2019
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM ldquoDRIVERSrdquo RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (eg
Department of Justice Guidance Officer of Inspector General
Guidance) and other drivers as well (eg US Federal Sentencing
Guidelines Foreign Corrupt Practice Act ISO 37001)
The framework incorporates and organizes a wide variety of programmatic requirements guidance and expectations into a holistic meaningful model The framework rationalizes and
summarizes these drivers in a proprietary manner
ISO 370012016
The organization has a governing body that body shall demonstrate leadership and commitment with respect to the anti-bribery management system
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system
Federal Sentencing Guidelines
The organizationrsquos governing authority shall be knowledgeable about the
content and operation of the compliance and ethics program and shall
exercise reasonable oversight with respect to the implementation and
effectiveness of the compliance and ethics program
High-level personnel of the organization shall ensure that the organization
has an effective compliance and ethics program as described in this
guideline Specific individuals within high-level personnel shall be
assigned overall responsibility for the compliance and ethics program
DOJ SEC Guidance
Within a business organization compliance begins with the board of
directors and senior executives setting the proper tone for the rest of the
company
OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or at supervisory boards is the duty of one or more senior corporate officers with an adequate level of autonomy from management resources and authority
Governance and Oversight
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization's ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization's ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g. anti-bribery and anti-corruption, etc.) across the functions, geographies and business units who are responsible for working collaboratively with the organization's head of compliance and centralized compliance function to support the organization's ethics and compliance activities and to implement the organization's anti-bribery and anti-corruption framework in a consistent manner.
Anti-Bribery Anti-Corruption Compliance Program Framework
Risk Assessments and Due Diligence
14
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks", which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
• Civil or criminal fines or penalties
• Reputational / brand damage
• Negative financial impact
• Negative operational impact
Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g. enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows, or should have known, has engaged in illegal activities.
Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third party relationships, etc.
Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.
15
Risk Assessments and Due Diligence
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk. (Heat map image not included in the transcript.)
Codes, Policies and Procedures
17
Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed in line with leading practice principles (detailed on the following slide).
Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g. annually) and establish new policies or SOPs when necessary.
Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
18
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include: utilizing short, declarative sentences; writing in the active voice versus the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework: these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Codes, Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
• General program audit: Audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria
• Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners"
• Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically
• Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically, with accurate version control
• Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited, and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation (which defines the compliance program) and whether the program is effectively implemented and maintained.
Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
21
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1 - Define Framework: Identify the audit universe and establish common risk assessment definitions.
Step 2 - Initial Analysis: Perform an initial analysis of risk with input from the Company's executive management team.
Step 3 - Meeting with Management: Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance.
Step 4 - Evaluate Assessment Results: Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5 - Design Internal Audit Plan: Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on the severity of perceived risk.
Step 6 - Audit Committee Approval: Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
Organizations should develop and implement a comprehensive process by which a determination can be made of when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import / export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows (lifecycle diagram not included in the transcript).
Third Party Due Diligence
26
Due Diligence / Screening / Background Checks
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks, PLUS:
2. Collect supporting documentation
3. Open source investigation by a due diligence provider on both the organization and key employees / owners
4. Results reviewed by compliance personnel to make a go / no-go decision
High Risk Due Diligence
1. Low and Medium Risk checks, PLUS:
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
(Diagram: the review ends in one of three outcomes, APPROVE, APPROVE with CONTROLS or NOT APPROVED; the diagram also shows an Enhanced Due Diligence path and the instruction to collect all materials and document decisions.)
ABAC Compliance Monitoring Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
(Diagram: the organization at the center, surrounded by Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing.)
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2. Innovative approaches use anti-bribery / anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations, along with recommendations for enhancement
Phase 1 - Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 - Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 - Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 - Evaluation and Closing: Analyze Findings / Risks & Close-Out Meeting
Phase 5 - Reporting: Critical Issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
29
Business Partner Selection / Comprehensive Risk Assessment
1. Hundreds of business partners exist and are theoretically equal opportunities
2. Qualitative and quantitative factors are considered to determine risk ranking
3. Review options are determined through a data-driven model and comprehensive analysis
(Diagram: business partners labelled A through J are sorted into High, Medium and Low risk bands; the review options, performed simultaneously, are Level 1, Level 2 and Level 3, marked "TBD".)
Continuous Monitoring / Transaction Testing / Data Analytics
Case Study - TE Connectivity Ltd
TE Connectivity Ltd - Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program...
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ / SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where...
  • Ethics and Compliance is central to the way business is conducted,
  • there is a positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team...
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect / analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
35
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium / High Risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC). Renew / update BPQ every 3 years, with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI). Renew / update BPQ every 3 years, with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners; can accompany the annual Declaration
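The three-tier scoring and the per-tier due diligence schedule described on this slide, as an added worked example in Python (it is not TE Connectivity's or FTI Consulting's code). Only the tier boundaries (0-49, 50-79, 80-100), the CPI weight of 30, the BPQ weight of 20, and the per-tier initial check, renewal interval and training rule come from the slide. The other three scoring factors and their weights (chosen so the total is 100), the 15% commission cap, the `Partner` fields and the sample partners are assumptions made for illustration.

```python
"""Three-tier business-partner risk scoring and due diligence schedule.

Added illustration, not TE Connectivity's or FTI Consulting's code. Slide
values: tiers Low 0-49 / Medium 50-79 / High 80-100; CPI weight 30; BPQ
weight 20; GDC / OSI / EDD checks and renewal intervals per tier. All other
factors, weights, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass

# Factor weights out of 100. CPI and BPQ are the slide's proposed values;
# the remaining three factors and weights are assumed to complete the scale.
WEIGHTS = {
    "cpi": 30,              # Corruption Perceptions Index of the country (slide value)
    "bpq": 20,              # Business Partner Questionnaire responses (slide value)
    "commission": 20,       # excessive discounts / commissions (assumed weight)
    "gov_touchpoints": 20,  # partner deals with government officials (assumed weight)
    "prior_issues": 10,     # past compliance failures on record (assumed weight)
}
assert sum(WEIGHTS.values()) == 100

# (tier, lowest score, highest score), from the slide.
TIERS = [("Low", 0, 49), ("Medium", 50, 79), ("High", 80, 100)]

# Per-tier schedule from the slide. GDC = Global Database Check,
# OSI = Open Source Investigation, EDD = Enhanced Due Diligence.
SCHEDULE = {
    "Low":    {"initial": "GDC", "bpq_years": 3, "renewal_check": "GDC", "edd_years": None, "training": False},
    "Medium": {"initial": "OSI", "bpq_years": 3, "renewal_check": "OSI", "edd_years": None, "training": False},
    "High":   {"initial": "EDD", "bpq_years": 1, "renewal_check": "OSI", "edd_years": 6,    "training": True},
}

COMMISSION_CAP_PCT = 15.0  # assumed: commission at or above this saturates the factor


@dataclass
class Partner:
    name: str
    cpi: int               # CPI of the operating country, 0 (most corrupt) to 100 (cleanest)
    bpq_risk: float        # 0.0-1.0 risk derived from questionnaire answers
    commission_pct: float  # discount / commission as a percentage of contract value
    gov_touchpoints: bool  # represents the organization before government officials
    prior_issues: bool     # past compliance failure on record


def risk_score(p: Partner) -> int:
    """Weighted 0-100 score; higher means riskier."""
    factors = {
        "cpi": (100 - p.cpi) / 100,  # a low CPI (more perceived corruption) raises risk
        "bpq": p.bpq_risk,
        "commission": min(p.commission_pct / COMMISSION_CAP_PCT, 1.0),  # linear up to the cap
        "gov_touchpoints": 1.0 if p.gov_touchpoints else 0.0,
        "prior_issues": 1.0 if p.prior_issues else 0.0,
    }
    return round(sum(WEIGHTS[k] * v for k, v in factors.items()))


def risk_tier(score: int) -> str:
    """Map a 0-100 score to the slide's three tiers."""
    for name, low, high in TIERS:
        if low <= score <= high:
            return name
    raise ValueError(f"score out of range: {score}")


def due_diligence_plan(p: Partner, year_onboarded: int, horizon_years: int = 6) -> dict:
    """Score the partner and list what is due in each year of the horizon."""
    score = risk_score(p)
    tier = risk_tier(score)
    s = SCHEDULE[tier]
    checks = {year_onboarded: [s["initial"], "ABAC declaration"]}
    for year in range(year_onboarded + 1, year_onboarded + horizon_years + 1):
        elapsed = year - year_onboarded
        due = ["ABAC declaration"]  # annual for every in-scope active partner
        if elapsed % s["bpq_years"] == 0:
            check = s["renewal_check"]
            if s["edd_years"] and elapsed % s["edd_years"] == 0:
                check = "EDD"  # High Risk: full EDD replaces the OSI every ~6 years
            due += ["BPQ renewal", check]
        if s["training"]:
            due.append("online training")  # High Risk only, alongside the declaration
        checks[year] = due
    return {"name": p.name, "score": score, "tier": tier, "checks": checks}


# Constructed sample partners (not real entities).
SAMPLE = [
    Partner("Alpha Distribution", cpi=85, bpq_risk=0.1, commission_pct=5, gov_touchpoints=False, prior_issues=False),
    Partner("Beta Agency", cpi=35, bpq_risk=0.6, commission_pct=10, gov_touchpoints=True, prior_issues=False),
    Partner("Gamma Consultants", cpi=20, bpq_risk=0.9, commission_pct=25, gov_touchpoints=True, prior_issues=True),
]

if __name__ == "__main__":
    for partner in SAMPLE:
        plan = due_diligence_plan(partner, 2019)
        print(f"{plan['name']}: score {plan['score']} -> {plan['tier']}")
        for year, due in plan["checks"].items():
            print(f"  {year}: {', '.join(due)}")
```

Running the block scores the three constructed partners as Low (13), Medium (65) and High (92) and prints, for each, the year-by-year checks: the Low partner only owes an annual declaration until its three-year BPQ renewal with a GDC, while the High partner renews its BPQ every year with an OSI and is re-screened with a full EDD in year six. Weight changes of the kind the slide proposes (CPI from 40 to 30, BPQ from 10 to 20) are a one-line edit to `WEIGHTS`, which makes it easy to see how many partners migrate between tiers under a proposed methodology before it is adopted.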
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App.
Not using the conference app? Visit iccnf.io to complete your session evaluations.
Introductions
5
Introductions - Presenters
Managing Director FTI Consulting ndash practice leader for corporate
and organizational ethics compliance and anti-corruption
27 years of professional experience (last 8 as a consultant)
Held compliance officer positions at the leadership level in large
global companies
Philip Morris
Kraft Foods Global Inc
Schering-Plough Pharmaceuticals
DeVry Inc
As a former chief compliance officer designed global compliance
programs reported to audit committee led global teams worked
in over 30 countries
Teach graduate-level courses at state universities in New Jersey
on governance compliance and risk-management
Maurice J Crescenzi Jr
6
Brian Risser
Senior Compliance
Manager TE Connectivity
Oversees TE Connectivityrsquos Anti-Bribery amp Anti-Corruption
Program including Third Party Management
Background in Audit and Accounting
Spent 6 years in audit with Arthur Andersen and 18 years in
various corporate finance roles including Sarbanes Oxley
before transitioning into a legal compliance role
Introductions - Presenters
Learning Objectives
8
Learning Objectives
The learning objectives associated with this presentation and case study are to
Explore a framework for effectively designed anti-bribery and anti-corruption programs
Showcase the third-party risk management component as part of that framework
Discuss leading practices to extend risk-management strategies to third parties throughout the
full lifecycle of third-party relationships
Examine the importance of internal business ldquobuy inrdquo and how to leverage technology in
managing third-party bribery and corruption risk
Effective Anti-bribery Anti-Corruption
Programs ndash Overview
10
Anti-bribery Anti-corruption Programs Overview
An anti-bribery anti-corruption program is one part of an enterprise-wide
framework of people programs policies systems and controls
designed to prevent detect and respond to instances of legal and policy
violations and ethical misconduct
Ethics and compliance program framework
bull Culture of ethics and compliance
bull Governance and oversight
bull Documentation
Prevent Detect Respond
bull Risk assessments and due
diligence
bull Standards policies and procedures
bull Training and communications
bull Third-party compliance
bull Process-level controls
bull Data analytics
bull Employee reporting systems
(including hotlines helplines)
bull Testing and monitoring
bull Data analytics
bull Case management and
investigations
bull Enforcement and accountability
bull Incentives and discipline
bull Remediation plans
11
Anti-Bribery Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide cross-functional and cross-geographic approach to preventing
detecting and responding to instances of legal and policy violations and ethical misconduct The framework is predicated on key regulatory
requirements guiding frameworks agency guidance and other leading practices that organizations with mature ethics and compliance
programs generally find to be effective Examples of drivers that influence the framework are as follows
Program Drivers
bull Foreign Corrupt Practices Act (and related guidance) - 1977
bull Defense Industry Initiative on Ethics and Business Conduct ndash 1985
bull US Federal Sentencing Guidelines for Organizational Defendants ndash 1991
bull COSO Internal Control Framework ndash 1992
bull In Re Caremark Decision ndash 1996
bull Department of Justice Enforcement Guidance (Holder Memo) ndash 1999
bull US Patriot Act ndash 2001
bull Sarbanes-Oxley Act ndash 2002
bull Office of Inspector General Guidance ndash 2003
bull Revised Federal Sentencing Guidelines for Organizational Defendants ndash 2004
bull Dodd-Frank Act ndash 2010
bull Revised COSO Framework ndash 2013
bull ISO 37001 ndash Anti-bribery management systems requirements with guidance for
use ndash 2016
bull Ethics and Compliance Initiative ndash High-quality Ethics and Compliance Program
Measurement Framework ndash 2018
bull Department of Justice Guidance on the Evaluation of Corporate Compliance
Programs ndash 2019
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM ldquoDRIVERSrdquo RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (eg
Department of Justice Guidance Officer of Inspector General
Guidance) and other drivers as well (eg US Federal Sentencing
Guidelines Foreign Corrupt Practice Act ISO 37001)
The framework incorporates and organizes a wide variety of programmatic requirements guidance and expectations into a holistic meaningful model The framework rationalizes and
summarizes these drivers in a proprietary manner
ISO 370012016
The organization has a governing body that body shall demonstrate leadership and commitment with respect to the anti-bribery management system
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system
Federal Sentencing Guidelines
The organizationrsquos governing authority shall be knowledgeable about the
content and operation of the compliance and ethics program and shall
exercise reasonable oversight with respect to the implementation and
effectiveness of the compliance and ethics program
High-level personnel of the organization shall ensure that the organization
has an effective compliance and ethics program as described in this
guideline Specific individuals within high-level personnel shall be
assigned overall responsibility for the compliance and ethics program
DOJ SEC Guidance
Within a business organization compliance begins with the board of
directors and senior executives setting the proper tone for the rest of the
company
OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or at supervisory boards is the duty of one or more senior corporate officers with an adequate level of autonomy from management resources and authority
Governance and Oversight
Governing Authority Oversight Organizations should
have a governing authority (typically the Board of Directors
or a Committee of the Board) that exercises high-level
oversight of all elements of the organizationrsquos ethics and
compliance program and is knowledgeable about the
content and operation of the program
Executive Level Oversight Organizations should have a
senior member of management who (1) oversees the
development implementation and maintenance of the
organizations ethics and compliance program (2)
collaborates with functional and geographic leaders to help
integrate ethics and compliance activities within the
business and (3) provides ethics and compliance program
related updates to the board or one of its committees
directly and on a regular basis
Day-to-day Oversight Organizations should identify
compliance risk owners (eg anti-bribery and anti-
corruption etc) across the functions geographies and
business units who are responsible for working
collaboratively with the organizations head of compliance
and centralized compliance function to support the
organizations ethics and compliance activities and to
implement the organizations anti-bribery and anti-
corruption framework in a consistent manner
Anti-Bribery Anti-Corruption Compliance Program Framework
Risk Assessments and
Due Diligence
14
Risk Assessments and Due Diligence
Risk Assessments Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing in a consistent manner
across functions geographies and business units ethics and compliance risks that are determined to be of top priority based on the results of the
compliance risk assessment
Risk Assessments Organizations should take steps to integrate other risk assessment activities (eg enterprise risk management fraud risk
assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to
maximize efficiencies
Due Diligence Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual
whom the organization knows or should have known has engaged in illegal activities
Due Diligence Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition This due
diligence should include the evaluation of the target companys compliance program employee training third party relationships etc
Due Diligence Organizations should incorporate acquired companies into its internal control structure and compliance program in a timely manner
Organizations should consider training new employees re-evaluating third parties under the organizations standards and as necessary conduct
audits on new business units
Some leading practices that organizations with mature compliance programs find to be effective in the
area of Risk Assessments and Due Diligence include
Risk Assessments Organizations should take a consistent definition of ethics and compliance
risksrdquo which are existing or emerging threats to the organization (across all functional areas) related
to potential legal regulatory or policy non-compliance and unethical conduct ndash resulting in
Civil or criminal fines or penalties
Reputational brand damage
Negative financial impact
Negative operational impact
Risk Assessments Organizations should develop implement and periodically conduct a
focused ethics and compliance risk assessment designed to (1) identify (2) prioritize and (3)
assign responsibility for managing ethics and compliance risks
15
Risk Assessments and Due Diligence
1
5
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk
Codes, Policies and Procedures
17
Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
• Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed in line with leading practice principles (detailed on the following slide).
• Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
• Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
• Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g. annually) and establish new policies or SOPs when necessary.
• Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
• Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
• Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
• Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
18
Codes, Policies and Procedures
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include: utilizing short, declarative sentences; writing in the active voice versus the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework: these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
• Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
  – General program audit: Audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria.
  – Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners".
  – Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically.
  – Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically, with accurate version control.
  – Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited and (2) employees invited to complete training programs actually completed those programs.
• Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
• Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
21
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1 – Define Framework: Identify audit universe and establish common risk assessment definitions.
Step 2 – Initial Analysis: Perform an initial analysis of risk with input from the Company's executive management team.
Step 3 – Meeting with Management: Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance.
Step 4 – Evaluate Assessment Results: Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5 – Design Internal Audit Plan: Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6 – Audit Committee Approval: Present internal audit plan to Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
• Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
• Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
• Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
• Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
• Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
• Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices:
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
Third Party Due Diligence
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  – Bribery and corruption
  – Cybersecurity
  – Fraud
  – Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
26
Third Party Due Diligence – Due Diligence, Screening, Background Checks
Low Risk Due Diligence:
1. Published penalties/convictions
2. PEP Screening and Watch List Checks
3. Negative News Searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence:
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make go/no-go decision
High Risk Due Diligence (Enhanced Due Diligence):
1. Low and Medium Risk Checks PLUS
2. Audit and Review Financials
3. Interview references, political and business associates
4. Field Investigative background reports using local data sources
Possible outcomes: APPROVE; APPROVE with CONTROLS; NOT APPROVED. In every case, collect all materials and document decisions.
ABAC Compliance Monitoring – Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
[Figure: the organization at the center, supported by a Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing]
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements.
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization.
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality.
4. Full results reporting of identified risks and observations, along with recommendations for enhancement.
[Figure: five-phase engagement approach, supported throughout by a Project Management Office (Project Coordination, Education, Quality Assurance & Reporting)]
Phase 1 – Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 – Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 – Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 – Evaluation and Closing: Analyze Findings, Risks & Close Out Meeting
Phase 5 – Reporting: Critical Issues, Observations and Enhancement Opportunities
29
[Figure: business partners A to J plotted on a High / Medium / Low risk ranking, with review options to be determined (Level 1, Level 2, Level 3)]
Business Partner Selection, Comprehensive Risk Assessment, and Continuous Monitoring / Transaction Testing / Data Analytics (performed simultaneously):
1. Hundreds of business partners exist and are theoretically equal opportunities.
2. Qualitative and quantitative factors are considered to determine risk ranking.
3. Review options are determined through a data-driven model and comprehensive analysis.
Case Study – TE Connectivity Ltd
TE Connectivity Ltd – Overview
32
TE Connectivity Ltd – Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program...
  – Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  – Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where...
  – Ethics and Compliance is central to the way business is conducted,
  – there is positive Tone at the Top, and
  – employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team...
  – Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  – Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  – Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  – Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  – Review policies and procedures for content, relevance, readability, consistency, etc.
  – Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  – Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  – Defined and prioritized current auditing and monitoring activities
  – Assigned responsibilities to Ethics and Compliance and IA teams
35
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
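The following Python script is an added example, not code from the presentation, TE Connectivity or FTI Consulting. It shows what a transaction-level indicator model of the kind described in Phase 3 (and the data-driven partner ranking of slide 29) looks like when run over a constructed distributor data set: every transaction in the population is examined rather than a sample, each one is tagged with the indicators it triggers, and distributors are ranked so review effort can go to the highest-scoring ones first. The indicator definitions, the thresholds, the CPI-style country scores and the sample transactions are all assumptions made for illustration; the attributes they encode (excessive discounts and commissions, operating geography, past compliance failures) are the ones the slides list as third-party risk attributes.

```python
"""Transaction-level bribery-risk indicators over distributor data.

Added example, not code from TE Connectivity or FTI Consulting. Indicator
definitions, thresholds and all data below are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed CPI-style country scores (100 = cleanest). Not real CPI data.
CPI = {"AA": 85, "BB": 60, "CC": 30}

# Assumed thresholds for the indicators.
HIGH_RISK_CPI = 40      # countries scoring below this are high-risk geographies
COMMISSION_MAX = 10.0   # commission percentage above which we flag
DISCOUNT_Z = 2.0        # discount more than 2 standard deviations above the mean

# Constructed sample transactions (one row per distributor invoice).
TRANSACTIONS = [
    {"id": "T1", "distributor": "D1", "country": "AA", "amount": 12000,
     "discount_pct": 10, "commission_pct": 3, "prior_findings": 0},
    {"id": "T2", "distributor": "D1", "country": "AA", "amount": 8000,
     "discount_pct": 12, "commission_pct": 4, "prior_findings": 0},
    {"id": "T3", "distributor": "D1", "country": "AA", "amount": 9500,
     "discount_pct": 11, "commission_pct": 3, "prior_findings": 0},
    {"id": "T4", "distributor": "D2", "country": "BB", "amount": 15000,
     "discount_pct": 9, "commission_pct": 12, "prior_findings": 0},
    {"id": "T5", "distributor": "D2", "country": "BB", "amount": 7000,
     "discount_pct": 10, "commission_pct": 5, "prior_findings": 0},
    {"id": "T6", "distributor": "D3", "country": "CC", "amount": 20000,
     "discount_pct": 40, "commission_pct": 15, "prior_findings": 1},
]


def discount_outliers(txns, z=DISCOUNT_Z):
    """Ids of transactions whose discount is an outlier against the whole
    population (every transaction is examined, not a sample)."""
    discounts = [t["discount_pct"] for t in txns]
    mu, sigma = mean(discounts), pstdev(discounts)
    if sigma == 0:
        return set()
    return {t["id"] for t in txns if (t["discount_pct"] - mu) / sigma > z}


def score_transactions(txns, cpi=CPI):
    """Attach the list of triggered indicator names and a point total to each
    transaction. One point per indicator keeps the model explainable to
    auditors; weights can be introduced once audit feedback arrives."""
    outliers = discount_outliers(txns)
    scored = []
    for t in txns:
        flags = []
        if t["id"] in outliers:
            flags.append("excessive_discount")
        if t["commission_pct"] > COMMISSION_MAX:
            flags.append("excessive_commission")
        if cpi.get(t["country"], 0) < HIGH_RISK_CPI:  # unknown country = high risk
            flags.append("high_risk_geography")
        if t["prior_findings"] > 0:
            flags.append("past_compliance_failure")
        scored.append({**t, "flags": flags, "risk_points": len(flags)})
    return scored


def rank_distributors(scored):
    """Aggregate per distributor and sort highest risk first (ties by name),
    which is the order a review queue or dashboard would present."""
    totals = defaultdict(lambda: {"txns": 0, "flagged": 0, "points": 0})
    for t in scored:
        d = totals[t["distributor"]]
        d["txns"] += 1
        d["flagged"] += 1 if t["flags"] else 0
        d["points"] += t["risk_points"]
    return sorted(totals.items(), key=lambda kv: (-kv[1]["points"], kv[0]))


if __name__ == "__main__":
    for name, agg in rank_distributors(score_transactions(TRANSACTIONS)):
        print(f"{name}: {agg['flagged']}/{agg['txns']} flagged, {agg['points']} points")
```

The outlier test is deliberately population-wide so that a distributor whose entire book is discounted unusually still stands out; a per-country or per-business-unit baseline is the natural refinement once real data shows how much pricing legitimately varies by market. Keeping the flag names on each transaction is what makes the output usable for transaction testing: an auditor can pull exactly the rows behind a distributor's score.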
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  – Reduce risk levels from 4 to 3 by removing the Medium/High Risk rating
  – 3 levels scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  – Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  – Low Risk: Initial Global Database Check (GDC). Renew/update BPQ every 3 years, with GDC performed
  – Medium Risk: Initial Open Source Investigation (OSI). Renew/update BPQ every 3 years, with OSI performed
  – High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  – Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  – Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration
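The scoring bands and renewal cadence above, together with the three due diligence tiers from slide 26 (GDC, OSI, EDD), are concrete enough to write down as a program. The block below is an added example of that, not TE's methodology or code: the CPI weight of 30, the BPQ weight of 20, the 0-49 / 50-79 / 80-100 bands and the per-level renewal rules are taken from the slides, while the remaining 50 points of weight, the factor names `government_interaction` and `contract_value`, and the sample partners are assumptions made for illustration.

```python
"""Business partner risk scoring and due diligence tiering.

Added example, not TE Connectivity's methodology. The CPI weight (30), BPQ
weight (20), the 0-49 / 50-79 / 80-100 bands and the per-level renewal rules
are from the slides; the other factors, their weights and the sample
partners are assumptions.
"""

# Factor weights; they sum to 100 so the score lands on the 0-100 scale.
WEIGHTS = {
    "cpi": 30,                     # Corruption Perception Index (slide: 40 -> 30)
    "bpq": 20,                     # Business Partner Questionnaire (slide: 10 -> 20)
    "government_interaction": 30,  # assumed factor
    "contract_value": 20,          # assumed factor
}

# Inclusive score bands from the slide.
LEVELS = [(0, 49, "Low"), (50, 79, "Medium"), (80, 100, "High")]

# Due diligence programme per level, as described on the slide.
PROGRAM = {
    "Low":    {"initial": "GDC", "renewal_years": 3, "renewal_check": "GDC", "training": False},
    "Medium": {"initial": "OSI", "renewal_years": 3, "renewal_check": "OSI", "training": False},
    "High":   {"initial": "EDD", "renewal_years": 1, "renewal_check": "OSI", "training": True,
               "edd_every_years": 6},
}

# Constructed sample partners. cpi_score is a CPI-style country score
# (100 = cleanest); the other factors are already normalised to 0..1 risk.
PARTNERS = {
    "P1": {"cpi_score": 80, "bpq": 0.2, "government_interaction": 0.1, "contract_value": 0.25},
    "P2": {"cpi_score": 50, "bpq": 0.6, "government_interaction": 0.7, "contract_value": 0.6},
    "P3": {"cpi_score": 30, "bpq": 0.9, "government_interaction": 1.0, "contract_value": 0.8},
}


def risk_factors(partner):
    """Map a partner record to 0..1 risk fractions, one per weighted factor."""
    f = dict(partner)
    f["cpi"] = (100 - f.pop("cpi_score")) / 100  # low CPI score = high risk
    return f


def risk_score(partner):
    """Weighted sum, rounded to an integer on the 0-100 scale."""
    f = risk_factors(partner)
    return round(sum(WEIGHTS[k] * f[k] for k in WEIGHTS))


def risk_level(score):
    """Band lookup; raises rather than silently defaulting on a bad score."""
    for lo, hi, name in LEVELS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} outside 0-100")


def due_diligence_plan(partner, onboarded_year, red_flags=False):
    """Initial check, next renewal, next EDD and training obligation for one
    partner. Red flags escalate to EDD or audit regardless of level."""
    score = risk_score(partner)
    level = risk_level(score)
    p = PROGRAM[level]
    return {
        "score": score,
        "level": level,
        "initial_check": p["initial"],
        "renewal_due": onboarded_year + p["renewal_years"],
        "renewal_check": p["renewal_check"],
        "annual_declaration": True,  # required for every in-scope partner
        "training": p["training"],
        "next_edd": onboarded_year + p["edd_every_years"] if "edd_every_years" in p else None,
        "escalate": red_flags,
    }


if __name__ == "__main__":
    for name, partner in PARTNERS.items():
        print(name, due_diligence_plan(partner, 2019))
```

Because the bands are inclusive integers, rounding the weighted sum before the lookup is what prevents a 49.6 from falling between "Low" and "Medium"; the `ValueError` in `risk_level` is there so a mis-weighted factor table fails loudly instead of quietly classifying every partner as Low.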
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App.
Not using the conference app? Visit iccnfio to complete your session evaluations.
Risk Assessments Organizations should take a consistent definition of ethics and compliance
risksrdquo which are existing or emerging threats to the organization (across all functional areas) related
to potential legal regulatory or policy non-compliance and unethical conduct ndash resulting in
Civil or criminal fines or penalties
Reputational brand damage
Negative financial impact
Negative operational impact
Risk Assessments Organizations should develop implement and periodically conduct a
focused ethics and compliance risk assessment designed to (1) identify (2) prioritize and (3)
assign responsibility for managing ethics and compliance risks
15
Risk Assessments and Due Diligence
1
5
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk
Codes Policies and Procedures
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs
find to be effective in the area of Codes Policies and Procedures include
Organizations should develop comprehensive codes of conduct that serve as the
centerpiece of the ethics and compliance program Codes of conduct should be
designed leading practice principles (detailed on the following slide)
Organizations should have policies and procedures regarding the creation and
maintenance of resources that serve as guidance for personnel when they need advice
about ethics and compliance
Organizations should establish compliance-related risk management controls that are
designed implemented and maintained in a consistent manner across the
organization Controls should be well-documented and technology should be leveraged
to help maximize compliance promote efficiency and reduce costs
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard
operating procedures (ldquoSOPsrdquo) on a periodic basis (eg annually) and establish new policies or SOPs when necessary
Organizations should implement procedures such that personnel will not suffer retaliation discrimination or disciplinary action for
refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs or for raising concerns on
the basis of a reasonable belief of actual or suspected noncompliance
Organizations should ensure policies are clearly articulated concise visible and accessible to all employees and those conducting
business on the companyrsquos behalf
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local
operation
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed
18
Organizations should develop codes policies and procedures in line with the following
principles
Values-based
Risk-based covering the waterfront of ethics and compliance risks
Promotes the minimum standards requirements and expectations that apply
everywhere the organization operates
Use of plain-language writing principles which include
bull utilizing short declarative sentences writing in the active voice versus the
passive voice incorporating bullet points to deliver user-friendliness and improve
reading comprehension designing pages in a way that incorporates graphics
photos and images content and white space and incorporating FAQs to further
employee understanding
bull Built on an ethical framework these documents contain guidance for employees
to help employees spot issues and resolve ethical dilemmas
bull Utilizing a branding layout and design that engages employees is easy to
navigate and is branded in a manner that is consistent with the organizations
ethics and compliance program
Codes Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1: Define Framework - Identify the audit universe and establish common risk assessment definitions.
Step 2: Initial Analysis - Perform an initial analysis of risk with input from the Company's executive/management team.
Step 3: Meeting with Management - Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors, using methodology definitions and guidance.
Step 4: Evaluate Assessment Results - Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5: Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6: Audit Committee Approval - Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
Organizations should develop and implement comprehensive due diligence, vetting and screening processes for the potential third parties (e.g., suppliers, agents, contractors, business partners, etc.) with which the organization may partner, so as to identify and manage relevant compliance risks (e.g., Bribery and Corruption, Information Security, Product Quality, etc.).
Organizations should develop and implement a comprehensive process by which a determination can be made of when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be clearly and contractually defined.
Organizations should have a set of standards and expectations (e.g., a Third Party Code of Conduct) with which suppliers are expected to comply.
Organizations should inform third parties of the organization's ethics and compliance program and its commitment to ethical and lawful business practices, and expect the same of third parties.
Organizations should ensure that third-party personnel are aware of, and comply with, the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and of the expectation to conduct business in an ethical manner.
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
Third Party Due Diligence
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows.
Due Diligence, Screening, Background Checks
Low Risk Due Diligence
1. Published penalties/convictions
2. PEP Screening and Watch list Checks
3. Negative News Searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make go/no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk Checks PLUS
2. Audit and Review Financials
3. Interview references, political and business associates
4. Field Investigative background reports using local data sources
Outcome of each review: APPROVE, APPROVE with CONTROLS, or NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring
Leveraging Analytics
Compliance Monitoring Overview
Third-party partner compliance monitoring
Engagement model around the client organization: Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing.
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations along with recommendations for enhancement
Monitoring engagement phases:
Phase 1 - Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 - Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 - Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 - Evaluation and Closing: Analyze Findings, Risks & Close Out Meeting
Phase 5 - Reporting: Critical issues, Observations and Enhancement Opportunities
Project Management Office (across all phases): Project Coordination, Education, Quality Assurance & Reporting
Business Partner Selection / Comprehensive Risk Assessment / Continuous Monitoring, Transaction Testing, Data Analytics (performed simultaneously)
1. Hundreds of business partners exist and are theoretically equal opportunities
2. Qualitative and Quantitative factors are considered to determine risk ranking
3. Review options are determined through a data-driven model and comprehensive analysis
Figure: business partners (A through J) are ranked High, Medium or Low, and the review option for each (TBD: Level 1, Level 2 or Level 3) is then determined per tier.
Case Study: TE Connectivity Ltd
TE Connectivity Ltd: Overview
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program...
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where...
  • Ethics and Compliance is central to the way business is conducted,
  • there is a positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team...
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence, renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce Risk Levels from 4 to 3 by removing the Medium/High Risk rating
  • 3 Levels Scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC). Renew/update BPQ every 3 years with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI). Renew/update BPQ every 3 years with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners; can accompany annual Declaration
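To make the Phase 4 scoring and renewal rules concrete, here is an added example (not TE's or FTI's code, and not part of the original deck) that turns a business partner's attributes into a 0-100 score, assigns the three-level tier, and works out which due-diligence, renewal and training actions fall due in a given year. The CPI (30) and BPQ (20) weights, the tier boundaries and the renewal cadence are taken from the slide; the split of the remaining 50 points, the normalisation thresholds, the extra attributes and the sample partners are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Weights on the deck's 0-100 point scale. CPI = 30 and BPQ = 20 are the values
# proposed on the slide; how the remaining 50 points are split across other
# third-party attributes the deck lists is an ASSUMPTION made for this example.
WEIGHTS = {
    "cpi": 30,             # Corruption Perception Index of operating geography
    "bpq": 20,             # red-flag answers on the Business Partner Questionnaire
    "discounts": 20,       # excessive discounts and commissions (assumed weight)
    "prior_failures": 15,  # past compliance failures (assumed weight)
    "gov_exposure": 15,    # share of revenue from government customers (assumed attribute)
}
assert sum(WEIGHTS.values()) == 100

# Tier floors from the slide: Low 0-49, Medium 50-79, High 80-100
TIER_FLOOR = (("High", 80), ("Medium", 50), ("Low", 0))

# Due-diligence cadence from the slide
INITIAL_DD = {"Low": "GDC", "Medium": "OSI", "High": "EDD"}
BPQ_RENEWAL_YEARS = {"Low": 3, "Medium": 3, "High": 1}
RENEWAL_DD = {"Low": "GDC", "Medium": "OSI", "High": "OSI"}
EDD_CYCLE_YEARS = 6  # "~6 years" for High Risk partners


@dataclass
class Partner:
    name: str
    cpi: int                  # TI CPI score: 0 = perceived most corrupt, 100 = cleanest
    bpq_red_flags: int        # red-flag answers on the BPQ
    bpq_questions: int        # total BPQ questions
    discount_pct: float       # average discount / commission granted, in percent
    prior_failures: int       # compliance failures on record
    gov_revenue_share: float  # 0.0 .. 1.0


def risk_factors(p: Partner) -> dict:
    """Normalise every attribute to 0.0 (no risk) .. 1.0 (maximum risk)."""
    return {
        "cpi": (100 - p.cpi) / 100,                        # low CPI -> high risk
        "bpq": p.bpq_red_flags / p.bpq_questions,
        "discounts": min(p.discount_pct / 50.0, 1.0),      # 50%+ saturates (assumed)
        "prior_failures": min(p.prior_failures / 2, 1.0),  # two failures saturate (assumed)
        "gov_exposure": p.gov_revenue_share,
    }


def risk_score(p: Partner) -> int:
    """Weighted sum of the normalised factors, rounded to whole points."""
    f = risk_factors(p)
    return round(sum(WEIGHTS[k] * f[k] for k in WEIGHTS))


def risk_tier(score: int) -> str:
    for tier, floor in TIER_FLOOR:
        if score >= floor:
            return tier
    raise ValueError("score must be between 0 and 100")


def _full_years(start: date, end: date) -> int:
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years


def actions_due(tier: str, onboarded: str, as_of: str, red_flag: bool = False) -> list:
    """Actions due in the current cycle; dates are ISO strings (YYYY-MM-DD)."""
    years = _full_years(date.fromisoformat(onboarded), date.fromisoformat(as_of))
    actions = ["Annual ABAC declaration"]  # every in-scope active partner
    if years == 0:
        actions.append(f"Initial {INITIAL_DD[tier]}")
    elif years % BPQ_RENEWAL_YEARS[tier] == 0:
        actions.append(f"Renew BPQ + {RENEWAL_DD[tier]}")
    if tier == "High":
        actions.append("Annual online ABAC training")
        if years > 0 and years % EDD_CYCLE_YEARS == 0:
            actions.append("EDD refresh")
    if red_flag:
        actions.append("Escalate: further EDD or audit")
    return actions


# Constructed sample partners for this example (not real TE data)
SAMPLE = [
    Partner("Alpha Distribution", cpi=40, bpq_red_flags=3, bpq_questions=10,
            discount_pct=30, prior_failures=1, gov_revenue_share=0.5),
    Partner("Beta Components", cpi=80, bpq_red_flags=0, bpq_questions=10,
            discount_pct=10, prior_failures=0, gov_revenue_share=0.0),
    Partner("Gamma Agency", cpi=20, bpq_red_flags=8, bpq_questions=10,
            discount_pct=45, prior_failures=2, gov_revenue_share=1.0),
]

if __name__ == "__main__":
    for p in SAMPLE:
        s = risk_score(p)
        t = risk_tier(s)
        print(f"{p.name:20} score={s:3} tier={t:6} "
              f"due={actions_due(t, '2016-07-01', '2019-07-09')}")
```

Keeping the tier floors and the cadence tables as plain data separate from the scoring arithmetic is deliberate: re-weighting (the CPI 40 to 30, BPQ 10 to 20 change on the slide) touches only WEIGHTS, while the renewal policy an auditor needs to read stays in one place.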
Questions and Discussion
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App.
Not using the conference app? Visit iccnfio to complete your session evaluations.
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
Learning Objectives
8
Learning Objectives
The learning objectives associated with this presentation and case study are to:
Explore a framework for effectively designed anti-bribery and anti-corruption programs
Showcase the third-party risk management component as part of that framework
Discuss leading practices to extend risk-management strategies to third parties throughout the full lifecycle of third-party relationships
Examine the importance of internal business “buy in” and how to leverage technology in managing third-party bribery and corruption risk
Effective Anti-bribery Anti-Corruption Programs – Overview
10
Anti-bribery Anti-corruption Programs Overview
An anti-bribery/anti-corruption program is one part of an enterprise-wide framework of people, programs, policies, systems and controls designed to prevent, detect and respond to instances of legal and policy violations and ethical misconduct.
Ethics and compliance program framework
• Culture of ethics and compliance
• Governance and oversight
• Documentation
Prevent:
• Risk assessments and due diligence
• Standards, policies and procedures
• Training and communications
• Third-party compliance
• Process-level controls
• Data analytics
Detect:
• Employee reporting systems (including hotlines/helplines)
• Testing and monitoring
• Data analytics
Respond:
• Case management and investigations
• Enforcement and accountability
• Incentives and discipline
• Remediation plans
11
Anti-Bribery Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide cross-functional and cross-geographic approach to preventing
detecting and responding to instances of legal and policy violations and ethical misconduct The framework is predicated on key regulatory
requirements guiding frameworks agency guidance and other leading practices that organizations with mature ethics and compliance
programs generally find to be effective Examples of drivers that influence the framework are as follows
Program Drivers
• Foreign Corrupt Practices Act (and related guidance) – 1977
• Defense Industry Initiative on Ethics and Business Conduct – 1985
• US Federal Sentencing Guidelines for Organizational Defendants – 1991
• COSO Internal Control Framework – 1992
• In re Caremark decision – 1996
• Department of Justice Enforcement Guidance (Holder Memo) – 1999
• USA PATRIOT Act – 2001
• Sarbanes-Oxley Act – 2002
• Office of Inspector General Guidance – 2003
• Revised Federal Sentencing Guidelines for Organizational Defendants – 2004
• Dodd-Frank Act – 2010
• Revised COSO Framework – 2013
• ISO 37001 – Anti-bribery management systems: requirements with guidance for use – 2016
• Ethics and Compliance Initiative – High-quality Ethics and Compliance Program Measurement Framework – 2018
• Department of Justice Guidance on the Evaluation of Corporate Compliance Programs – 2019
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM “DRIVERS” AND RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (e.g., Department of Justice guidance, Office of Inspector General guidance) and other drivers as well (e.g., US Federal Sentencing Guidelines, Foreign Corrupt Practices Act, ISO 37001).
The framework incorporates and organizes a wide variety of programmatic requirements, guidance and expectations into a holistic, meaningful model. The framework rationalizes and summarizes these drivers in a proprietary manner.
ISO 37001:2016
Where the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system.
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system.
Federal Sentencing Guidelines
The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
DOJ/SEC Guidance
Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.
OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery, including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or of supervisory boards, is the duty of one or more senior corporate officers, with an adequate level of autonomy from management, resources and authority.
Governance and Oversight
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization’s ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization’s ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program-related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g., for anti-bribery and anti-corruption) across the functions, geographies and business units who are responsible for working collaboratively with the organization’s head of compliance and centralized compliance function to support the organization’s ethics and compliance activities and to implement the organization’s anti-bribery and anti-corruption framework in a consistent manner.
Anti-Bribery Anti-Corruption Compliance Program Framework
Risk Assessments and
Due Diligence
14
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
Risk Assessments: Organizations should adopt a consistent definition of “ethics and compliance risks,” which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
Civil or criminal fines or penalties
Reputational/brand damage
Negative financial impact
Negative operational impact
Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g., enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows, or should have known, has engaged in illegal activities.
Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company’s compliance program, employee training, third party relationships, etc.
Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization’s standards and, as necessary, conducting audits of new business units.
15
Risk Assessments and Due Diligence
(Figure: an example risk assessment heat map displaying residual ethics and compliance risk.)
Codes Policies and Procedures
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed around leading-practice principles (detailed on the following slide).
Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures (“SOPs”) on a periodic basis (e.g., annually) and establish new policies or SOPs when necessary.
Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with the ethics and compliance program, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and to those conducting business on the company’s behalf.
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
18
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Uses plain-language writing principles, which include: short, declarative sentences; the active voice rather than the passive voice; bullet points to deliver user-friendliness and improve reading comprehension; page designs that incorporate graphics, photos and images, content and white space; and FAQs to further employee understanding
• Built on an ethical framework, with guidance that helps employees spot issues and resolve ethical dilemmas
• Uses a branding, layout and design that engages employees, is easy to navigate and is consistent with the organization’s ethics and compliance program
Codes Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
Organizations should conduct internal audits with regard to key aspects of the organization’s compliance program. Specific areas of potential audit include:
General program audit: Audit to confirm that the compliance program contains the essential programmatic elements outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria.
Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and that top risks have associated action plans and “owners”.
Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically.
Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically, with accurate version control.
Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited, and (2) employees invited to complete training programs actually completed those programs.
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth in the organization’s own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
21
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1 – Define Framework: Identify the audit universe and establish common risk assessment definitions.
Step 2 – Initial Analysis: Perform an initial analysis of risk with input from the Company’s executive management team.
Step 3 – Meeting with Management: Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors, using methodology definitions and guidance.
Step 4 – Evaluate Assessment Results: Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5 – Design Internal Audit Plan: Design a proposed go-forward internal audit plan that correlates effort and internal audit frequency with the assessment results, based on the severity of perceived risk.
Step 6 – Audit Committee Approval: Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g., suppliers, agents, contractors, business partners) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g., bribery and corruption, information security, product quality).
Organizations should develop and implement a comprehensive process by which a determination can be made of when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party’s role and access to organizational information should be contractually and clearly defined.
Organizations should have a set of standards and expectations (e.g., a Third Party Code of Conduct) with which suppliers are expected to comply.
Organizations should inform third parties of the organization’s ethics and compliance program and its commitment to ethical and lawful business practices, and expect the same of third parties.
Organizations should ensure that third-party personnel are aware of and comply with the company’s ethics and compliance programs and the company’s commitment to ethical and lawful business practices.
Organizations should take steps to confirm that agents and business partners have been apprised of the organization’s policies and procedures and of the expectation to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows.
Third Party Due Diligence
26
Due Diligence Screening / Background Checks
Low Risk Due Diligence
1. Published penalties/convictions
2. PEP screening and watch-list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks, PLUS
2. Collect supporting documentation
3. Open source investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make a go/no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks, PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Outcomes: APPROVE / APPROVE with CONTROLS / NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
(Service model diagram: the organization at the centre; a local response team and single point of contact; global reach with subject matter expertise; a committed business advisor; high-quality services at cost-efficient pricing.)
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization’s requirements
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations, along with recommendations for enhancement
Phase 1 – Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 – Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 – Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 – Evaluation and Closing: Analyze Findings/Risks & Close-Out Meeting
Phase 5 – Reporting: Critical Issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
29
1. Hundreds of business partners exist and, until ranked, are theoretically equal opportunities for review.
2. Qualitative and quantitative factors are considered to determine risk ranking.
3. Review options are determined through a data-driven model and comprehensive analysis.
(Diagram: business partners A–J are sorted into High, Medium and Low risk tiers; review options TBD – Level 1, Level 2, Level 3; labelled “Performed Simultaneously”.)
Business Partner Selection | Comprehensive Risk Assessment | Continuous Monitoring: Transaction Testing, Data Analytics
Case Study – TE Connectivity Ltd
TE Connectivity Ltd – Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE’s ABAC Program…
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program “peering” or “leading”
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted,
  • there is a positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE’s Board and Executive Team…
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
35
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE’s network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization’s internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
ABAC Third Party Risk Management Analytics (Phase 3)
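The slide names the goal (risk indicators computed over distributor transaction data) but not the logic. The following is an added example, not TE Connectivity's or FTI's analytics, showing one way a single indicator from the earlier third-party-attributes slide, "excessive discounts and commissions", can be scored over 100% of a transaction population rather than a sample: each transaction's discount is compared with its distributor's regional peer group using a median/MAD robust z-score, so a handful of extreme discounts cannot inflate the baseline they are measured against. The transactions are constructed, and the 3.5 cut-off and the use of region as the peer group are assumptions.

```python
"""Excessive-discount indicator over a full transaction population.

Added example; not TE Connectivity's or FTI's analytics code. One risk
indicator ("excessive discounts and commissions") is scored for every
transaction against its distributor's regional peer group with a
median/MAD robust z-score. Transactions are constructed; the 3.5 cut-off
and region-as-peer-group are assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# (transaction id, distributor, region, list price, net price) -- constructed sample
TRANSACTIONS: List[Tuple[str, str, str, float, float]] = [
    ("T001", "Dist-A", "EMEA", 1000.0, 900.0),
    ("T002", "Dist-A", "EMEA", 2000.0, 1780.0),
    ("T003", "Dist-B", "EMEA", 1500.0, 1365.0),
    ("T004", "Dist-B", "EMEA", 800.0, 720.0),
    ("T005", "Dist-C", "EMEA", 1000.0, 900.0),
    ("T006", "Dist-C", "EMEA", 1000.0, 550.0),   # 45% off: far outside peers
    ("T007", "Dist-C", "EMEA", 1000.0, 580.0),   # 42% off
    ("T008", "Dist-A", "EMEA", 1000.0, 880.0),
    ("T009", "Dist-B", "EMEA", 2000.0, 1810.0),
    ("T010", "Dist-D", "APAC", 1000.0, 850.0),
    ("T011", "Dist-D", "APAC", 1000.0, 840.0),
    ("T012", "Dist-E", "APAC", 1000.0, 860.0),
    ("T013", "Dist-E", "APAC", 500.0, 425.0),
    ("T014", "Dist-F", "APAC", 1000.0, 850.0),
    ("T015", "Dist-F", "APAC", 1000.0, 600.0),   # 40% off
]

ROBUST_Z_CUTOFF = 3.5  # assumption: common rule of thumb for MAD-based scores


def discount_rate(list_price: float, net_price: float) -> float:
    """Fraction of list price given away; rejects nonsensical prices."""
    if list_price <= 0 or net_price < 0 or net_price > list_price:
        raise ValueError("list price must be positive and net price within [0, list]")
    return (list_price - net_price) / list_price


def robust_z(values: List[float]) -> List[float]:
    """Median/MAD z-scores: one wild value cannot drag the baseline as mean/stdev would."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # no dispersion in the peer group; nothing can be called an outlier
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_excessive_discounts(transactions, cutoff: float = ROBUST_Z_CUTOFF) -> List[Dict]:
    """Score every transaction within its region and return outliers, highest z first."""
    by_region: Dict[str, list] = defaultdict(list)
    for tx in transactions:
        by_region[tx[2]].append(tx)
    flagged: List[Dict] = []
    for region, txs in by_region.items():
        rates = [discount_rate(t[3], t[4]) for t in txs]
        for t, rate, z in zip(txs, rates, robust_z(rates)):
            if z > cutoff:
                flagged.append({"txn": t[0], "distributor": t[1], "region": region,
                                "discount": round(rate, 3), "z": round(z, 2)})
    return sorted(flagged, key=lambda f: -f["z"])


def rank_distributors(flagged: List[Dict]) -> List[Tuple[str, int]]:
    """Distributors ordered by number of flagged transactions (ties broken by name)."""
    counts: Dict[str, int] = defaultdict(int)
    for f in flagged:
        counts[f["distributor"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = flag_excessive_discounts(TRANSACTIONS)
    for h in hits:
        print(h)
    print(rank_distributors(hits))
```

Only deeply discounted transactions exceed the cut-off; a distributor whose discounts are merely at the high end of its region (T008, T011) is not flagged, which is the point of measuring dispersion with the MAD instead of the standard deviation. The ranked output is the kind of list that would feed the dashboards and the internal audit sampling described on the slide.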
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High risk rating
  • 3-level scoring: Low Risk (0–49 points), Medium Risk (50–79 points) and High Risk (80–100 points)
  • Proposed adjustments to the current risk scoring methodology: assign lower weight to the Corruption Perception Index (from 40 to 30); assign higher weight to responses on the Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC); renew/update BPQ every 3 years with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI); renew/update BPQ every 3 years with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD); renew BPQ annually, OSI performed upon renewal, except EDD conducted every ~6 years. “Red flags” may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners – can accompany the annual Declaration
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
Learning Objectives
The learning objectives associated with this presentation and case study are to:
• Explore a framework for effectively designed anti-bribery and anti-corruption programs
• Showcase the third-party risk management component as part of that framework
• Discuss leading practices to extend risk-management strategies to third parties throughout the full lifecycle of third-party relationships
• Examine the importance of internal business "buy-in" and how to leverage technology in managing third-party bribery and corruption risk
Effective Anti-bribery / Anti-Corruption Programs – Overview
Anti-bribery / Anti-corruption Programs Overview
An anti-bribery / anti-corruption program is one part of an enterprise-wide framework of people, programs, policies, systems and controls designed to prevent, detect and respond to instances of legal and policy violations and ethical misconduct.
Ethics and compliance program framework
• Culture of ethics and compliance
• Governance and oversight
• Documentation
Prevent
• Risk assessments and due diligence
• Standards, policies and procedures
• Training and communications
• Third-party compliance
• Process-level controls
• Data analytics
Detect
• Employee reporting systems (including hotlines / helplines)
• Testing and monitoring
• Data analytics
Respond
• Case management and investigations
• Enforcement and accountability
• Incentives and discipline
• Remediation plans
Anti-Bribery / Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide, cross-functional and cross-geographic approach to preventing, detecting and responding to instances of legal and policy violations and ethical misconduct. The framework is predicated on key regulatory requirements, guiding frameworks, agency guidance and other leading practices that organizations with mature ethics and compliance programs generally find to be effective. Examples of drivers that influence the framework are as follows.
Program Drivers
• Foreign Corrupt Practices Act (and related guidance) – 1977
• Defense Industry Initiative on Ethics and Business Conduct – 1985
• US Federal Sentencing Guidelines for Organizational Defendants – 1991
• COSO Internal Control Framework – 1992
• In Re Caremark Decision – 1996
• Department of Justice Enforcement Guidance (Holder Memo) – 1999
• US Patriot Act – 2001
• Sarbanes-Oxley Act – 2002
• Office of Inspector General Guidance – 2003
• Revised Federal Sentencing Guidelines for Organizational Defendants – 2004
• Dodd-Frank Act – 2010
• Revised COSO Framework – 2013
• ISO 37001 – Anti-bribery management systems: requirements with guidance for use – 2016
• Ethics and Compliance Initiative – High-quality Ethics and Compliance Program Measurement Framework – 2018
• Department of Justice Guidance on the Evaluation of Corporate Compliance Programs – 2019
EXAMPLES OF ABAC COMPLIANCE PROGRAM "DRIVERS" / RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (e.g., Department of Justice Guidance, Office of Inspector General Guidance) and other drivers as well (e.g., US Federal Sentencing Guidelines, Foreign Corrupt Practices Act, ISO 37001). The framework incorporates and organizes a wide variety of programmatic requirements, guidance and expectations into a holistic, meaningful model. The framework rationalizes and summarizes these drivers in a proprietary manner.
ISO 37001:2016
Where the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system.
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system.
Federal Sentencing Guidelines
The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individuals within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
DOJ / SEC Guidance
Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.
OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery, including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or of supervisory boards, is the duty of one or more senior corporate officers with an adequate level of autonomy from management, resources and authority.
Governance and Oversight
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization's ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization's ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g., anti-bribery and anti-corruption, etc.) across the functions, geographies and business units who are responsible for working collaboratively with the organization's head of compliance and centralized compliance function to support the organization's ethics and compliance activities and to implement the organization's anti-bribery and anti-corruption framework in a consistent manner.
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks", which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
• Civil or criminal fines or penalties
• Reputational / brand damage
• Negative financial impact
• Negative operational impact
Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g., enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows or should have known has engaged in illegal activities.
Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third-party relationships, etc.
Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk.
Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
• Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed around leading-practice principles (detailed on the following slide).
• Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
• Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
• Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g., annually) and establish new policies or SOPs when necessary.
• Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
• Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
• Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
• Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include utilizing short, declarative sentences; writing in the active voice versus the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework, these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
• Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
  • General program audit: Audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria.
  • Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners".
  • Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically.
  • Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically with accurate version control.
  • Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited, and (2) employees invited to complete training programs actually completed those programs.
• Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
• Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1 – Define Framework: Identify the audit universe and establish common risk assessment definitions.
Step 2 – Initial Analysis: Perform an initial analysis of risk with input from the Company's executive / management team.
Step 3 – Meeting with Management: Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance.
Step 4 – Evaluate Assessment Results: Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5 – Design Internal Audit Plan: Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6 – Audit Committee Approval: Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
• Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g., suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g., bribery and corruption, information security, product quality, etc.).
• Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
• Organizations should have a set of standards and expectations (e.g., a Third Party Code of Conduct) with which suppliers are expected to comply.
• Organizations should inform third parties of the organization's ethics and compliance program and its commitment to ethical and lawful business practices, and expect the same of third parties.
• Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
• Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
Third Party Risk Management Leading Practices
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import / export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Due Diligence Screening / Background Checks
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees / owners
4. Results reviewed by compliance personnel to make a go / no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Decision outcomes: APPROVE; APPROVE with CONTROLS; NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring Leveraging Analytics
Compliance Monitoring Overview
Third-party partner compliance monitoring
[Figure: engagement model around the Organization – Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing.]
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2. Innovative approaches use anti-bribery / anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations, along with recommendations for enhancement
Phase 1 – Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 – Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 – Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 – Evaluation and Closing: Analyze Findings / Risks & Close Out Meeting
Phase 5 – Reporting: Critical Issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
Business Partner Selection / Comprehensive Risk Assessment
1. Hundreds of business partners exist and are theoretically equal opportunities
2. Qualitative and quantitative factors are considered to determine risk ranking
3. Review options are determined through a data-driven model and comprehensive analysis
[Figure: business partners A–J ranked High / Medium / Low and assigned to review options (Level 1, Level 2, Level 3 – TBD), with Continuous Monitoring, Transaction Testing and Data Analytics performed simultaneously.]
Case Study – TE Connectivity Ltd.
TE Connectivity Ltd. – Overview
TE Connectivity Ltd. is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ / SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect / analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
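The deck shows the Phase 3 analytics only as dashboards. The Python below is an added example, not TE's or FTI's code, of the indicator logic such a model needs underneath: it takes a constructed set of distributor transactions, tests two of the third-party attributes listed earlier (excessive discounts and commissions, and high-risk operating geographies), and ranks distributors by the number of indicators they trip so that audit effort can be pointed at the few that matter. The outlier test (a median/MAD modified z-score with the conventional 3.5 cutoff), the CPI-below-50 geography rule and every data value are assumptions made for this example.

```python
"""Bribery-risk indicator analytics over distributor transactions (added example).

Assumptions, none of which come from the deck: the indicator definitions, the
modified z-score outlier test with its 3.5 cutoff, the CPI < 50 geography rule,
and all sample values below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    distributor: str
    country: str            # constructed country code, not a real ISO code
    business_unit: str
    list_price: float
    net_price: float
    commission_pct: float   # commission paid to the distributor, percent of net


# Constructed sample data: distributor D3 gets one unusually deep discount and
# commission on a deal in a low-CPI country; D1 and D4 operate in a clean one.
TRANSACTIONS = [
    Transaction("T1", "D1", "A", "ADM", 1000.0, 900.0, 5.0),
    Transaction("T2", "D1", "A", "ADM", 2000.0, 1780.0, 5.0),
    Transaction("T3", "D2", "B", "ADM", 1000.0, 880.0, 6.0),
    Transaction("T4", "D2", "B", "ADM", 1500.0, 1320.0, 6.0),
    Transaction("T5", "D3", "C", "IND", 1000.0, 600.0, 15.0),
    Transaction("T6", "D3", "C", "IND", 1200.0, 1020.0, 7.0),
    Transaction("T7", "D4", "A", "IND", 1000.0, 910.0, 4.0),
    Transaction("T8", "D4", "A", "IND", 800.0, 712.0, 5.0),
]

# Constructed Corruption Perception Index values (0 = most corrupt, 100 = cleanest).
CPI_BY_COUNTRY = {"A": 80, "B": 35, "C": 28}

HIGH_RISK_CPI = 50      # assumption: geographies below this score are flagged
OUTLIER_CUTOFF = 3.5    # conventional modified z-score cutoff


def discount_rate(tx: Transaction) -> float:
    """Share of list price given away as discount."""
    return (tx.list_price - tx.net_price) / tx.list_price


def modified_z_scores(values):
    """Median/MAD based z-scores, robust to the very outliers we look for.
    Returns all zeros when MAD is 0 (no dispersion, so nothing is an outlier)."""
    values = list(values)
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return [0.0 for _ in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_transactions(transactions=TRANSACTIONS, cpi=CPI_BY_COUNTRY):
    """Return {tx_id: [indicator names]} for every transaction tripping an indicator."""
    disc_z = modified_z_scores(discount_rate(t) for t in transactions)
    comm_z = modified_z_scores(t.commission_pct for t in transactions)
    flags = {}
    for tx, dz, cz in zip(transactions, disc_z, comm_z):
        hits = []
        if dz > OUTLIER_CUTOFF:
            hits.append("excessive_discount")
        if cz > OUTLIER_CUTOFF:
            hits.append("excessive_commission")
        # An unknown country has no CPI and is treated as high risk, not ignored.
        if cpi.get(tx.country, 0) < HIGH_RISK_CPI:
            hits.append("high_risk_geography")
        if hits:
            flags[tx.tx_id] = hits
    return flags


def rank_distributors(transactions=TRANSACTIONS, cpi=CPI_BY_COUNTRY):
    """Rank distributors by total indicator hits (most first, ties by name)."""
    flags = flag_transactions(transactions, cpi)
    per_dist = defaultdict(int)
    for tx in transactions:
        per_dist[tx.distributor] += len(flags.get(tx.tx_id, []))
    return sorted(per_dist.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for tx_id, hits in flag_transactions().items():
        print(tx_id, ", ".join(hits))
    for dist, n in rank_distributors():
        print(f"{dist}: {n} indicator hit(s)")
```

Using the median and MAD rather than mean and standard deviation matters here: a single 40% discount would inflate a standard deviation enough to hide itself, whereas the robust statistics leave it standing out at a z-score near 19. In a real engagement the same structure is kept, but the indicator list is the one agreed with the business and the thresholds are tuned against internal audit feedback, as the slide describes.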
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium / High risk rating
  • 3-level scoring: Low Risk (0–49 points), Medium Risk (50–79 points) and High Risk (80–100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC). Renew / update BPQ every 3 years with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI). Renew / update BPQ every 3 years with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope, active Business Partner
  • Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration
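To make the Phase 4 methodology concrete, and to tie it back to the tiered due diligence slide earlier, here is an added example in Python (not TE's scoring model or code). It carries the three tiers and their point bands, the proposed weight change for the Corruption Perception Index (40 to 30) and the Business Partner Questionnaire (10 to 20), and the per-tier renewal cadence straight from the slide, and shows which partners would change tier under the new weights. How each factor converts to points, the 50 points left over for "other factors", and the sample partners are assumptions made for this example.

```python
"""Business partner risk scoring and due-diligence cadence (added example).

From the Phase 4 slide: three tiers (Low 0-49, Medium 50-79, High 80-100),
CPI weight 40 -> 30, BPQ weight 10 -> 20, and the renewal cadence per tier.
Assumptions for this example: how CPI and BPQ map to points, the 50 points
reserved for other factors, and every sample partner below.
"""
from dataclasses import dataclass, field
from enum import Enum

OLD_WEIGHTS = {"cpi": 40, "bpq": 10, "other": 50}   # current methodology
NEW_WEIGHTS = {"cpi": 30, "bpq": 20, "other": 50}   # proposed adjustment


class Tier(str, Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


@dataclass
class BusinessPartner:
    name: str
    country_cpi: int            # CPI of operating country, 0 (worst) to 100
    bpq_adverse_ratio: float    # share of BPQ answers flagged adverse, 0..1
    other_points: float         # remaining factors, already scored 0..50 (assumption)
    red_flags: list = field(default_factory=list)


# Constructed sample partners. BP-3 is scored just above 80 under the old
# weights and just below under the new ones, and carries a red flag.
PARTNERS = [
    BusinessPartner("BP-1", country_cpi=80, bpq_adverse_ratio=0.0, other_points=10),
    BusinessPartner("BP-2", country_cpi=36, bpq_adverse_ratio=0.5, other_points=30),
    BusinessPartner("BP-3", country_cpi=12, bpq_adverse_ratio=0.3, other_points=42,
                    red_flags=["adverse media hit (constructed)"]),
    BusinessPartner("BP-4", country_cpi=20, bpq_adverse_ratio=0.9, other_points=45),
]


def risk_score(bp: BusinessPartner, weights=NEW_WEIGHTS) -> int:
    """Weighted 0-100 score: a lower CPI (more perceived corruption) and more
    adverse BPQ answers add points; other factors are capped at their weight."""
    cpi_points = (100 - bp.country_cpi) / 100 * weights["cpi"]
    bpq_points = bp.bpq_adverse_ratio * weights["bpq"]
    other = min(max(bp.other_points, 0.0), weights["other"])
    return int(round(min(cpi_points + bpq_points + other, 100)))


def tier_for(score: int) -> Tier:
    """Point bands from the slide."""
    if score >= 80:
        return Tier.HIGH
    if score >= 50:
        return Tier.MEDIUM
    return Tier.LOW


# Initial check, BPQ renewal interval, check performed at renewal, EDD cycle.
CADENCE = {
    Tier.LOW:    dict(initial="GDC", bpq_renewal_years=3, renewal_check="GDC", edd_cycle_years=None),
    Tier.MEDIUM: dict(initial="OSI", bpq_renewal_years=3, renewal_check="OSI", edd_cycle_years=None),
    Tier.HIGH:   dict(initial="EDD", bpq_renewal_years=1, renewal_check="OSI", edd_cycle_years=6),
}


def due_diligence_plan(bp: BusinessPartner, weights=NEW_WEIGHTS) -> dict:
    """Map a partner to the obligations the slide assigns to its tier."""
    score = risk_score(bp, weights)
    tier = tier_for(score)
    return {
        "partner": bp.name,
        "score": score,
        "tier": tier.value,
        **CADENCE[tier],
        "annual_declaration": True,               # every in-scope active partner
        "annual_training": tier is Tier.HIGH,     # High Risk partners only
        "escalate_to_edd_or_audit": bool(bp.red_flags),
    }


def tier_changes(partners, old=OLD_WEIGHTS, new=NEW_WEIGHTS):
    """(name, old tier, new tier) for partners the re-weighting moves."""
    changes = []
    for bp in partners:
        before, after = tier_for(risk_score(bp, old)), tier_for(risk_score(bp, new))
        if before is not after:
            changes.append((bp.name, before.value, after.value))
    return changes


if __name__ == "__main__":
    for bp in PARTNERS:
        print(due_diligence_plan(bp))
    print("tier changes under proposed weights:", tier_changes(PARTNERS))
```

Running `tier_changes` before adopting new weights is the check a compliance team wants: it lists every partner whose due diligence cadence would relax (here BP-3 drops from High to Medium, so its BPQ renewal would move from annual to every 3 years), so those cases can be reviewed deliberately rather than discovered later. Note that a red flag routes to EDD or audit regardless of tier, so the lower score does not by itself close the file on BP-3.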
Questions and Discussion
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App. Not using the conference app? Visit iccnf.io to complete your session evaluations.
Effective Anti-bribery Anti-Corruption
Programs ndash Overview
10
Anti-bribery Anti-corruption Programs Overview
An anti-bribery anti-corruption program is one part of an enterprise-wide
framework of people programs policies systems and controls
designed to prevent detect and respond to instances of legal and policy
violations and ethical misconduct
Ethics and compliance program framework
bull Culture of ethics and compliance
bull Governance and oversight
bull Documentation
Prevent Detect Respond
bull Risk assessments and due
diligence
bull Standards policies and procedures
bull Training and communications
bull Third-party compliance
bull Process-level controls
bull Data analytics
bull Employee reporting systems
(including hotlines helplines)
bull Testing and monitoring
bull Data analytics
bull Case management and
investigations
bull Enforcement and accountability
bull Incentives and discipline
bull Remediation plans
11
Anti-Bribery Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide cross-functional and cross-geographic approach to preventing
detecting and responding to instances of legal and policy violations and ethical misconduct The framework is predicated on key regulatory
requirements guiding frameworks agency guidance and other leading practices that organizations with mature ethics and compliance
programs generally find to be effective Examples of drivers that influence the framework are as follows
Program Drivers
bull Foreign Corrupt Practices Act (and related guidance) - 1977
bull Defense Industry Initiative on Ethics and Business Conduct ndash 1985
bull US Federal Sentencing Guidelines for Organizational Defendants ndash 1991
bull COSO Internal Control Framework ndash 1992
bull In Re Caremark Decision ndash 1996
bull Department of Justice Enforcement Guidance (Holder Memo) ndash 1999
bull US Patriot Act ndash 2001
bull Sarbanes-Oxley Act ndash 2002
bull Office of Inspector General Guidance ndash 2003
bull Revised Federal Sentencing Guidelines for Organizational Defendants ndash 2004
bull Dodd-Frank Act ndash 2010
bull Revised COSO Framework ndash 2013
bull ISO 37001 ndash Anti-bribery management systems requirements with guidance for
use ndash 2016
bull Ethics and Compliance Initiative ndash High-quality Ethics and Compliance Program
Measurement Framework ndash 2018
bull Department of Justice Guidance on the Evaluation of Corporate Compliance
Programs ndash 2019
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM ldquoDRIVERSrdquo RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (e.g., Department of Justice Guidance, Office of Inspector General Guidance) and other drivers as well (e.g., U.S. Federal Sentencing Guidelines, Foreign Corrupt Practices Act, ISO 37001). The framework incorporates and organizes a wide variety of programmatic requirements, guidance and expectations into a holistic, meaningful model. The framework rationalizes and summarizes these drivers in a proprietary manner.

ISO 37001:2016
Where the organization has a governing body, that body shall demonstrate leadership and commitment with respect to the anti-bribery management system.
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system.

Federal Sentencing Guidelines
The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individuals within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

DOJ / SEC Guidance
Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.

OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery, including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or of supervisory boards, is the duty of one or more senior corporate officers with an adequate level of autonomy from management, resources and authority.

Governance and Oversight
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization's ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization's ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g., anti-bribery and anti-corruption, etc.) across the functions, geographies and business units who are responsible for working collaboratively with the organization's head of compliance and centralized compliance function to support the organization's ethics and compliance activities and to implement the organization's anti-bribery and anti-corruption framework in a consistent manner.
Anti-Bribery / Anti-Corruption Compliance Program Framework
Risk Assessments and Due Diligence
14
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:

Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks," which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
• Civil or criminal fines or penalties
• Reputational or brand damage
• Negative financial impact
• Negative operational impact

Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.

Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.

Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g., enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to maximize efficiencies.

Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows or should have known has engaged in illegal activities.

Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third party relationships, etc.

Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.
15
Risk Assessments and Due Diligence
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk.
Codes, Policies and Procedures
17
Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:

Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed in line with leading practice principles (detailed on the following slide).

Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.

Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.

Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g., annually) and establish new policies or SOPs when necessary.

Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.

Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.

Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.

Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
18
Codes, Policies and Procedures
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include utilizing short, declarative sentences; writing in the active voice rather than the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework: these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:

Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
• General program audit: Audit to confirm that the compliance program contains essential programmatic elements as outlined in the U.S. Federal Sentencing Guidelines, key regulations and other evaluative criteria.
• Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners."
• Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically.
• Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically, with accurate version control.
• Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited and (2) employees invited to complete training programs actually completed those programs.

Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.

Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
21
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1, Define Framework: Identify the audit universe and establish common risk assessment definitions.
Step 2, Initial Analysis: Perform an initial analysis of risk with input from the Company's executive management team.
Step 3, Meeting with Management: Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors, using methodology definitions and guidance.
Step 4, Evaluate Assessment Results: Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5, Design Internal Audit Plan: Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6, Audit Committee Approval: Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:

Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g., suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g., Bribery and Corruption, Information Security, Product Quality, etc.).

Organizations should develop and implement a comprehensive process by which a determination can be made of when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.

Organizations should have a set of standards and expectations (e.g., a Third Party Code of Conduct) with which suppliers are expected to comply.

Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.

Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.

Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices:
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization

Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
Third Party Due Diligence
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import / export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows.
26
Due Diligence Screening / Background Checks
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks, PLUS
2. Collect supporting documentation
3. Open source investigation by a due diligence provider on both the organization and key employees / owners
4. Results reviewed by compliance personnel to make a go / no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks, PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Outcome of each review: APPROVE, APPROVE with CONTROLS, or NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring Leveraging Analytics
28
Compliance Monitoring Overview
Third-party / partner compliance monitoring
Service model graphic: the organization is supported by a local response team and single point of contact, global reach with subject matter expertise, a committed business advisor, and high-quality services at cost-efficient pricing.
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements.
2. Innovative approaches use anti-bribery / anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization.
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality.
4. Full results reporting of identified risks and observations, along with recommendations for enhancement.

Engagement phases:
Phase 1, Audit Initiation: Planning, education, kick-off meeting.
Phase 2, Pre-fieldwork Scoping: Operational assessment and third party intelligence check.
Phase 3, Fieldwork: Sampling, interviewing and transaction testing.
Phase 4, Evaluation and Closing: Analyze findings and risks; close-out meeting.
Phase 5, Reporting: Critical issues, observations and enhancement opportunities.
Project Management Office (across all phases): Project coordination, education, quality assurance and reporting.
29
Business Partner Selection / Comprehensive Risk Assessment
1. Hundreds of business partners exist and are theoretically equal opportunities.
2. Qualitative and quantitative factors are considered to determine risk ranking (High / Medium / Low).
3. Review options are determined through a data-driven model and comprehensive analysis (Level 1, Level 2, Level 3; review options to be determined).
Continuous Monitoring / Transaction Testing / Data Analytics (performed simultaneously)
Case Study - TE Connectivity Ltd.
TE Connectivity Ltd. - Overview
32
TE Connectivity Ltd. - Overview
TE Connectivity Ltd. is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program...
  • Generally aligns with current standards (FCPA, UK Bribery Act, U.S. Federal Sentencing Guidelines, DOJ / SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where...
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team...
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect / analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals and training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
35
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium / High Risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to the Corruption Perception Index (from 40 to 30); assign higher weight to responses on the Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency and Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC). Renew / update BPQ every 3 years, with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI). Renew / update BPQ every 3 years, with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners; can accompany the annual Declaration
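The three-level scoring, the proposed CPI/BPQ re-weighting and the GDC/OSI/EDD renewal cadence from the Phase 4 slide can be made concrete in code. This is an added example, not TE Connectivity's or FTI Consulting's implementation: the 50 points of weight the slide does not attribute go to a placeholder "other" component, the CPI is used as its complement, and the BPQ-derived risk value and the sample partners are constructed.

```python
"""Business Partner (BP) risk scoring and due-diligence cadence.

Added example for the Phase 4 enhancements; not TE Connectivity's or FTI's
code. Only the tier thresholds, the CPI/BPQ weight change, the GDC/OSI/EDD
cadence and the annual declaration/training rules come from the slide.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weights are percentage points of a 0-100 composite risk score. The slide
# gives only the CPI and BPQ weights before and after the change; the
# remaining 50 points are assigned to a single placeholder component
# "other" (assumption) so that each weight set sums to 100.
CURRENT_WEIGHTS: Dict[str, int] = {"cpi": 40, "bpq": 10, "other": 50}
PROPOSED_WEIGHTS: Dict[str, int] = {"cpi": 30, "bpq": 20, "other": 50}

# Three-level scoring from the slide (inclusive point ranges).
TIERS: Tuple[Tuple[str, int, int], ...] = (
    ("Low", 0, 49),
    ("Medium", 50, 79),
    ("High", 80, 100),
)

# Due-diligence cadence per tier, from the slide. The ~6-year EDD for High
# Risk partners is modelled as replacing the OSI at that renewal (assumption).
DD_PLAN = {
    "Low":    {"initial": "GDC", "renewal_years": 3, "renewal": "GDC", "edd_every": None},
    "Medium": {"initial": "OSI", "renewal_years": 3, "renewal": "OSI", "edd_every": None},
    "High":   {"initial": "EDD", "renewal_years": 1, "renewal": "OSI", "edd_every": 6},
}

@dataclass(frozen=True)
class PartnerInputs:
    """Constructed inputs for one business partner; all values 0-100."""
    name: str
    country_cpi: int   # Corruption Perceptions Index of the operating country
    bpq_risk: int      # risk derived from BPQ answers, 0 = no concerns (assumption)
    other_risk: int    # placeholder for the remaining scored factors (assumption)
    red_flags: bool = False

def risk_score(p: PartnerInputs, weights: Dict[str, int] = PROPOSED_WEIGHTS) -> int:
    """Weighted 0-100 composite risk score for one partner."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100")
    for value, label in ((p.country_cpi, "CPI"), (p.bpq_risk, "BPQ"), (p.other_risk, "other")):
        if not 0 <= value <= 100:
            raise ValueError(f"{label} must be within 0-100, got {value}")
    # CPI is a cleanliness index (100 = least corrupt), so its risk
    # contribution is the complement (assumption about how CPI is used).
    components = {"cpi": 100 - p.country_cpi, "bpq": p.bpq_risk, "other": p.other_risk}
    return round(sum(components[k] * w for k, w in weights.items()) / 100)

def risk_tier(score: int) -> str:
    """Map a composite score onto the three-level scheme."""
    for name, low, high in TIERS:
        if low <= score <= high:
            return name
    raise ValueError(f"score out of range: {score}")

def tier_shift(p: PartnerInputs) -> Tuple[str, str]:
    """Tier under the current weights and under the proposed weights."""
    return (risk_tier(risk_score(p, CURRENT_WEIGHTS)), risk_tier(risk_score(p, PROPOSED_WEIGHTS)))

def due_diligence_schedule(tier: str, onboarded: int, horizon_years: int = 6) -> Dict[int, str]:
    """Year -> check due for a partner of the given tier onboarded in `onboarded`."""
    plan = DD_PLAN[tier]
    schedule = {onboarded: plan["initial"]}
    for offset in range(1, horizon_years + 1):
        if offset % plan["renewal_years"]:
            continue  # no BPQ renewal this year
        check = plan["renewal"]
        if plan["edd_every"] and offset % plan["edd_every"] == 0:
            check = "EDD"
        schedule[onboarded + offset] = check
    return schedule

def annual_obligations(tier: str, red_flags: bool) -> List[str]:
    """Recurring items that apply every year regardless of the renewal cycle."""
    items = ["Anti-Corruption Compliance Declaration"]  # every in-scope active BP
    if tier == "High":
        items.append("Online ABAC training")  # assigned annually to High Risk BPs
    if red_flags:
        items.append("Further review via EDD or audit")  # red flags may trigger this
    return items

if __name__ == "__main__":
    # Constructed sample partners, not real TE data.
    sample = [
        PartnerInputs("Distributor A", country_cpi=80, bpq_risk=100, other_risk=50),
        PartnerInputs("Distributor B", country_cpi=20, bpq_risk=10, other_risk=40),
        PartnerInputs("Distributor C", country_cpi=15, bpq_risk=90, other_risk=81, red_flags=True),
    ]
    for bp in sample:
        before, after = tier_shift(bp)
        print(f"{bp.name}: {before} -> {after} (proposed score {risk_score(bp)})")
        print("  schedule:", due_diligence_schedule(after, 2019))
        print("  annual:  ", annual_obligations(after, bp.red_flags))
```

Distributors A and B show the effect of the re-weighting: a partner with clean geography but a poor questionnaire moves up from Low to Medium, while a partner in a high-CPI-risk country with a clean questionnaire moves down from Medium to Low.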
Questions and Discussion
38
10
Anti-bribery / Anti-corruption Programs Overview
An anti-bribery / anti-corruption program is one part of an enterprise-wide framework of people, programs, policies, systems and controls designed to prevent, detect and respond to instances of legal and policy violations and ethical misconduct.

Ethics and compliance program framework
• Culture of ethics and compliance
• Governance and oversight
• Documentation

Prevent
• Risk assessments and due diligence
• Standards, policies and procedures
• Training and communications
• Third-party compliance
• Process-level controls
• Data analytics
Detect
• Employee reporting systems (including hotlines / helplines)
• Testing and monitoring
• Data analytics
Respond
• Case management and investigations
• Enforcement and accountability
• Incentives and discipline
• Remediation plans
11
Anti-Bribery / Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide, cross-functional and cross-geographic approach to preventing, detecting and responding to instances of legal and policy violations and ethical misconduct. The framework is predicated on key regulatory requirements, guiding frameworks, agency guidance and other leading practices that organizations with mature ethics and compliance programs generally find to be effective. Examples of drivers that influence the framework are as follows:
Program Drivers
• Foreign Corrupt Practices Act (and related guidance) - 1977
• Defense Industry Initiative on Ethics and Business Conduct - 1985
• US Federal Sentencing Guidelines for Organizational Defendants - 1991
• COSO Internal Control Framework - 1992
• In Re Caremark Decision - 1996
• Department of Justice Enforcement Guidance (Holder Memo) - 1999
• US Patriot Act - 2001
• Sarbanes-Oxley Act - 2002
• Office of Inspector General Guidance - 2003
• Revised Federal Sentencing Guidelines for Organizational Defendants - 2004
• Dodd-Frank Act - 2010
• Revised COSO Framework - 2013
• ISO 37001 - Anti-bribery management systems: requirements with guidance for use - 2016
• Ethics and Compliance Initiative - High-quality Ethics and Compliance Program Measurement Framework - 2018
• Department of Justice Guidance on the Evaluation of Corporate Compliance Programs - 2019
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM ldquoDRIVERSrdquo RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (eg
Department of Justice Guidance Officer of Inspector General
Guidance) and other drivers as well (eg US Federal Sentencing
Guidelines Foreign Corrupt Practice Act ISO 37001)
The framework incorporates and organizes a wide variety of programmatic requirements guidance and expectations into a holistic meaningful model The framework rationalizes and
summarizes these drivers in a proprietary manner
ISO 370012016
The organization has a governing body that body shall demonstrate leadership and commitment with respect to the anti-bribery management system
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system
Federal Sentencing Guidelines
The organizationrsquos governing authority shall be knowledgeable about the
content and operation of the compliance and ethics program and shall
exercise reasonable oversight with respect to the implementation and
effectiveness of the compliance and ethics program
High-level personnel of the organization shall ensure that the organization
has an effective compliance and ethics program as described in this
guideline Specific individuals within high-level personnel shall be
assigned overall responsibility for the compliance and ethics program
DOJ SEC Guidance
Within a business organization compliance begins with the board of
directors and senior executives setting the proper tone for the rest of the
company
OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or at supervisory boards is the duty of one or more senior corporate officers with an adequate level of autonomy from management resources and authority
Governance and Oversight
Governing Authority Oversight Organizations should
have a governing authority (typically the Board of Directors
or a Committee of the Board) that exercises high-level
oversight of all elements of the organizationrsquos ethics and
compliance program and is knowledgeable about the
content and operation of the program
Executive Level Oversight Organizations should have a
senior member of management who (1) oversees the
development implementation and maintenance of the
organizations ethics and compliance program (2)
collaborates with functional and geographic leaders to help
integrate ethics and compliance activities within the
business and (3) provides ethics and compliance program
related updates to the board or one of its committees
directly and on a regular basis
Day-to-day Oversight Organizations should identify
compliance risk owners (eg anti-bribery and anti-
corruption etc) across the functions geographies and
business units who are responsible for working
collaboratively with the organizations head of compliance
and centralized compliance function to support the
organizations ethics and compliance activities and to
implement the organizations anti-bribery and anti-
corruption framework in a consistent manner
Anti-Bribery Anti-Corruption Compliance Program Framework
Risk Assessments and
Due Diligence
14
Risk Assessments and Due Diligence
Risk Assessments Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing in a consistent manner
across functions geographies and business units ethics and compliance risks that are determined to be of top priority based on the results of the
compliance risk assessment
Risk Assessments Organizations should take steps to integrate other risk assessment activities (eg enterprise risk management fraud risk
assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to
maximize efficiencies
Due Diligence Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual
whom the organization knows or should have known has engaged in illegal activities
Due Diligence Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition This due
diligence should include the evaluation of the target companys compliance program employee training third party relationships etc
Due Diligence Organizations should incorporate acquired companies into its internal control structure and compliance program in a timely manner
Organizations should consider training new employees re-evaluating third parties under the organizations standards and as necessary conduct
audits on new business units
Some leading practices that organizations with mature compliance programs find to be effective in the
area of Risk Assessments and Due Diligence include
Risk Assessments Organizations should take a consistent definition of ethics and compliance
risksrdquo which are existing or emerging threats to the organization (across all functional areas) related
to potential legal regulatory or policy non-compliance and unethical conduct ndash resulting in
Civil or criminal fines or penalties
Reputational brand damage
Negative financial impact
Negative operational impact
Risk Assessments Organizations should develop implement and periodically conduct a
focused ethics and compliance risk assessment designed to (1) identify (2) prioritize and (3)
assign responsibility for managing ethics and compliance risks
15
Risk Assessments and Due Diligence
1
5
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk
Codes Policies and Procedures
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs
find to be effective in the area of Codes Policies and Procedures include
Organizations should develop comprehensive codes of conduct that serve as the
centerpiece of the ethics and compliance program Codes of conduct should be
designed leading practice principles (detailed on the following slide)
Organizations should have policies and procedures regarding the creation and
maintenance of resources that serve as guidance for personnel when they need advice
about ethics and compliance
Organizations should establish compliance-related risk management controls that are
designed implemented and maintained in a consistent manner across the
organization Controls should be well-documented and technology should be leveraged
to help maximize compliance promote efficiency and reduce costs
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard
operating procedures (ldquoSOPsrdquo) on a periodic basis (eg annually) and establish new policies or SOPs when necessary
Organizations should implement procedures such that personnel will not suffer retaliation discrimination or disciplinary action for
refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs or for raising concerns on
the basis of a reasonable belief of actual or suspected noncompliance
Organizations should ensure policies are clearly articulated concise visible and accessible to all employees and those conducting
business on the companyrsquos behalf
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local
operation
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed
18
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include:
  • utilizing short, declarative sentences, writing in the active voice versus the passive voice, incorporating bullet points to deliver user-friendliness and improve reading comprehension, designing pages in a way that incorporates graphics, photos and images, content and white space, and incorporating FAQs to further employee understanding
  • built on an ethical framework, these documents contain guidance to help employees spot issues and resolve ethical dilemmas
  • utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Codes, Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
General program audit: audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria.
Risk assessment: audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners".
Code of conduct: audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically.
Policies and procedures: audit to confirm that policies have been reviewed and updated periodically, with accurate version control.
Training: audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited, and (2) employees invited to complete training programs actually completed those programs.
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
21
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1 - Define Framework: identify the audit universe and establish common risk assessment definitions.
Step 2 - Initial Analysis: perform an initial analysis of risk with input from the Company's executive management team.
Step 3 - Meeting with Management: obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance.
Step 4 - Evaluate Assessment Results: evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5 - Design Internal Audit Plan: design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6 - Audit Committee Approval: present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
[Figure: six-step flow, Define Framework, Initial Analysis, Meeting with Management, Evaluate Assessment Results, Design Internal Audit Plan, Audit Committee Approval.]
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g., suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g., Bribery and Corruption, Information Security, Product Quality, etc.).
Organizations should develop and implement a comprehensive process by which a determination can be made of when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be clearly and contractually defined.
Organizations should have a set of standards and expectations (e.g., a Third Party Code of Conduct) with which suppliers are expected to comply.
Organizations should inform third parties of the organization's ethics and compliance program and its commitment to ethical and lawful business practices, and expect the same of third parties.
Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and of its expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Third Party Due Diligence
26
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make a go/no-go decision
High Risk Due Diligence
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
[Figure: due diligence screening and background checks flow; Enhanced Due Diligence feeds a decision of APPROVE, APPROVE with CONTROLS or NOT APPROVED, with all materials collected and decisions documented.]
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
[Figure: the organization at the centre of four service attributes: Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing.]
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements.
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization.
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality.
4. Full results reporting of identified risks and observations, along with recommendations for enhancement.
Phase 1 - Audit Initiation: planning, education, kick-off meeting
Phase 2 - Pre-fieldwork Scoping: operational assessment & third party intelligence check
Phase 3 - Fieldwork: sampling, interviewing & transaction testing
Phase 4 - Evaluation and Closing: analyze findings, risks & close-out meeting
Phase 5 - Reporting: critical issues, observations and enhancement opportunities
Project Management Office: project coordination, education, quality assurance & reporting
29
1. Hundreds of business partners exist and are theoretically equal opportunities.
2. Qualitative and quantitative factors are considered to determine risk ranking.
3. Review options are determined through a data-driven model and comprehensive analysis.
[Figure: business partners A to J move from an undifferentiated population into High, Medium and Low risk bands and then into review options (TBD): Level 1, Level 2, Level 3. Stage labels: Business Partner Selection; Comprehensive Risk Assessment; Continuous Monitoring, Transaction Testing, Data Analytics (performed simultaneously).]
Case Study - TE Connectivity Ltd.
TE Connectivity Ltd. - Overview
32
TE Connectivity Ltd. - Overview
TE Connectivity Ltd. is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program...
  • generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where...
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team...
  • champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans, testing due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
ABAC Third Party Risk Management Analytics (Phase 3)
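The deck describes full-population transaction testing (assessing 100% of the data rather than a sample) and names the kinds of indicator it used (excessive discounts and commissions, operating geographies), but shows only dashboards, not rules. The following is an added example written for this page, not the analytics FTI Consulting built for TE Connectivity: it scores every transaction in a constructed distributor extract against three indicator rules and ranks distributors by indicator hits so that audit effort can follow risk. The thresholds, the high-risk country list and the transactions are assumptions.

```python
"""Full-population ABAC transaction testing for distributor data.

Added illustration, not the analytics FTI Consulting built for TE
Connectivity (the slides show dashboards, not the rules). Every
transaction in the extract is tested against indicator rules of the
kinds the deck names (excessive discounts and commissions, high-risk
operating geographies); distributors are then ranked by hits. The
thresholds, the country list and the transactions are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample extract (not real TE data):
# (txn_id, distributor, country, amount_usd, discount_pct, commission_pct)
TRANSACTIONS = [
    ("T001", "Dist-1", "DE", 120_000, 10, 3),
    ("T002", "Dist-1", "DE",  80_000, 12, 3),
    ("T003", "Dist-2", "BR", 200_000, 11, 4),
    ("T004", "Dist-2", "BR", 150_000, 38, 4),   # discount far above the population
    ("T005", "Dist-3", "NG",  90_000,  9, 15),  # commission above the assumed cap
    ("T006", "Dist-3", "NG",  60_000, 10, 14),
    ("T007", "Dist-4", "US", 300_000,  8, 2),
    ("T008", "Dist-4", "US", 250_000,  9, 2),
]

HIGH_RISK_COUNTRIES = {"BR", "NG"}  # assumed, e.g. derived from CPI bands
COMMISSION_CAP_PCT = 10             # assumed policy ceiling on commissions
DISCOUNT_Z_THRESHOLD = 2.0          # assumed: discounts 2+ std devs above the mean


def discount_zscores(txns):
    """z-score of each transaction's discount against the whole population."""
    discounts = [t[4] for t in txns]
    mu, sigma = mean(discounts), pstdev(discounts)
    return {t[0]: ((t[4] - mu) / sigma if sigma else 0.0) for t in txns}


def flag_transactions(txns):
    """Return {txn_id: [indicator names]} for every transaction that hits a rule."""
    z = discount_zscores(txns)
    flagged = {}
    for txn_id, _dist, country, _amount, _disc, commission in txns:
        reasons = []
        if z[txn_id] >= DISCOUNT_Z_THRESHOLD:
            reasons.append("excessive discount")
        if commission > COMMISSION_CAP_PCT:
            reasons.append("commission above cap")
        if country in HIGH_RISK_COUNTRIES:
            reasons.append("high-risk geography")
        if reasons:
            flagged[txn_id] = reasons
    return flagged


def rank_distributors(txns, flagged):
    """Aggregate indicator hits per distributor, riskiest first."""
    agg = defaultdict(lambda: {"hits": 0, "flagged_value_usd": 0, "reasons": set()})
    for txn_id, dist, _country, amount, _disc, _comm in txns:
        if txn_id in flagged:
            agg[dist]["hits"] += len(flagged[txn_id])
            agg[dist]["flagged_value_usd"] += amount
            agg[dist]["reasons"].update(flagged[txn_id])
    # Most indicator hits first; ties broken by the value of flagged business.
    return sorted(agg.items(),
                  key=lambda kv: (-kv[1]["hits"], -kv[1]["flagged_value_usd"]))


if __name__ == "__main__":
    flags = flag_transactions(TRANSACTIONS)
    for txn_id, reasons in flags.items():
        print(txn_id, ", ".join(reasons))
    for dist, summary in rank_distributors(TRANSACTIONS, flags):
        print(dist, summary["hits"], summary["flagged_value_usd"], sorted(summary["reasons"]))
```

The discount rule is relative to the population (a z-score), which is what makes full-population testing different from a fixed-threshold sample: a 38% discount is only "excessive" because the rest of the book sits around 10%. The output feeds the kind of ranking the deck's dashboards show, and the rule set is where feedback from internal audit observations would be incorporated.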
36
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High Risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on the Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: initial Global Database Check (GDC); renew/update BPQ every 3 years with GDC performed
  • Medium Risk: initial Open Source Investigation (OSI); renew/update BPQ every 3 years with OSI performed
  • High Risk: initial Enhanced Due Diligence (EDD); renew BPQ annually, with OSI performed upon renewal except that EDD is conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners - can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
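The scoring bands and the two re-weighted factors above, together with the per-tier due diligence scope from the slide 26 flow (low, medium and high risk checks), are enough to show how a business partner score turns into a due diligence plan. The block below is an added example for this page, not TE Connectivity's or FTI Consulting's scoring model: it uses the stated bands (Low 0-49, Medium 50-79, High 80-100) and the stated weights for CPI (30) and BPQ (20); the remaining factors, their weights and their normalisation rules are assumptions chosen so that the scale totals 100.

```python
"""Business-partner risk scoring and due-diligence tiering.

Added illustration (not TE Connectivity's or FTI Consulting's code). It
uses the three scoring bands the slide states (Low 0-49, Medium 50-79,
High 80-100) and the proposed weights for the two factors it quantifies
(Corruption Perception Index 30 points, Business Partner Questionnaire
20 points). The other factors, their weights and their normalisation
rules are assumptions made here so that the scale totals 100.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Points available per factor; the total is 100 so a score lands on the
# 0-100 scale the slide uses.
WEIGHTS = {
    "cpi": 30,                       # stated on the slide (reduced from 40)
    "bpq": 20,                       # stated on the slide (raised from 10)
    "contract_value": 20,            # assumed
    "government_touchpoints": 15,    # assumed
    "past_compliance_failures": 15,  # assumed
}
assert sum(WEIGHTS.values()) == 100

# Score bands as stated on the slide: (level, inclusive upper bound).
LEVELS = (("Low", 49), ("Medium", 79), ("High", 100))

# Due-diligence scope and renewal cadence per level, as listed on the slide.
DUE_DILIGENCE = {
    "Low": dict(initial="Global Database Check (GDC)",
                renewal="Renew/update BPQ every 3 years with GDC",
                online_training=False),
    "Medium": dict(initial="Open Source Investigation (OSI)",
                   renewal="Renew/update BPQ every 3 years with OSI",
                   online_training=False),
    "High": dict(initial="Enhanced Due Diligence (EDD)",
                 renewal="Renew BPQ annually with OSI; EDD about every 6 years",
                 online_training=True),
}


@dataclass
class BusinessPartner:
    name: str
    cpi: int                       # country CPI score, 0 (most corrupt) to 100 (cleanest)
    bpq_risk: float                # share of risk-indicating BPQ answers, 0.0 to 1.0
    contract_value_usd: float
    government_touchpoints: bool   # deals with officials or state-owned customers
    past_compliance_failures: int
    red_flags: list[str] = field(default_factory=list)


def normalize(bp: BusinessPartner) -> dict[str, float]:
    """Map each raw attribute to a 0..1 risk fraction (1.0 = riskiest)."""
    return {
        # A low CPI means a high perceived-corruption environment.
        "cpi": (100 - max(0, min(bp.cpi, 100))) / 100,
        "bpq": max(0.0, min(bp.bpq_risk, 1.0)),
        # Assumed: risk saturates at USD 1M of annual contract value.
        "contract_value": min(bp.contract_value_usd / 1_000_000, 1.0),
        "government_touchpoints": 1.0 if bp.government_touchpoints else 0.0,
        # Assumed: two or more prior failures score the maximum.
        "past_compliance_failures": min(bp.past_compliance_failures / 2, 1.0),
    }


def risk_score(bp: BusinessPartner, weights: dict[str, int] = WEIGHTS) -> int:
    """Weighted 0-100 score; pass other weights to compare methodologies."""
    fractions = normalize(bp)
    return round(sum(weights[k] * fractions[k] for k in weights))


def risk_level(score: int) -> str:
    for level, upper in LEVELS:
        if score <= upper:
            return level
    raise ValueError(f"score out of range: {score}")


def due_diligence_plan(bp: BusinessPartner) -> dict:
    """Level, initial check, renewal cadence, training and declaration duties."""
    score = risk_score(bp)
    level = risk_level(score)
    plan = dict(DUE_DILIGENCE[level], name=bp.name, score=score, level=level,
                annual_declaration=True)  # required for every in-scope active BP
    if bp.red_flags:
        # Slide: red flags may require further review through EDD or audit.
        plan["escalation"] = "EDD or audit review required before renewal"
    return plan


# Constructed sample partners (not real TE distributors).
SAMPLE_PARTNERS = [
    BusinessPartner("Distributor A", cpi=84, bpq_risk=0.1, contract_value_usd=250_000,
                    government_touchpoints=False, past_compliance_failures=0),
    BusinessPartner("Distributor B", cpi=50, bpq_risk=0.5, contract_value_usd=500_000,
                    government_touchpoints=True, past_compliance_failures=0),
    BusinessPartner("Distributor C", cpi=28, bpq_risk=0.8, contract_value_usd=2_000_000,
                    government_touchpoints=True, past_compliance_failures=2,
                    red_flags=["undisclosed state-owned end customer"]),
]

if __name__ == "__main__":
    for bp in SAMPLE_PARTNERS:
        p = due_diligence_plan(bp)
        print(f"{p['name']}: {p['score']:>3} {p['level']:<6} initial={p['initial']}")
```

Distributor B lands exactly on the 50-point boundary, which is the case worth checking when a scoring methodology is re-weighted: moving points from CPI to the BPQ changes which partners cross a band edge, so a change like the one proposed above should be re-run against the whole in-scope population before the new due diligence cadence is applied.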
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App.
Not using the conference app? Visit iccnfio to complete your session evaluations.
11
Anti-Bribery Anti-Corruption Compliance Program Framework
An anti-corruption compliance program framework is an enterprise-wide, cross-functional and cross-geographic approach to preventing, detecting and responding to instances of legal and policy violations and ethical misconduct. The framework is predicated on key regulatory requirements, guiding frameworks, agency guidance and other leading practices that organizations with mature ethics and compliance programs generally find to be effective. Examples of drivers that influence the framework are as follows:
Program Drivers
• Foreign Corrupt Practices Act (and related guidance) - 1977
• Defense Industry Initiative on Ethics and Business Conduct - 1985
• US Federal Sentencing Guidelines for Organizational Defendants - 1991
• COSO Internal Control Framework - 1992
• In Re Caremark Decision - 1996
• Department of Justice Enforcement Guidance (Holder Memo) - 1999
• US Patriot Act - 2001
• Sarbanes-Oxley Act - 2002
• Office of Inspector General Guidance - 2003
• Revised Federal Sentencing Guidelines for Organizational Defendants - 2004
• Dodd-Frank Act - 2010
• Revised COSO Framework - 2013
• ISO 37001 - Anti-bribery management systems: requirements with guidance for use - 2016
• Ethics and Compliance Initiative - High-quality Ethics and Compliance Program Measurement Framework - 2018
• Department of Justice Guidance on the Evaluation of Corporate Compliance Programs - 2019
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM "DRIVERS" AND RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (e.g., Department of Justice Guidance, Office of Inspector General Guidance) and other drivers as well (e.g., US Federal Sentencing Guidelines, Foreign Corrupt Practices Act, ISO 37001).
The framework incorporates and organizes a wide variety of programmatic requirements, guidance and expectations into a holistic, meaningful model. The framework rationalizes and summarizes these drivers in a proprietary manner.
ISO 37001:2016
The organization has a governing body; that body shall demonstrate leadership and commitment with respect to the anti-bribery management system.
Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system.
Federal Sentencing Guidelines
The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individuals within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
DOJ/SEC Guidance
Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.
OECD Framework
Oversight of ethics and compliance programs or measures regarding foreign bribery, including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or of supervisory boards, is the duty of one or more senior corporate officers with an adequate level of autonomy from management, resources and authority.
Governance and Oversight
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization's ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization's ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program-related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g., anti-bribery and anti-corruption, etc.) across the functions, geographies and business units who are responsible for working collaboratively with the organization's head of compliance and centralized compliance function to support the organization's ethics and compliance activities and to implement the organization's anti-bribery and anti-corruption framework in a consistent manner.
Anti-Bribery Anti-Corruption Compliance Program Framework
Risk Assessments and
Due Diligence
14
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks," which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
• Civil or criminal fines or penalties
• Reputational / brand damage
• Negative financial impact
• Negative operational impact
Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g., enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments, so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows or should have known has engaged in illegal activities.
Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third party relationships, etc.
Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.
15
Risk Assessments and Due Diligence
This slide shows an example of a risk assessment heat map that displays residual ethics and compliance risk.
[Figure: residual ethics and compliance risk heat map; image not reproduced in this transcript.]
Codes, Policies and Procedures
17
Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed in line with leading-practice principles (detailed on the following slide).
Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
Organizations should establish compliance-related risk management controls that are
designed implemented and maintained in a consistent manner across the
organization Controls should be well-documented and technology should be leveraged
to help maximize compliance promote efficiency and reduce costs
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard
operating procedures (ldquoSOPsrdquo) on a periodic basis (eg annually) and establish new policies or SOPs when necessary
Organizations should implement procedures such that personnel will not suffer retaliation discrimination or disciplinary action for
refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs or for raising concerns on
the basis of a reasonable belief of actual or suspected noncompliance
Organizations should ensure policies are clearly articulated concise visible and accessible to all employees and those conducting
business on the companyrsquos behalf
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local
operation
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed
18
Organizations should develop codes policies and procedures in line with the following
principles
Values-based
Risk-based covering the waterfront of ethics and compliance risks
Promotes the minimum standards requirements and expectations that apply
everywhere the organization operates
Use of plain-language writing principles which include
bull utilizing short declarative sentences writing in the active voice versus the
passive voice incorporating bullet points to deliver user-friendliness and improve
reading comprehension designing pages in a way that incorporates graphics
photos and images content and white space and incorporating FAQs to further
employee understanding
bull Built on an ethical framework these documents contain guidance for employees
to help employees spot issues and resolve ethical dilemmas
bull Utilizing a branding layout and design that engages employees is easy to
navigate and is branded in a manner that is consistent with the organizations
ethics and compliance program
Codes Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
21
Auditing and Monitoring
Define Framework
Initial Analysis
Meeting with Management
Evaluate Assessment
Results
Design Internal Audit
Plan
Audit Committee Approval
The compliance auditing and monitoring program strategy can be broken down into the following steps
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Companys executivemanagement team
Step 3 Meeting with Management - Obtain input from key risk assessment participants includingmembers of executive and senior management and process owners in order to rank risks accordingto established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participantsand calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlateseffort and internal audit frequency with the assessment results based on severity of perceived risk
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review andapproval making any updates as necessary
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find
to be effective in the area of Third Party Risk Management include
Organizations should develop and implement comprehensive due diligence
vetting and screening processes related to the potential third parties (eg
suppliers agents contractors business partners etc) with which the
organization may potentially partner so as to identify and manage relevant
compliance risks (eg Bribery and Corruption Information Security Product
Quality etc)
Organizations should develop and implement a comprehensive process by
which a determination can be made of when and to what extent to involve
third parties in business activities The organization should assign
responsibility for these decisions to personnel with the appropriate skills and
knowledge The third partys role and access to organizational information
should be contractually and clearly defined
Organizations should have a set of standards and expectations (eg A Third Party Code of Conduct) with which
suppliers are expected to comply
Organizations should inform third parties of the organizationrsquos ethics and compliance program and the commitment to
ethical and lawful business practices and expect the same of third parties
Organizations should ensure that third-party personnel are aware of and comply with the companys ethics and
compliance programs and the companys commitment to ethical and lawful business practices
Organizations should take steps to confirm that agents and business partners have been apprised of the
organizations policies and procedures and expectations to conduct business in an ethical manner
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Third Party Due Diligence
26
Due Diligence Screening / Background Checks
Low Risk Due Diligence
1. Published penalties and convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open source investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make a go/no-go decision
High Risk Due Diligence
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
[Figure labels from the lifecycle diagram: "Enhanced Due Diligence"; outcomes "APPROVE", "APPROVE with CONTROLS", "NOT APPROVED"; "Collect all materials and document decisions".]
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
[Figure labels from the engagement model diagram, arranged around "Organization": "Local Response Team and Single Point of Contact"; "Global Reach with Subject Matter Expertise"; "Committed Business Advisor"; "High-Quality Services at Cost-Efficient Pricing".]
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations along with recommendations for enhancement
Phase 1 – Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 – Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 – Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 – Evaluation and Closing: Analyze Findings, Risks & Close Out Meeting
Phase 5 – Reporting: Critical Issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
29
Business Partner Selection / Comprehensive Risk Assessment
1. Hundreds of business partners exist and are theoretically equal opportunities
2. Qualitative and quantitative factors are considered to determine risk ranking
3. Review options are determined through a data-driven model and comprehensive analysis
[Figure: business partners labelled A through J are ranked into High, Medium and Low risk; review options (TBD): Level 1, Level 2, Level 3; labelled "Performed Simultaneously".]
Continuous Monitoring: Transaction Testing, Data Analytics
Case Study – TE Connectivity Ltd
TE Connectivity Ltd – Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
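As an added example (not code from the presentation, nor TE Connectivity's or FTI's analytics), the Python block below shows the kind of risk-indicator analytics the slide describes, run over the whole population of a constructed set of distributor transactions rather than a sample: each transaction is checked against three indicators drawn from the attributes listed on slide 24 (excessive discounts, excessive commissions, operating geography), and distributors are ranked by the indicators they trigger so an internal audit plan can prioritize them. The thresholds (a discount more than two standard deviations above the population mean, a commission above 10% of net price) and the high-risk country set are assumptions, and the transaction data is invented.

```python
"""Added example (not from the presentation): bribery-risk indicator analytics over
a constructed population of distributor transactions. Every transaction is assessed,
not a sample, and distributors are ranked by the indicators they trigger."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    distributor: str
    country: str       # country code of the end customer
    list_price: float
    net_price: float   # amount actually invoiced after discount
    commission: float  # commission paid to the distributor on this deal


# Constructed sample data; distributor names and amounts are invented.
TRANSACTIONS = [
    Transaction("T001", "DIST-A", "DE", 1000.0, 950.0, 30.0),
    Transaction("T002", "DIST-A", "DE", 2000.0, 1900.0, 60.0),
    Transaction("T003", "DIST-B", "FR", 1500.0, 1425.0, 45.0),
    Transaction("T004", "DIST-B", "FR", 1200.0, 1140.0, 36.0),
    Transaction("T005", "DIST-C", "XX", 1000.0, 600.0, 150.0),  # deep discount, large commission
    Transaction("T006", "DIST-C", "XX", 800.0, 760.0, 24.0),
    Transaction("T007", "DIST-D", "GB", 3000.0, 2850.0, 90.0),
    Transaction("T008", "DIST-D", "GB", 500.0, 475.0, 200.0),   # commission out of line with deal size
]

# Placeholder set (assumption): a real program would derive this from the Corruption
# Perception Index or the organisation's own geography risk rating. "XX" is a constructed code.
HIGH_RISK_COUNTRIES = {"XX"}


def discount_rate(t: Transaction) -> float:
    """Share of list price given away as discount."""
    return 1.0 - t.net_price / t.list_price


def commission_rate(t: Transaction) -> float:
    """Commission as a share of the invoiced amount."""
    return t.commission / t.net_price


def flag_transactions(txns, z_threshold: float = 2.0, commission_cap: float = 0.10) -> dict:
    """Assess 100% of the population and return {txn_id: [indicator, ...]} for every
    transaction that triggers at least one indicator. The discount indicator is relative
    to the whole population (z-score), so it follows the business's normal discounting
    instead of a fixed cut-off."""
    rates = [discount_rate(t) for t in txns]
    mu, sigma = mean(rates), pstdev(rates)
    flags = {}
    for t in txns:
        reasons = []
        if sigma > 0 and (discount_rate(t) - mu) / sigma > z_threshold:
            reasons.append("excessive_discount")
        if commission_rate(t) > commission_cap:
            reasons.append("excessive_commission")
        if t.country in HIGH_RISK_COUNTRIES:
            reasons.append("high_risk_geography")
        if reasons:
            flags[t.txn_id] = reasons
    return flags


def rank_distributors(txns, flags: dict) -> list:
    """Rank distributors by total indicators triggered (ties broken by name); this is the
    ordering an internal audit plan would use to prioritise fieldwork."""
    counts = defaultdict(int)
    for t in txns:
        counts[t.distributor] += len(flags.get(t.txn_id, []))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    flagged = flag_transactions(TRANSACTIONS)
    for txn_id, reasons in flagged.items():
        print(txn_id, ", ".join(reasons))
    for name, count in rank_distributors(TRANSACTIONS, flagged):
        print(f"{name}: {count} indicator(s)")
```

Because the discount indicator is computed over the full population, a single deep discount stands out only when the rest of the book is consistent; with eight transactions the largest achievable z-score is about 2.65, so a threshold of 2.0 suits this toy set but would be calibrated with the business for a real population, which is the mapping-and-refinement loop the slide describes.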
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High Risk rating
  • 3 levels scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC). Renew/update BPQ every 3 years, with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI). Renew/update BPQ every 3 years, with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope, active Business Partner
  • Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration
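As an added example (not TE's scoring model or code), the block below encodes the three-tier scheme from this slide together with the tiered due diligence of slide 26: partners are scored out of 100 points using the proposed weights (30 for the Corruption Perception Index, 20 for Business Partner Questionnaire responses), mapped to Low (0-49), Medium (50-79) or High (80-100), and then given the initial check, renewal cadence and renewal check the slide lists for each tier, plus the annual declaration and the High Risk training. How the remaining 50 points are split across other slide-24 attributes (contract value, past compliance failures, government touchpoints), how each factor is normalised, and the "~6 years" EDD interval taken as exactly 6 are assumptions; the partner records are constructed.

```python
"""Added example (not from the presentation): three-tier business partner risk scoring
and the due diligence obligations each tier carries."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    LOW = "Low Risk"        # 0-49 points
    MEDIUM = "Medium Risk"  # 50-79 points
    HIGH = "High Risk"      # 80-100 points


# Maximum points per factor; the total is 100. CPI = 30 and BPQ = 20 are the proposed
# weights on the slide. The split of the other 50 points is an assumption.
WEIGHTS = {
    "cpi": 30,
    "bpq": 20,
    "contract_value": 20,
    "past_failures": 15,
    "government_touchpoints": 15,
}

# Initial check, BPQ renewal interval, check run at renewal and EDD interval per tier,
# transcribed from the slide ("~6 years" taken as 6).
DUE_DILIGENCE = {
    Tier.LOW:    {"initial": "GDC", "bpq_renewal_years": 3, "renewal_check": "GDC", "edd_interval_years": None},
    Tier.MEDIUM: {"initial": "OSI", "bpq_renewal_years": 3, "renewal_check": "OSI", "edd_interval_years": None},
    Tier.HIGH:   {"initial": "EDD", "bpq_renewal_years": 1, "renewal_check": "OSI", "edd_interval_years": 6},
}


@dataclass(frozen=True)
class PartnerFactors:
    name: str
    cpi_score: int              # Corruption Perception Index of operating country, 0 (worst) to 100 (best)
    bpq_risk: float             # share of BPQ answers indicating risk, 0.0-1.0 (assumed normalisation)
    contract_value_risk: float  # contract value normalised against the partner population, 0.0-1.0
    past_compliance_failures: bool
    government_touchpoints: bool


def risk_score(p: PartnerFactors) -> int:
    """Weighted score out of 100; a low CPI (more corrupt geography) earns more risk points."""
    pts = WEIGHTS["cpi"] * (100 - p.cpi_score) / 100
    pts += WEIGHTS["bpq"] * p.bpq_risk
    pts += WEIGHTS["contract_value"] * p.contract_value_risk
    pts += WEIGHTS["past_failures"] if p.past_compliance_failures else 0
    pts += WEIGHTS["government_touchpoints"] if p.government_touchpoints else 0
    return round(pts)


def tier_for(score: int) -> Tier:
    """Map a 0-100 score to the three-level scheme (the former Medium/High level is gone)."""
    if score >= 80:
        return Tier.HIGH
    if score >= 50:
        return Tier.MEDIUM
    return Tier.LOW


def annual_obligations(tier: Tier, years_since_onboarding: int, red_flag: bool = False) -> list:
    """Program actions due for a partner in a given anniversary year (0 = onboarding)."""
    actions = ["annual ABAC declaration"]  # required for every in-scope, active partner
    sched = DUE_DILIGENCE[tier]
    if years_since_onboarding == 0:
        actions.append(f"initial {sched['initial']}")
    elif years_since_onboarding % sched["bpq_renewal_years"] == 0:
        actions.append("renew BPQ")
        edd_every = sched["edd_interval_years"]
        if edd_every and years_since_onboarding % edd_every == 0:
            actions.append("EDD")
        else:
            actions.append(sched["renewal_check"])
    if tier is Tier.HIGH:
        actions.append("online training")
    # A red flag escalates to EDD or audit unless an EDD is already scheduled this year.
    if red_flag and not any("EDD" in a for a in actions):
        actions.append("EDD or audit (red flag review)")
    return actions


# Constructed partners; names and factor values are invented.
ALPHA = PartnerFactors("Alpha Distribution", 80, 0.1, 0.2, False, False)
BETA = PartnerFactors("Beta Agency", 40, 0.5, 0.6, True, False)
GAMMA = PartnerFactors("Gamma Partners", 24, 0.9, 0.8, True, True)

if __name__ == "__main__":
    for p in (ALPHA, BETA, GAMMA):
        s = risk_score(p)
        print(f"{p.name}: {s} points -> {tier_for(s).value}")
        print("  year 0:", annual_obligations(tier_for(s), 0))
        print("  year 3:", annual_obligations(tier_for(s), 3))
```

Keeping the weights in one table makes the slide's proposed re-weighting (CPI 40 to 30, BPQ 10 to 20) a configuration change rather than a code change, and the tier boundaries at 50 and 80 are the only place the scheme's cut-offs appear, so a partner scoring exactly 80 lands in High Risk.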
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App.
Not using the conference app? Visit iccnf.io to complete your session evaluations.
12
EXAMPLES OF ABAC COMPLIANCE PROGRAM "DRIVERS" – RESULTING LEADING PRACTICES
The framework is predicated on a variety of legal requirements (e.g., Department of Justice Guidance, Office of Inspector General Guidance) and other drivers as well (e.g., US Federal Sentencing Guidelines, Foreign Corrupt Practices Act, ISO 37001). The framework incorporates and organizes a wide variety of programmatic requirements, guidance and expectations into a holistic, meaningful model. The framework rationalizes and summarizes these drivers in a proprietary manner.
Drivers:
ISO 37001:2016 – "The organization has a governing body; that body shall demonstrate leadership and commitment with respect to the anti-bribery management system." "Top management shall demonstrate leadership and commitment with respect to the anti-bribery management system."
Federal Sentencing Guidelines – "The organization's governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program." "High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individuals within high-level personnel shall be assigned overall responsibility for the compliance and ethics program."
DOJ/SEC Guidance – "Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company."
OECD Framework – "Oversight of ethics and compliance programs or measures regarding foreign bribery, including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or at supervisory boards, is the duty of one or more senior corporate officers, with an adequate level of autonomy from management, resources and authority."
Resulting Leading Practices – Governance and Oversight:
Governing Authority Oversight: Organizations should have a governing authority (typically the Board of Directors or a Committee of the Board) that exercises high-level oversight of all elements of the organization's ethics and compliance program and is knowledgeable about the content and operation of the program.
Executive Level Oversight: Organizations should have a senior member of management who (1) oversees the development, implementation and maintenance of the organization's ethics and compliance program, (2) collaborates with functional and geographic leaders to help integrate ethics and compliance activities within the business, and (3) provides ethics and compliance program related updates to the board or one of its committees directly and on a regular basis.
Day-to-day Oversight: Organizations should identify compliance risk owners (e.g., anti-bribery and anti-corruption, etc.) across the functions, geographies and business units who are responsible for working collaboratively with the organization's head of compliance and centralized compliance function to support the organization's ethics and compliance activities and to implement the organization's anti-bribery and anti-corruption framework in a consistent manner.
Anti-Bribery/Anti-Corruption Compliance Program Framework
Risk Assessments and Due Diligence
14
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks", which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct, resulting in:
• Civil or criminal fines or penalties
• Reputational / brand damage
• Negative financial impact
• Negative operational impact
Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g., enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows or should have known has engaged in illegal activities.
Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third party relationships, etc.
Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.
Risk Assessments and Due Diligence
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk.
[Figure: risk assessment heat map of residual ethics and compliance risk; image not reproduced in this transcript.]
Codes Policies and Procedures
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed in line with leading practice principles (detailed on the following slide).
Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g., annually) and establish new policies or SOPs when necessary.
Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
18
Codes Policies and Procedures
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include utilizing short declarative sentences; writing in the active voice versus the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework, these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
• General program audit: Audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria
• Risk assessment: Audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners"
• Code of conduct: Audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically
• Policies and procedures: Audit to confirm that policies have been reviewed and updated periodically with accurate version control
• Training: Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
21
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions.
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Company's executive/management team.
Step 3 Meeting with Management - Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance.
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results based on severity of perceived risk.
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g., suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g., Bribery and Corruption, Information Security, Product Quality, etc.).
Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
Organizations should have a set of standards and expectations (e.g., a Third Party Code of Conduct) with which suppliers are expected to comply.
Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
26
Low Risk Due Diligence
1 Published penalties convictions
2 PEP Screening and Watch list Checks
3 Negative News Searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open Source Investigation by a due
diligence provider on both the
organization and key employeesowners
4 Results reviewed by compliance
personnel to make gono-go decision
High Risk Due Diligence
1 Low and Medium Risk Checks PLUS
2 Audit and Review Financials
3 Interview references political and
business associates
4 Field Investigative background reports
using local data sources
APPROVE
APPROVE with CONTROLS
NOT APPROVED
Collect all
Materials and
Document
Decisions
Enhanced
Due
Diligence
Due Diligence Screening Background Checks
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization
Local Response
Team and Single
Point of Contact
Global
Reach with
Subject
Matter
Expertise
Committed
Business
Advisor
High-Quality
Services at Cost-
Efficient Pricing
1Collaborative process involving clear identification of scope and early development of a risk
focused execution strategy to fit an organizations requirements
2Innovative approaches use anti-briberyanti-corruption compliance analytics and visualizations
models focused on assessing 100 of a data population to identify the transactions that pose the
greatest risk to an organization
3Clear and constant communication to ensure focused execution while delivering in an efficient
manner with consistent quality
4 Full results reporting of identified risks and observations along with recommendations for
enhancement
Phase 3
Fieldwork
Sampling Interviewing
amp Transaction Testing
Phase 4
Evaluation and Closing
Analyze Findings
Risks amp Close Out
Meeting
Phase 1
Audit Initiation
Planning
Education Kick-off
Meeting
Phase 5
Reporting
Critical issues
Observations and
Enhancement
Opportunities
Phase 2
Pre-fieldwork Scoping
Operational Assessment
amp Third Party
Intelligence Check
Project Management Office
Project Coordination Education Quality Assurance amp Reporting
29
1 Hundreds of business
partners exist and are
theoretically equal
opportunities
2 Qualitative and Quantitative factors
are considered to determine risk
ranking
3 Review options are determined
through a data-driven model
and comprehensive analysis
C
AB
D
E
F
HI
JG
CA B DHigh
Medium
Low
GE F
H I
Performed Simultaneously
TBD - Review
Options
1 Level 1
2 Level 2
3 Level 3
Business Partner SelectionComprehensive Risk Assessment
Continuous Monitoring Transaction Testing Data Analytics
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
Risk Assessments and Due Diligence
Risk Assessments and Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Risk Assessments and Due Diligence include:
Risk Assessments: Organizations should adopt a consistent definition of "ethics and compliance risks", which are existing or emerging threats to the organization (across all functional areas) related to potential legal, regulatory or policy non-compliance and unethical conduct – resulting in:
• Civil or criminal fines or penalties
• Reputational/brand damage
• Negative financial impact
• Negative operational impact
Risk Assessments: Organizations should develop, implement and periodically conduct a focused ethics and compliance risk assessment designed to (1) identify, (2) prioritize and (3) assign responsibility for managing ethics and compliance risks.
Risk Assessments: Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing, in a consistent manner across functions, geographies and business units, the ethics and compliance risks that are determined to be of top priority based on the results of the compliance risk assessment.
Risk Assessments: Organizations should take steps to integrate other risk assessment activities (e.g. enterprise risk management, fraud risk assessments and internal audit risk assessments) with their compliance risk assessments, so as to avoid duplicative risk assessment efforts and to maximize efficiencies.
Due Diligence: Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual whom the organization knows or should have known has engaged in illegal activities.
Due Diligence: Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition. This due diligence should include the evaluation of the target company's compliance program, employee training, third party relationships, etc.
Due Diligence: Organizations should incorporate acquired companies into their internal control structure and compliance program in a timely manner. Organizations should consider training new employees, re-evaluating third parties under the organization's standards and, as necessary, conducting audits on new business units.
Risk Assessments and Due Diligence
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk.
[Figure: residual ethics and compliance risk heat map; axes scaled 1 to 5]
Codes, Policies and Procedures
Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
• Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed around leading practice principles (detailed on the following slide).
• Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
• Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well-documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
• Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g. annually) and establish new policies or SOPs when necessary.
• Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
• Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
• Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
• Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
Codes, Policies and Procedures
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include: utilizing short declarative sentences; writing in the active voice versus the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that incorporates graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework: these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner that is consistent with the organization's ethics and compliance program
Auditing and Monitoring
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
• Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
  • General program audit: audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria
  • Risk assessment: audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners"
  • Code of conduct: audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically
  • Policies and procedures: audit to confirm that policies have been reviewed and updated periodically, with accurate version control
  • Training: audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited and (2) employees invited to complete training programs actually completed those programs
• Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
• Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1 - Define Framework: identify the audit universe and establish common risk assessment definitions.
Step 2 - Initial Analysis: perform an initial analysis of risk with input from the Company's executive/management team.
Step 3 - Meeting with Management: obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors, using methodology definitions and guidance.
Step 4 - Evaluate Assessment Results: evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5 - Design Internal Audit Plan: design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6 - Audit Committee Approval: present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
• Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
• Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
• Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
• Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
• Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
• Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
Third Party Due Diligence
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Due Diligence Screening / Background Checks
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make a go/no-go decision
High Risk Due Diligence
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Outcomes: APPROVE, APPROVE with CONTROLS, or NOT APPROVED. Collect all materials and document decisions.
Enhanced Due Diligence
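The three-band scoring on the Phase 4 slide (Low 0-49, Medium 50-79, High 80-100 points, with the Corruption Perception Index weighted 30 and the Business Partner Questionnaire weighted 20) and the tiered due diligence above fit together in one small scoring routine. The Python below is an added illustration, not TE Connectivity's or FTI Consulting's code: the two weights, the bands and the GDC/OSI/EDD renewal cadence come from the deck; the remaining factors that make the weights sum to 100 (compliance history, contract value, commission level), the way each raw input is normalized, the saturation points and the sample partners are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Weights in points (total 100). The CPI and BPQ weights are the Phase 4 values
# from the deck; the other three factors are assumed so the weights sum to 100.
WEIGHTS = {
    "cpi": 30,                 # Corruption Perception Index of operating geography
    "bpq": 20,                 # Business Partner Questionnaire responses
    "compliance_history": 20,  # assumed: past compliance failures
    "contract_value": 15,      # assumed: contractual value
    "commission": 15,          # assumed: excessive discounts / commissions
}
assert sum(WEIGHTS.values()) == 100

# Score bands from the deck: Low 0-49, Medium 50-79, High 80-100.
TIER_BANDS = (("Low", 0, 49), ("Medium", 50, 79), ("High", 80, 100))

# Frequency and scope of due diligence per tier, from the Phase 4 slide.
DUE_DILIGENCE = {
    "Low":    {"initial": "GDC", "renew_bpq_years": 3, "renewal_check": "GDC", "annual_training": False},
    "Medium": {"initial": "OSI", "renew_bpq_years": 3, "renewal_check": "OSI", "annual_training": False},
    "High":   {"initial": "EDD", "renew_bpq_years": 1, "renewal_check": "OSI",
               "edd_every_years": 6, "annual_training": True},
}


@dataclass
class Partner:
    name: str
    cpi: int                  # CPI of operating geography, 0 (most corrupt) to 100 (cleanest)
    bpq_adverse: float        # assumed encoding: fraction of adverse BPQ answers, 0.0 to 1.0
    prior_failures: int       # assumed: count of past compliance failures
    contract_value_usd: float
    commission_pct: float     # assumed: commission / discount rate granted to the partner


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def factor_scores(p: Partner) -> dict:
    """Normalize every factor to 0.0 (lowest risk) .. 1.0 (highest risk).
    The saturation points (3 failures, USD 5M, 25% commission) are assumptions."""
    return {
        "cpi": clamp01((100 - p.cpi) / 100),          # low CPI means high geographic risk
        "bpq": clamp01(p.bpq_adverse),
        "compliance_history": clamp01(p.prior_failures / 3),
        "contract_value": clamp01(p.contract_value_usd / 5_000_000),
        "commission": clamp01(p.commission_pct / 25),
    }


def risk_score(p: Partner) -> int:
    """Weighted score in points, 0..100."""
    fs = factor_scores(p)
    return round(sum(WEIGHTS[k] * fs[k] for k in WEIGHTS))


def tier(score: int) -> str:
    for name, lo, hi in TIER_BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score out of range: {score}")


def due_diligence_plan(p: Partner, red_flag: bool = False) -> dict:
    """Score the partner, assign the tier and return the required due diligence.
    Red flags may require further review through EDD or audit regardless of tier."""
    score = risk_score(p)
    t = tier(score)
    plan = {"partner": p.name, "score": score, "tier": t, **DUE_DILIGENCE[t]}
    if red_flag:
        plan["escalation"] = "EDD or audit"
    return plan


# Constructed sample partners (not real TE business partners).
SAMPLE_PARTNERS = {
    "low":    Partner("Partner-L", cpi=80, bpq_adverse=0.1, prior_failures=0,
                      contract_value_usd=600_000, commission_pct=5),
    "medium": Partner("Partner-M", cpi=40, bpq_adverse=0.5, prior_failures=1,
                      contract_value_usd=2_000_000, commission_pct=15),
    "high":   Partner("Partner-H", cpi=26, bpq_adverse=0.9, prior_failures=3,
                      contract_value_usd=6_000_000, commission_pct=30),
}

if __name__ == "__main__":
    for key, partner in SAMPLE_PARTNERS.items():
        print(due_diligence_plan(partner, red_flag=(key == "medium")))
```

The medium sample lands on 50 points, exactly at the Low/Medium boundary, which is the case worth testing when a scoring methodology is re-weighted as the slide proposes: moving 10 points from CPI to the BPQ changes which partners cross a band edge, and therefore which renewal cadence applies to them.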
ABAC Compliance Monitoring Leveraging Analytics
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization: Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations along with recommendations for enhancement
Phase 1 - Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 - Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 - Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 - Evaluation and Closing: Analyze Findings, Risks & Close Out Meeting
Phase 5 - Reporting: Critical Issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
Business Partner Selection
1. Hundreds of business partners exist and are theoretically equal opportunities (partners A through J in the diagram).
Comprehensive Risk Assessment
2. Qualitative and quantitative factors are considered to determine risk ranking (High, Medium, Low).
Continuous Monitoring: Transaction Testing and Data Analytics
3. Review options are determined through a data-driven model and comprehensive analysis. Review options (TBD): Level 1, Level 2, Level 3 - performed simultaneously.
Case Study – TE Connectivity Ltd
TE Connectivity Ltd – Overview
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
  • generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
  • champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
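The Phase 3 analytics described above (risk indicators mapped onto distributor datasets with SQL and Python, to surface the geographies, third parties and transactions that pose the greatest risk) can be sketched with a small example. The Python below is an added illustration, not TE Connectivity's or FTI Consulting's analytics: it takes two of the third-party attributes listed earlier in the deck (excessive discounts and commissions, operating geographies), computes them over a constructed set of distributor transactions, and ranks the distributors so the riskiest are reviewed first. The transactions, the CPI table and both thresholds are constructed for the example and are not real data.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: distributor sales for one year, grouped by business unit.
# Fields: (distributor, country, business_unit, invoice_usd, discount_pct, commission_pct)
TRANSACTIONS = [
    ("Dist-A", "DE", "Industrial", 120_000, 8.0, 3.0),
    ("Dist-A", "DE", "Industrial", 95_000, 9.0, 3.0),
    ("Dist-B", "BR", "Industrial", 80_000, 10.0, 4.0),
    ("Dist-B", "BR", "Industrial", 60_000, 11.0, 4.5),
    ("Dist-C", "NG", "Industrial", 150_000, 35.0, 12.0),
    ("Dist-C", "NG", "Industrial", 40_000, 38.0, 15.0),
    ("Dist-D", "US", "Industrial", 200_000, 7.0, 2.5),
    ("Dist-E", "US", "Medical", 300_000, 5.0, 2.0),
    ("Dist-F", "IN", "Medical", 90_000, 6.0, 2.5),
    ("Dist-G", "IN", "Medical", 70_000, 22.0, 9.0),
    ("Dist-H", "FR", "Medical", 110_000, 5.5, 2.0),
]

# Assumed Corruption Perception Index values (0 = most corrupt, 100 = cleanest).
# Constructed for the example, not Transparency International's published figures.
CPI = {"DE": 80, "US": 71, "FR": 69, "BR": 35, "IN": 41, "NG": 26}
CPI_HIGH_RISK_BELOW = 50   # assumed geography threshold
ROBUST_Z_THRESHOLD = 3.5   # assumed: flag partners this far above their business-unit peers


def per_distributor(txns):
    """Aggregate transactions per distributor: total value, value-weighted discount and commission."""
    agg = {}
    for dist, country, bu, amount, disc, comm in txns:
        a = agg.setdefault(dist, {"country": country, "bu": bu, "value": 0.0, "disc_w": 0.0, "comm_w": 0.0})
        a["value"] += amount
        a["disc_w"] += disc * amount
        a["comm_w"] += comm * amount
    for a in agg.values():
        a["discount"] = a["disc_w"] / a["value"]
        a["commission"] = a["comm_w"] / a["value"]
    return agg


def robust_z(values):
    """Modified z-scores based on median and MAD, so the outliers being hunted do not
    inflate the spread the way a mean/standard deviation would."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1e-9
    return [0.6745 * (v - med) / mad for v in values]


def flag_indicators(txns):
    """Return {distributor: [indicator, ...]} for excessive discount/commission and high-risk geography."""
    agg = per_distributor(txns)
    by_bu = defaultdict(list)          # compare peers within the same business unit
    for name, a in agg.items():
        by_bu[a["bu"]].append(name)
    flags = {name: [] for name in agg}
    for bu, names in by_bu.items():
        for metric in ("discount", "commission"):
            zs = robust_z([agg[n][metric] for n in names])
            for n, z in zip(names, zs):
                if z > ROBUST_Z_THRESHOLD:
                    flags[n].append(f"excessive {metric} vs {bu} peers (robust z={z:.1f})")
    for name, a in agg.items():
        cpi = CPI.get(a["country"], 0)  # unknown country is treated as high risk
        if cpi < CPI_HIGH_RISK_BELOW:
            flags[name].append(f"high-risk geography {a['country']} (CPI {cpi})")
    return flags


def rank_distributors(txns):
    """Order distributors by indicator count, then by total value (largest exposure first)."""
    agg = per_distributor(txns)
    flags = flag_indicators(txns)
    return sorted(agg, key=lambda n: (-len(flags[n]), -agg[n]["value"]))


if __name__ == "__main__":
    flags = flag_indicators(TRANSACTIONS)
    for name in rank_distributors(TRANSACTIONS):
        print(name, flags[name])
```

Comparing each distributor against peers in its own business unit matters: discount norms differ between product lines, and a global threshold would either miss the Medical outlier or flag every Industrial distributor. The indicator list per distributor is what a dashboard of the kind described on the slide would display, and the ranking is the order in which compliance would sample transactions for testing.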
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
14
Risk Assessments and Due Diligence
Risk Assessments Organizations should develop enterprise-wide risk mitigation methodologies and strategies for managing in a consistent manner
across functions geographies and business units ethics and compliance risks that are determined to be of top priority based on the results of the
compliance risk assessment
Risk Assessments Organizations should take steps to integrate other risk assessment activities (eg enterprise risk management fraud risk
assessments and internal audit risk assessments) with their compliance risk assessments so as to avoid duplicative risk assessment efforts and to
maximize efficiencies
Due Diligence Organizations should conduct additional due diligence on personnel possessing substantial authority and identify any individual
whom the organization knows or should have known has engaged in illegal activities
Due Diligence Organizations should conduct comprehensive due diligence on any current or potential targets of a merger or acquisition This due
diligence should include the evaluation of the target companys compliance program employee training third party relationships etc
Due Diligence Organizations should incorporate acquired companies into its internal control structure and compliance program in a timely manner
Organizations should consider training new employees re-evaluating third parties under the organizations standards and as necessary conduct
audits on new business units
Some leading practices that organizations with mature compliance programs find to be effective in the
area of Risk Assessments and Due Diligence include
Risk Assessments Organizations should take a consistent definition of ethics and compliance
risksrdquo which are existing or emerging threats to the organization (across all functional areas) related
to potential legal regulatory or policy non-compliance and unethical conduct ndash resulting in
Civil or criminal fines or penalties
Reputational brand damage
Negative financial impact
Negative operational impact
Risk Assessments Organizations should develop implement and periodically conduct a
focused ethics and compliance risk assessment designed to (1) identify (2) prioritize and (3)
assign responsibility for managing ethics and compliance risks
15
Risk Assessments and Due Diligence
1
5
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk
Codes Policies and Procedures
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs
find to be effective in the area of Codes Policies and Procedures include
Organizations should develop comprehensive codes of conduct that serve as the
centerpiece of the ethics and compliance program Codes of conduct should be
designed leading practice principles (detailed on the following slide)
Organizations should have policies and procedures regarding the creation and
maintenance of resources that serve as guidance for personnel when they need advice
about ethics and compliance
Organizations should establish compliance-related risk management controls that are
designed implemented and maintained in a consistent manner across the
organization Controls should be well-documented and technology should be leveraged
to help maximize compliance promote efficiency and reduce costs
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard
operating procedures (ldquoSOPsrdquo) on a periodic basis (eg annually) and establish new policies or SOPs when necessary
Organizations should implement procedures such that personnel will not suffer retaliation discrimination or disciplinary action for
refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs or for raising concerns on
the basis of a reasonable belief of actual or suspected noncompliance
Organizations should ensure policies are clearly articulated concise visible and accessible to all employees and those conducting
business on the companyrsquos behalf
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local
operation
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed
18
Organizations should develop codes policies and procedures in line with the following
principles
Values-based
Risk-based covering the waterfront of ethics and compliance risks
Promotes the minimum standards requirements and expectations that apply
everywhere the organization operates
Use of plain-language writing principles which include
bull utilizing short declarative sentences writing in the active voice versus the
passive voice incorporating bullet points to deliver user-friendliness and improve
reading comprehension designing pages in a way that incorporates graphics
photos and images content and white space and incorporating FAQs to further
employee understanding
bull Built on an ethical framework these documents contain guidance for employees
to help employees spot issues and resolve ethical dilemmas
bull Utilizing a branding layout and design that engages employees is easy to
navigate and is branded in a manner that is consistent with the organizations
ethics and compliance program
Codes Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
21
Auditing and Monitoring
Define Framework
Initial Analysis
Meeting with Management
Evaluate Assessment
Results
Design Internal Audit
Plan
Audit Committee Approval
The compliance auditing and monitoring program strategy can be broken down into the following steps
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Companys executivemanagement team
Step 3 Meeting with Management - Obtain input from key risk assessment participants includingmembers of executive and senior management and process owners in order to rank risks accordingto established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participantsand calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlateseffort and internal audit frequency with the assessment results based on severity of perceived risk
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review andapproval making any updates as necessary
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find
to be effective in the area of Third Party Risk Management include
Organizations should develop and implement comprehensive due diligence
vetting and screening processes related to the potential third parties (eg
suppliers agents contractors business partners etc) with which the
organization may potentially partner so as to identify and manage relevant
compliance risks (eg Bribery and Corruption Information Security Product
Quality etc)
Organizations should develop and implement a comprehensive process by
which a determination can be made of when and to what extent to involve
third parties in business activities The organization should assign
responsibility for these decisions to personnel with the appropriate skills and
knowledge The third partys role and access to organizational information
should be contractually and clearly defined
Organizations should have a set of standards and expectations (eg A Third Party Code of Conduct) with which
suppliers are expected to comply
Organizations should inform third parties of the organizationrsquos ethics and compliance program and the commitment to
ethical and lawful business practices and expect the same of third parties
Organizations should ensure that third-party personnel are aware of and comply with the companys ethics and
compliance programs and the companys commitment to ethical and lawful business practices
Organizations should take steps to confirm that agents and business partners have been apprised of the
organizations policies and procedures and expectations to conduct business in an ethical manner
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
Due Diligence, Screening and Background Checks (Enhanced Due Diligence)

Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch-list checks
3. Negative news searching
4. Not reviewed by compliance personnel

Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open source investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make a go/no-go decision

High Risk Due Diligence
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources

Possible outcomes: APPROVE, APPROVE with CONTROLS, NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring Leveraging Analytics

Compliance Monitoring Overview
Third-party partner compliance monitoring

[Figure: engagement model with the Organization at the center, surrounded by: Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing]

1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements.
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization.
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality.
4. Full results reporting of identified risks and observations, along with recommendations for enhancement.

Phase 1: Audit Initiation (Planning, Education, Kick-off Meeting)
Phase 2: Pre-fieldwork Scoping (Operational Assessment & Third Party Intelligence Check)
Phase 3: Fieldwork (Sampling, Interviewing & Transaction Testing)
Phase 4: Evaluation and Closing (Analyze Findings, Risks & Close-Out Meeting)
Phase 5: Reporting (Critical Issues, Observations and Enhancement Opportunities)
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
Business Partner Selection / Comprehensive Risk Assessment
1. Hundreds of business partners exist and are theoretically equal opportunities.
2. Qualitative and quantitative factors are considered to determine risk ranking.
3. Review options are determined through a data-driven model and comprehensive analysis.

[Figure: business partners A through J, first shown as an undifferentiated set, then ranked by the model as High (C, A, B, D), Medium (G, E, F) and Low (H, I). Review options, performed simultaneously: TBD - Level 1, Level 2, Level 3]

Continuous Monitoring: Transaction Testing, Data Analytics
Case Study – TE Connectivity Ltd

TE Connectivity Ltd – Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high-risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High Risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC). Renew/update BPQ every 3 years with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI). Renew/update BPQ every 3 years with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration
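The scoring bands and the tiered due diligence cadence above are a small risk-tiering algorithm, and the weight change (CPI 40 to 30, BPQ 10 to 20) is easiest to understand by watching which partners move between tiers. The Python below is an added worked example, not code from the presentation or from TE's actual methodology. Only the CPI and BPQ weights and the 0-49 / 50-79 / 80-100 bands come from the slide; the other three factors and their point values, the fail-closed treatment of missing factors, and all partner records are assumptions constructed for the illustration.

```python
"""Business-partner risk tiering, modelled on the Phase 4 slide (added example).

Bands from the slide: Low 0-49, Medium 50-79, High 80-100.
Weights: only "cpi" (40 -> 30) and "bpq" (10 -> 20) appear on the slide; the
other factors and their points are ASSUMED so the weights sum to 100.
"""
from typing import Dict, List, Optional, Tuple

# Points out of 100 per factor. "cpi" and "bpq" are from the slide; the rest are assumptions.
CURRENT_WEIGHTS: Dict[str, int] = {
    "cpi": 40,                       # Corruption Perception Index of operating geography
    "bpq": 10,                       # responses on the Business Partner Questionnaire
    "discounts_commissions": 20,     # assumed factor (listed as a risk attribute on slide 24)
    "past_compliance_failures": 15,  # assumed factor
    "contract_value_duration": 15,   # assumed factor
}
PROPOSED_WEIGHTS: Dict[str, int] = dict(CURRENT_WEIGHTS, cpi=30, bpq=20)

# Due diligence and renewal cadence per tier, as stated on the slide.
DUE_DILIGENCE_PLAN: Dict[str, Dict[str, object]] = {
    "Low":    {"initial": "GDC", "bpq_renewal_years": 3, "renewal_check": "GDC", "edd_cycle_years": None, "annual_training": False},
    "Medium": {"initial": "OSI", "bpq_renewal_years": 3, "renewal_check": "OSI", "edd_cycle_years": None, "annual_training": False},
    "High":   {"initial": "EDD", "bpq_renewal_years": 1, "renewal_check": "OSI", "edd_cycle_years": 6, "annual_training": True},
}


def risk_score(factors: Dict[str, float], weights: Dict[str, int]) -> int:
    """Weighted 0-100 score; each factor is a 0.0-1.0 fraction of its points.

    A factor absent from the record scores 1.0: an unanswered questionnaire or an
    unknown geography is treated as maximum risk (fail closed; assumption of this example).
    """
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100 points")
    total = 0.0
    for name, points in weights.items():
        value = factors.get(name, 1.0)
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be within [0, 1], got {value}")
        total += points * value
    return int(round(total))


def risk_level(score: int) -> str:
    """Map a score onto the slide's three bands."""
    if not 0 <= score <= 100:
        raise ValueError("score must be within 0-100")
    if score <= 49:
        return "Low"
    if score <= 79:
        return "Medium"
    return "High"


def due_diligence_plan(level: str, red_flag: bool = False) -> Dict[str, object]:
    """Checks required for a tier; a red flag escalates to EDD or audit."""
    plan = dict(DUE_DILIGENCE_PLAN[level])
    plan["annual_declaration"] = True  # required for every in-scope active partner
    plan["escalation"] = "EDD or audit" if red_flag else None
    return plan


def bpq_renewal_due(level: str, last_bpq_year: int, current_year: int) -> bool:
    """True once the tier's BPQ renewal interval has elapsed."""
    interval = DUE_DILIGENCE_PLAN[level]["bpq_renewal_years"]
    return current_year - last_bpq_year >= int(interval)  # type: ignore[arg-type]


def tier_changes(partners: Dict[str, Dict[str, float]],
                 old_weights: Dict[str, int],
                 new_weights: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Partners whose tier changes when the weighting is adjusted."""
    changes = []
    for name, factors in partners.items():
        before = risk_level(risk_score(factors, old_weights))
        after = risk_level(risk_score(factors, new_weights))
        if before != after:
            changes.append((name, before, after))
    return changes


# Constructed sample partners (not real TE data).
SAMPLE_PARTNERS: Dict[str, Dict[str, float]] = {
    # High-CPI geography, clean questionnaire: drops a tier under the proposal.
    "Distributor-A": {"cpi": 1.0, "bpq": 0.0, "discounts_commissions": 0.2, "past_compliance_failures": 0.2, "contract_value_duration": 0.2},
    # Low-CPI geography, adverse BPQ answers: rises a tier under the proposal.
    "Agent-B": {"cpi": 0.2, "bpq": 1.0, "discounts_commissions": 0.6, "past_compliance_failures": 0.4, "contract_value_duration": 0.6},
    # Adverse on every factor: High under both weightings.
    "Reseller-C": {"cpi": 0.9, "bpq": 0.9, "discounts_commissions": 0.8, "past_compliance_failures": 0.7, "contract_value_duration": 0.9},
    # No BPQ on file: fail-closed scoring treats the questionnaire as fully adverse.
    "Supplier-D": {"cpi": 0.1, "discounts_commissions": 0.1, "past_compliance_failures": 0.0, "contract_value_duration": 0.2},
}

if __name__ == "__main__":
    for name, factors in SAMPLE_PARTNERS.items():
        score = risk_score(factors, PROPOSED_WEIGHTS)
        print(f"{name:14s} score={score:3d} level={risk_level(score)} plan={due_diligence_plan(risk_level(score))['initial']}")
    print("tier changes (current -> proposed):", tier_changes(SAMPLE_PARTNERS, CURRENT_WEIGHTS, PROPOSED_WEIGHTS))
```

Run stand-alone, the script shows the effect the slide is after: Distributor-A, whose risk came almost entirely from its operating geography, falls from Medium to Low, while Agent-B, whose questionnaire answers were adverse, rises from Low to Medium and therefore moves from a GDC to an OSI on initial review. Treating a missing BPQ as maximum risk is a deliberate fail-closed choice so that a partner cannot land in the Low tier simply by not returning the questionnaire.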
Questions and Discussion

TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App. Not using the conference app? Visit iccnf.io to complete your session evaluations.
Risk Assessments and Due Diligence
The image below is an example of a risk assessment heat map that displays residual ethics and compliance risk.
[Figure: risk assessment heat map of residual ethics and compliance risk; axis values not recoverable]
Codes, Policies and Procedures

Codes, Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs find to be effective in the area of Codes, Policies and Procedures include:
• Organizations should develop comprehensive codes of conduct that serve as the centerpiece of the ethics and compliance program. Codes of conduct should be designed around leading practice principles (detailed on the following slide).
• Organizations should have policies and procedures regarding the creation and maintenance of resources that serve as guidance for personnel when they need advice about ethics and compliance.
• Organizations should establish compliance-related risk management controls that are designed, implemented and maintained in a consistent manner across the organization. Controls should be well documented, and technology should be leveraged to help maximize compliance, promote efficiency and reduce costs.
• Organizations should have a process whereby compliance policy owners review and update compliance policies and standard operating procedures ("SOPs") on a periodic basis (e.g. annually) and establish new policies or SOPs when necessary.
• Organizations should implement procedures such that personnel will not suffer retaliation, discrimination or disciplinary action for refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs, or for raising concerns on the basis of a reasonable belief of actual or suspected noncompliance.
• Organizations should ensure policies are clearly articulated, concise, visible and accessible to all employees and those conducting business on the company's behalf.
• Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local operation.
• Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed.
Codes, Policies and Procedures
Organizations should develop codes, policies and procedures in line with the following principles:
• Values-based
• Risk-based, covering the waterfront of ethics and compliance risks
• Promotes the minimum standards, requirements and expectations that apply everywhere the organization operates
• Use of plain-language writing principles, which include: utilizing short, declarative sentences; writing in the active voice rather than the passive voice; incorporating bullet points to deliver user-friendliness and improve reading comprehension; designing pages in a way that balances graphics, photos and images, content and white space; and incorporating FAQs to further employee understanding
• Built on an ethical framework: these documents contain guidance to help employees spot issues and resolve ethical dilemmas
• Utilizing a branding, layout and design that engages employees, is easy to navigate and is branded in a manner consistent with the organization's ethics and compliance program
Auditing and Monitoring

Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be effective in the area of Auditing and Monitoring include:
• Organizations should conduct internal audits with regard to key aspects of the organization's compliance program. Specific areas of potential audit include:
  • General program audit: audit to confirm that the compliance program contains essential programmatic elements as outlined in the US Federal Sentencing Guidelines, key regulations and other evaluative criteria.
  • Risk assessment: audit to confirm that the organization has conducted a compliance risk assessment and to confirm that top risks have associated action plans and "owners".
  • Code of conduct: audit to confirm that the code addresses all salient risk areas and that the code is reviewed and updated periodically.
  • Policies and procedures: audit to confirm that policies have been reviewed and updated periodically, with accurate version control.
  • Training: audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact invited, and (2) employees invited to complete training programs actually completed those programs.
• Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations set forth by the organization's own documentation, which defines the compliance program, and whether the program is effectively implemented and maintained.
• Organizations should conduct audits that are reasonable, proportionate and risk-based. Such audits should consist of internal audit procedures, controls and systems that cover the full waterfront of compliance risks that the organization might face. Additionally, organizations should review and test controls across all risk areas in order to analyze potential opportunities for improvement.
Auditing and Monitoring
The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1: Define Framework - Identify the audit universe and establish common risk assessment definitions.
Step 2: Initial Analysis - Perform an initial analysis of risk with input from the Company's executive/management team.
Step 3: Meeting with Management - Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors using methodology definitions and guidance.
Step 4: Evaluate Assessment Results - Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5: Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlates effort and internal audit frequency with the assessment results, based on severity of perceived risk.
Step 6: Audit Committee Approval - Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence

Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
• Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
• Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
• Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
• Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
• Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
• Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
Codes Policies and Procedures
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs
find to be effective in the area of Codes Policies and Procedures include
Organizations should develop comprehensive codes of conduct that serve as the
centerpiece of the ethics and compliance program Codes of conduct should be
designed leading practice principles (detailed on the following slide)
Organizations should have policies and procedures regarding the creation and
maintenance of resources that serve as guidance for personnel when they need advice
about ethics and compliance
Organizations should establish compliance-related risk management controls that are
designed implemented and maintained in a consistent manner across the
organization Controls should be well-documented and technology should be leveraged
to help maximize compliance promote efficiency and reduce costs
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard
operating procedures (ldquoSOPsrdquo) on a periodic basis (eg annually) and establish new policies or SOPs when necessary
Organizations should implement procedures such that personnel will not suffer retaliation discrimination or disciplinary action for
refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs or for raising concerns on
the basis of a reasonable belief of actual or suspected noncompliance
Organizations should ensure policies are clearly articulated concise visible and accessible to all employees and those conducting
business on the companyrsquos behalf
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local
operation
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed
18
Organizations should develop codes policies and procedures in line with the following
principles
Values-based
Risk-based covering the waterfront of ethics and compliance risks
Promotes the minimum standards requirements and expectations that apply
everywhere the organization operates
Use of plain-language writing principles which include
bull utilizing short declarative sentences writing in the active voice versus the
passive voice incorporating bullet points to deliver user-friendliness and improve
reading comprehension designing pages in a way that incorporates graphics
photos and images content and white space and incorporating FAQs to further
employee understanding
bull Built on an ethical framework these documents contain guidance for employees
to help employees spot issues and resolve ethical dilemmas
bull Utilizing a branding layout and design that engages employees is easy to
navigate and is branded in a manner that is consistent with the organizations
ethics and compliance program
Codes Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
21
Auditing and Monitoring
Define Framework
Initial Analysis
Meeting with Management
Evaluate Assessment
Results
Design Internal Audit
Plan
Audit Committee Approval
The compliance auditing and monitoring program strategy can be broken down into the following steps
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Companys executivemanagement team
Step 3 Meeting with Management - Obtain input from key risk assessment participants includingmembers of executive and senior management and process owners in order to rank risks accordingto established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participantsand calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlateseffort and internal audit frequency with the assessment results based on severity of perceived risk
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review andapproval making any updates as necessary
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
Organizations should develop and implement comprehensive due diligence, vetting and screening processes for the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
Organizations should develop and implement a comprehensive process by which a determination can be made of when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and its access to organizational information should be clearly defined in the contract.
Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
Organizations should inform third parties of the organization's ethics and compliance program and its commitment to ethical and lawful business practices, and expect the same of third parties.
Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance program and the company's commitment to ethical and lawful business practices.
Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and of its expectation that they conduct business in an ethical manner.
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tier-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
Third Party Due Diligence
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Due Diligence, Screening, Background Checks
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks, PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make a go/no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks, PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Outcome of each review: APPROVE, APPROVE with CONTROLS, or NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring Leveraging Analytics
Compliance Monitoring Overview
Third-party partner compliance monitoring, centered on the organization:
• Local response team and single point of contact
• Global reach with subject matter expertise
• Committed business advisor
• High-quality services at cost-efficient pricing
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements.
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization.
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality.
4. Full results reporting of identified risks and observations, along with recommendations for enhancement.
Monitoring phases:
Phase 1 - Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 - Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 - Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 - Evaluation and Closing: Analyze Findings, Risks & Close Out Meeting
Phase 5 - Reporting: Critical Issues, Observations and Enhancement Opportunities
Project Management Office (across all phases): Project Coordination, Education, Quality Assurance & Reporting
Business Partner Selection: Comprehensive Risk Assessment, then Continuous Monitoring, Transaction Testing and Data Analytics (performed simultaneously)
1. Hundreds of business partners exist and are theoretically equal opportunities.
2. Qualitative and quantitative factors are considered to determine the risk ranking (High / Medium / Low).
3. Review options (Level 1, Level 2, Level 3) are determined through a data-driven model and comprehensive analysis.
Case Study - TE Connectivity Ltd
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program...
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where...
  • Ethics and Compliance is central to the way business is conducted,
  • there is a positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team...
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to the current risk scoring methodology: assign lower weight to the Corruption Perceptions Index (from 40 to 30); assign higher weight to responses on the Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: initial Global Database Check (GDC); renew/update BPQ every 3 years, with GDC performed
  • Medium Risk: initial Open Source Investigation (OSI); renew/update BPQ every 3 years, with OSI performed
  • High Risk: initial Enhanced Due Diligence (EDD); renew BPQ annually, with OSI performed upon renewal, except that EDD is conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners - can accompany the annual Declaration
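The slides describe three pieces that fit together: the third-party risk attributes (excessive discounts and commissions, operating geographies, past compliance failures), the full-population analytics that rank distributors and transactions, and the Phase 4 scoring bands with their tier-to-due-diligence mapping. The following is an added example written for this page, not TE's or FTI's model, showing how those pieces combine into one scoring routine run over the whole partner population. Taken from the slides: the bands (Low 0-49, Medium 50-79, High 80-100), the Corruption Perceptions Index weight of 30 and BPQ weight of 20, the GDC/OSI/EDD mapping and the renewal cadence. Assumed for the example: how the remaining 50 points are split across discount, commission and compliance-history indicators, the "excessive" rule (more than 1.5x the population median), the CPI values, and the constructed partner and transaction records.

```python
"""Business partner risk scoring and due diligence tiering (illustrative, not TE's or FTI's code)."""
from dataclasses import dataclass
from statistics import median

# Assumed CPI scores (0 = most corrupt, 100 = cleanest); not from the slides.
CPI = {"DE": 80, "US": 69, "BR": 35, "NG": 25}

# Weights sum to 100. "cpi" (30) and "bpq" (20) are the slide values; the rest are assumed.
WEIGHTS = {"cpi": 30, "bpq": 20, "discount": 15, "commission": 15, "history": 20}

# Tier -> initial due diligence and BPQ renewal interval in years, from the slides.
DUE_DILIGENCE = {"Low": "GDC", "Medium": "OSI", "High": "EDD"}
RENEWAL_YEARS = {"Low": 3, "Medium": 3, "High": 1}


@dataclass
class Partner:
    name: str
    country: str
    bpq_red_flags: int            # adverse BPQ answers, assumed 0-5 scale
    past_compliance_failures: int


@dataclass
class Transaction:
    partner: str
    discount_pct: float
    commission_pct: float


def cpi_component(country: str) -> float:
    """Lower CPI means higher risk; an unknown country is treated as worst case."""
    return WEIGHTS["cpi"] * (100 - CPI.get(country, 0)) / 100


def bpq_component(red_flags: int) -> float:
    return WEIGHTS["bpq"] * min(red_flags, 5) / 5


def excess_component(own: list, peers: list, weight: int, ratio: float = 1.5) -> float:
    """Share of the partner's transactions above ratio x the peer-population median.

    The baseline is the whole population, i.e. 100% of the data rather than a sample,
    so one partner's outliers are judged against everyone else's terms.
    """
    if not own:
        return 0.0
    threshold = ratio * median(peers)
    return weight * sum(1 for v in own if v > threshold) / len(own)


def history_component(failures: int) -> float:
    return WEIGHTS["history"] * min(failures, 2) / 2


def tier(score: float) -> str:
    """Slide bands: 0-49 Low, 50-79 Medium, 80-100 High."""
    if score >= 80:
        return "High"
    if score >= 50:
        return "Medium"
    return "Low"


def renewal_due(risk_tier: str, years_since_last_bpq: int) -> bool:
    return years_since_last_bpq >= RENEWAL_YEARS[risk_tier]


def score_partners(partners: list, transactions: list) -> dict:
    all_disc = [t.discount_pct for t in transactions]
    all_comm = [t.commission_pct for t in transactions]
    out = {}
    for p in partners:
        own = [t for t in transactions if t.partner == p.name]
        score = (cpi_component(p.country)
                 + bpq_component(p.bpq_red_flags)
                 + excess_component([t.discount_pct for t in own], all_disc, WEIGHTS["discount"])
                 + excess_component([t.commission_pct for t in own], all_comm, WEIGHTS["commission"])
                 + history_component(p.past_compliance_failures))
        score = round(min(score, 100.0), 1)
        t = tier(score)
        out[p.name] = {"score": score, "tier": t, "due_diligence": DUE_DILIGENCE[t]}
    return out


# Constructed sample population (fictional names and figures).
PARTNERS = [
    Partner("Alpha Distribution", "DE", bpq_red_flags=0, past_compliance_failures=0),
    Partner("Beta Agencies", "BR", bpq_red_flags=3, past_compliance_failures=1),
    Partner("Gamma Trading", "NG", bpq_red_flags=5, past_compliance_failures=2),
]
TRANSACTIONS = [
    Transaction("Alpha Distribution", 10, 5), Transaction("Alpha Distribution", 12, 5),
    Transaction("Alpha Distribution", 9, 4),
    Transaction("Beta Agencies", 15, 6), Transaction("Beta Agencies", 30, 12),
    Transaction("Beta Agencies", 11, 5),
    Transaction("Gamma Trading", 35, 15), Transaction("Gamma Trading", 40, 20),
    Transaction("Gamma Trading", 12, 6),
]

if __name__ == "__main__":
    for name, r in score_partners(PARTNERS, TRANSACTIONS).items():
        print(f"{name:20} score={r['score']:5}  tier={r['tier']:6}  initial DD={r['due_diligence']}")
```

With the constructed data, Alpha scores 6.0 (Low, GDC), Beta 51.5 (Medium, OSI) and Gamma 82.5 (High, EDD). The point of keeping each indicator as a separate component is that a reviewer can see which attribute drove a partner over a band boundary, which is what a dashboard built on the same logic would surface; the band thresholds and weights are the single place to change when the methodology is recalibrated, as the Phase 4 proposal does for CPI and BPQ.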
Questions and Discussion
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App.
Not using the conference app? Visit iccnfio to complete your session evaluations.
17
Codes Policies and Procedures
Some leading practices that organizations with mature ethics and compliance programs
find to be effective in the area of Codes Policies and Procedures include
Organizations should develop comprehensive codes of conduct that serve as the
centerpiece of the ethics and compliance program Codes of conduct should be
designed leading practice principles (detailed on the following slide)
Organizations should have policies and procedures regarding the creation and
maintenance of resources that serve as guidance for personnel when they need advice
about ethics and compliance
Organizations should establish compliance-related risk management controls that are
designed implemented and maintained in a consistent manner across the
organization Controls should be well-documented and technology should be leveraged
to help maximize compliance promote efficiency and reduce costs
Organizations should have a process whereby compliance policy owners review and update compliance policies and standard
operating procedures (ldquoSOPsrdquo) on a periodic basis (eg annually) and establish new policies or SOPs when necessary
Organizations should implement procedures such that personnel will not suffer retaliation discrimination or disciplinary action for
refusing to participate in activities that pose a risk of noncompliance with ethics and compliance programs or for raising concerns on
the basis of a reasonable belief of actual or suspected noncompliance
Organizations should ensure policies are clearly articulated concise visible and accessible to all employees and those conducting
business on the companyrsquos behalf
Organizations should translate policies into relevant languages and tailor the policies to the unique cultural environment of the local
operation
Organizations should make certain that policies and procedures remain current and effective and are periodically reviewed
18
Organizations should develop codes policies and procedures in line with the following
principles
Values-based
Risk-based covering the waterfront of ethics and compliance risks
Promotes the minimum standards requirements and expectations that apply
everywhere the organization operates
Use of plain-language writing principles which include
bull utilizing short declarative sentences writing in the active voice versus the
passive voice incorporating bullet points to deliver user-friendliness and improve
reading comprehension designing pages in a way that incorporates graphics
photos and images content and white space and incorporating FAQs to further
employee understanding
bull Built on an ethical framework these documents contain guidance for employees
to help employees spot issues and resolve ethical dilemmas
bull Utilizing a branding layout and design that engages employees is easy to
navigate and is branded in a manner that is consistent with the organizations
ethics and compliance program
Codes Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
21
Auditing and Monitoring
Define Framework
Initial Analysis
Meeting with Management
Evaluate Assessment
Results
Design Internal Audit
Plan
Audit Committee Approval
The compliance auditing and monitoring program strategy can be broken down into the following steps
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Companys executivemanagement team
Step 3 Meeting with Management - Obtain input from key risk assessment participants includingmembers of executive and senior management and process owners in order to rank risks accordingto established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participantsand calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlateseffort and internal audit frequency with the assessment results based on severity of perceived risk
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review andapproval making any updates as necessary
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find
to be effective in the area of Third Party Risk Management include
Organizations should develop and implement comprehensive due diligence
vetting and screening processes related to the potential third parties (eg
suppliers agents contractors business partners etc) with which the
organization may potentially partner so as to identify and manage relevant
compliance risks (eg Bribery and Corruption Information Security Product
Quality etc)
Organizations should develop and implement a comprehensive process by
which a determination can be made of when and to what extent to involve
third parties in business activities The organization should assign
responsibility for these decisions to personnel with the appropriate skills and
knowledge The third partys role and access to organizational information
should be contractually and clearly defined
Organizations should have a set of standards and expectations (eg A Third Party Code of Conduct) with which
suppliers are expected to comply
Organizations should inform third parties of the organizationrsquos ethics and compliance program and the commitment to
ethical and lawful business practices and expect the same of third parties
Organizations should ensure that third-party personnel are aware of and comply with the companys ethics and
compliance programs and the companys commitment to ethical and lawful business practices
Organizations should take steps to confirm that agents and business partners have been apprised of the
organizations policies and procedures and expectations to conduct business in an ethical manner
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
26
Low Risk Due Diligence
1 Published penalties convictions
2 PEP Screening and Watch list Checks
3 Negative News Searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open Source Investigation by a due
diligence provider on both the
organization and key employeesowners
4 Results reviewed by compliance
personnel to make gono-go decision
High Risk Due Diligence
1 Low and Medium Risk Checks PLUS
2 Audit and Review Financials
3 Interview references political and
business associates
4 Field Investigative background reports
using local data sources
APPROVE
APPROVE with CONTROLS
NOT APPROVED
Collect all
Materials and
Document
Decisions
Enhanced
Due
Diligence
Due Diligence Screening Background Checks
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization
Local Response
Team and Single
Point of Contact
Global
Reach with
Subject
Matter
Expertise
Committed
Business
Advisor
High-Quality
Services at Cost-
Efficient Pricing
1Collaborative process involving clear identification of scope and early development of a risk
focused execution strategy to fit an organizations requirements
2Innovative approaches use anti-briberyanti-corruption compliance analytics and visualizations
models focused on assessing 100 of a data population to identify the transactions that pose the
greatest risk to an organization
3Clear and constant communication to ensure focused execution while delivering in an efficient
manner with consistent quality
4 Full results reporting of identified risks and observations along with recommendations for
enhancement
Phase 3
Fieldwork
Sampling Interviewing
amp Transaction Testing
Phase 4
Evaluation and Closing
Analyze Findings
Risks amp Close Out
Meeting
Phase 1
Audit Initiation
Planning
Education Kick-off
Meeting
Phase 5
Reporting
Critical issues
Observations and
Enhancement
Opportunities
Phase 2
Pre-fieldwork Scoping
Operational Assessment
amp Third Party
Intelligence Check
Project Management Office
Project Coordination Education Quality Assurance amp Reporting
29
1 Hundreds of business
partners exist and are
theoretically equal
opportunities
2 Qualitative and Quantitative factors
are considered to determine risk
ranking
3 Review options are determined
through a data-driven model
and comprehensive analysis
C
AB
D
E
F
HI
JG
CA B DHigh
Medium
Low
GE F
H I
Performed Simultaneously
TBD - Review
Options
1 Level 1
2 Level 2
3 Level 3
Business Partner SelectionComprehensive Risk Assessment
Continuous Monitoring Transaction Testing Data Analytics
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
18
Organizations should develop codes policies and procedures in line with the following
principles
Values-based
Risk-based covering the waterfront of ethics and compliance risks
Promotes the minimum standards requirements and expectations that apply
everywhere the organization operates
Use of plain-language writing principles which include
bull utilizing short declarative sentences writing in the active voice versus the
passive voice incorporating bullet points to deliver user-friendliness and improve
reading comprehension designing pages in a way that incorporates graphics
photos and images content and white space and incorporating FAQs to further
employee understanding
bull Built on an ethical framework these documents contain guidance for employees
to help employees spot issues and resolve ethical dilemmas
bull Utilizing a branding layout and design that engages employees is easy to
navigate and is branded in a manner that is consistent with the organizations
ethics and compliance program
Codes Policies and Procedures
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
21
Auditing and Monitoring
[Flow diagram, six steps in sequence: Define Framework; Initial Analysis; Meeting with Management; Evaluate Assessment Results; Design Internal Audit Plan; Audit Committee Approval.]

The compliance auditing and monitoring program strategy can be broken down into the following steps:
Step 1: Define Framework - Identify the audit universe and establish common risk assessment definitions.
Step 2: Initial Analysis - Perform an initial analysis of risk with input from the Company's executive management team.
Step 3: Meeting with Management - Obtain input from key risk assessment participants, including members of executive and senior management and process owners, in order to rank risks according to established inherent and residual risk factors, using the methodology definitions and guidance.
Step 4: Evaluate Assessment Results - Evaluate the collective results from risk assessment participants and calibrate ratings for both inherent and residual risk.
Step 5: Design Internal Audit Plan - Design a proposed go-forward internal audit plan that correlates effort and internal audit frequency with the assessment results, based on the severity of perceived risk.
Step 6: Audit Committee Approval - Present the internal audit plan to the Audit Committee for review and approval, making any updates as necessary.
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:

Organizations should develop and implement comprehensive due diligence, vetting and screening processes for the potential third parties (e.g. suppliers, agents, contractors, business partners) with which the organization may partner, so as to identify and manage the relevant compliance risks (e.g. bribery and corruption, information security, product quality).

Organizations should develop and implement a comprehensive process for determining when, and to what extent, to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and its access to organizational information should be clearly and contractually defined.

Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.

Organizations should inform third parties of the organization's ethics and compliance program and its commitment to ethical and lawful business practices, and expect the same of third parties.

Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.

Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and of the expectation that they conduct business in an ethical manner.
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization

Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
Third Party Due Diligence
Due Diligence Screening and Background Checks, tiered by risk level:

Low Risk Due Diligence
1. Published penalties and convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel

Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make a go/no-go decision

High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources

Possible outcomes at each level: APPROVE, APPROVE with CONTROLS, or NOT APPROVED. In every case, collect all materials and document the decisions.
ABAC Compliance Monitoring: Leveraging Analytics
Compliance Monitoring Overview
Third-party partner compliance monitoring
[Diagram: the monitoring organization combines a local response team and single point of contact, global reach with subject matter expertise, a committed business advisor, and high-quality services at cost-efficient pricing.]

1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements.
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization.
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality.
4. Full results reporting of identified risks and observations, along with recommendations for enhancement.

Phases of a third-party compliance monitoring engagement:
Phase 1, Audit Initiation: planning, education, kick-off meeting
Phase 2, Pre-fieldwork Scoping: operational assessment and third party intelligence check
Phase 3, Fieldwork: sampling, interviewing and transaction testing
Phase 4, Evaluation and Closing: analyze findings and risks, close-out meeting
Phase 5, Reporting: critical issues, observations and enhancement opportunities
Project Management Office (across all phases): project coordination, education, quality assurance and reporting
[Diagram: business partners (labelled A through J) move from selection through risk assessment into High, Medium and Low risk bands, which determine the review option (Level 1, 2 or 3); risk assessment and monitoring are performed simultaneously.]

Business Partner Selection
1. Hundreds of business partners exist and are theoretically equal opportunities.
Comprehensive Risk Assessment
2. Qualitative and quantitative factors are considered to determine the risk ranking (High, Medium, Low).
Continuous Monitoring, Transaction Testing, Data Analytics (performed simultaneously)
3. Review options (TBD: Level 1, Level 2, Level 3) are determined through a data-driven model and comprehensive analysis.
Case Study: TE Connectivity Ltd
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program...
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where...
  • Ethics and Compliance is central to the way business is conducted,
  • there is a positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team...
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop a sampling methodology and select transactions for testing; establish risk-based work plans (testing, due diligence renewals and training)
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify the framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed a risk assessment to identify ABAC risks and prioritize mitigation activities in high-risk businesses and regions; pilot with the ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to the Ethics and Compliance and IA teams
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
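The bullets above describe indicator analytics run over the full distributor population rather than a sample, but not how such an indicator is computed. The following Python is an added example, not TE's or FTI's code and not the model actually built for TE: it scores every row of a constructed distributor ledger against four indicators drawn from the third-party risk attributes listed earlier in the deck (excessive discounts, excessive commissions, high-risk operating geography, past compliance failures) and rolls the results up per distributor for a dashboard. The ledger schema, sample rows, CPI-style country scores, thresholds and indicator weights are all assumptions.

```python
"""Bribery-risk indicator analytics over a distributor transaction ledger.

Added example, not TE Connectivity's or FTI's code. The ledger schema, the
sample rows, the country scores, the thresholds and the indicator weights are
all constructed assumptions; the indicators themselves (excessive discounts and
commissions, high-risk geographies, past compliance failures) follow the
third-party risk attributes listed earlier in the deck.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample ledger: (txn_id, distributor, country, list_price, net_price, commission_paid)
TRANSACTIONS = [
    ("T001", "DIST-A", "DE", 10000.0, 9200.0, 300.0),
    ("T002", "DIST-A", "DE", 8000.0, 7400.0, 250.0),
    ("T003", "DIST-B", "US", 12000.0, 11000.0, 400.0),
    ("T004", "DIST-B", "US", 5000.0, 4650.0, 150.0),
    ("T005", "DIST-C", "BR", 9000.0, 5400.0, 1100.0),    # deep discount plus large commission
    ("T006", "DIST-C", "BR", 7000.0, 6300.0, 220.0),
    ("T007", "DIST-D", "NG", 15000.0, 13500.0, 3000.0),  # large commission, distributor with prior finding
    ("T008", "DIST-D", "NG", 4000.0, 3700.0, 120.0),
]

# Constructed CPI-style country scores (0-100, lower = higher perceived corruption);
# illustrative values, not a published index year.
COUNTRY_CPI = {"DE": 80, "US": 69, "BR": 35, "NG": 26}

# Constructed: distributors with a documented prior compliance failure.
PRIOR_COMPLIANCE_FAILURES = {"DIST-D"}

# Assumed indicator parameters.
DISCOUNT_Z_THRESHOLD = 2.0          # discount rate more than 2 population std devs above the mean
COMMISSION_RATE_THRESHOLD = 0.10    # commission as a share of net invoice value
HIGH_RISK_CPI_CUTOFF = 50
INDICATOR_WEIGHTS = {
    "excessive_discount": 3,
    "excessive_commission": 3,
    "high_risk_geography": 2,
    "prior_compliance_failure": 2,
}


def discount_rate(list_price: float, net_price: float) -> float:
    return (list_price - net_price) / list_price


def commission_rate(net_price: float, commission: float) -> float:
    return commission / net_price


def score_transactions(transactions=TRANSACTIONS, cpi=COUNTRY_CPI, failures=PRIOR_COMPLIANCE_FAILURES):
    """Evaluate the full population (no sampling) and return
    [(txn_id, distributor, score, sorted indicator names)], highest score first."""
    rates = [discount_rate(lp, np_) for _, _, _, lp, np_, _ in transactions]
    mu, sigma = mean(rates), pstdev(rates)
    results = []
    for (txn_id, dist, country, lp, np_, comm), d_rate in zip(transactions, rates):
        indicators = []
        # Outlier discount relative to the whole population, not a fixed cut-off.
        if sigma > 0 and (d_rate - mu) / sigma > DISCOUNT_Z_THRESHOLD:
            indicators.append("excessive_discount")
        if commission_rate(np_, comm) > COMMISSION_RATE_THRESHOLD:
            indicators.append("excessive_commission")
        # An unknown country is treated as high risk rather than silently skipped.
        if cpi.get(country, 0) < HIGH_RISK_CPI_CUTOFF:
            indicators.append("high_risk_geography")
        if dist in failures:
            indicators.append("prior_compliance_failure")
        score = sum(INDICATOR_WEIGHTS[i] for i in indicators)
        results.append((txn_id, dist, score, sorted(indicators)))
    return sorted(results, key=lambda r: (-r[2], r[0]))


def distributor_summary(scored):
    """Roll transaction-level results up to the distributor level (the dashboard view)."""
    totals = defaultdict(lambda: {"transactions": 0, "flagged": 0, "max_score": 0})
    for _, dist, score, indicators in scored:
        t = totals[dist]
        t["transactions"] += 1
        t["flagged"] += 1 if indicators else 0
        t["max_score"] = max(t["max_score"], score)
    return dict(totals)


if __name__ == "__main__":
    ranked = score_transactions()
    for txn_id, dist, score, indicators in ranked:
        if score:
            print(f"{txn_id} {dist} score={score} {', '.join(indicators)}")
    for dist, s in sorted(distributor_summary(ranked).items()):
        print(dist, s)
```

The discount indicator is relative to the population (a z-score) rather than a fixed percentage, which is what "assessing 100% of a data population" buys you: a discount that is normal for one product line is only flagged when it is abnormal against everything else in the ledger. In a real deployment the ranked output, not the raw ledger, is what feeds the sampling for transaction testing.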
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce the risk levels from 4 to 3 by removing the Medium/High risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to the current risk scoring methodology: assign lower weight to the Corruption Perception Index (from 40% to 30%) and higher weight to responses on the Business Partner Questionnaire (BPQ) (from 10% to 20%)
• Frequency and Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: initial Global Database Check (GDC); renew/update BPQ every 3 years with GDC performed
  • Medium Risk: initial Open Source Investigation (OSI); renew/update BPQ every 3 years with OSI performed
  • High Risk: initial Enhanced Due Diligence (EDD); renew BPQ annually, with OSI performed upon renewal, except that EDD is conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners; can accompany the annual Declaration
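The scoring bands, the weight change and the per-level cadence above, together with the tiered due diligence flow on the earlier "Due Diligence Screening and Background Checks" slide, are concrete enough to implement. The Python below is an added example, not TE's actual scoring model: it applies the 0-49 / 50-79 / 80-100 bands, shows what moving CPI from 40% to 30% and BPQ from 10% to 20% does to a partner's level, and turns a level plus the year of the relationship into the checks due that year. The three other weighted factors, their 0-100 normalization, the split of the remaining 50 points and the sample partners are assumptions.

```python
"""Three-level business partner risk scoring and the due diligence cadence each level drives.

Added example, not TE Connectivity's model. From the slides: the 0-49 / 50-79 /
80-100 bands, the CPI weight moving 40% -> 30%, the BPQ weight moving 10% -> 20%,
and the initial check, renewal interval and training per level. Assumed: the
three remaining weighted factors and their 0-100 normalization, the exact split
of the other 50 points, and the sample partners.
"""
from dataclasses import dataclass

# Weights in points out of 100. The 50 points outside CPI and BPQ are an assumed split.
OLD_WEIGHTS = {"cpi": 40, "bpq": 10, "government_interaction": 25, "contract_value": 15, "prior_findings": 10}
NEW_WEIGHTS = {"cpi": 30, "bpq": 20, "government_interaction": 25, "contract_value": 15, "prior_findings": 10}

LEVELS = [(0, 49, "Low"), (50, 79, "Medium"), (80, 100, "High")]

# Per-level cadence from the slide: initial check, BPQ renewal interval (years),
# check run at renewal, EDD refresh interval (High only) and annual online training.
DUE_DILIGENCE = {
    "Low":    {"initial": "GDC", "renewal_years": 3, "renewal_check": "GDC", "edd_every_years": None, "training": False},
    "Medium": {"initial": "OSI", "renewal_years": 3, "renewal_check": "OSI", "edd_every_years": None, "training": False},
    "High":   {"initial": "EDD", "renewal_years": 1, "renewal_check": "OSI", "edd_every_years": 6,    "training": True},
}


@dataclass(frozen=True)
class Partner:
    name: str
    country_cpi: int                 # CPI-style 0-100 score of the operating geography, higher = cleaner (constructed)
    bpq_adverse_pct: int             # share of BPQ answers flagged as adverse
    government_interaction_pct: int  # assumed factor: share of business involving government customers or officials
    contract_value_pct: int          # assumed factor: contract value relative to the top contract band
    prior_findings_pct: int          # assumed factor: 0 none, 50 minor, 100 material prior compliance finding


def risk_factors(p: Partner) -> dict:
    """Normalize every input to a 0-100 exposure, 100 being the riskiest."""
    return {
        "cpi": 100 - p.country_cpi,
        "bpq": p.bpq_adverse_pct,
        "government_interaction": p.government_interaction_pct,
        "contract_value": p.contract_value_pct,
        "prior_findings": p.prior_findings_pct,
    }


def risk_score(p: Partner, weights=NEW_WEIGHTS) -> int:
    """Weighted 0-100 score. Integer products keep the arithmetic exact before rounding."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must total 100 points")
    f = risk_factors(p)
    return round(sum(weights[k] * f[k] for k in weights) / 100)


def risk_level(score: int) -> str:
    for lo, hi, level in LEVELS:
        if lo <= score <= hi:
            return level
    raise ValueError(f"score {score} is outside 0-100")


def reweighting_report(partners) -> dict:
    """Per partner: (old score, old level, new score, new level) under the proposed weight change."""
    report = {}
    for p in partners:
        old, new = risk_score(p, OLD_WEIGHTS), risk_score(p, NEW_WEIGHTS)
        report[p.name] = (old, risk_level(old), new, risk_level(new))
    return report


def annual_plan(level: str, years_since_onboarding: int, red_flag: bool = False) -> dict:
    """Due diligence work due in a given year of the relationship for a partner at this level."""
    spec = DUE_DILIGENCE[level]
    checks = []
    if years_since_onboarding == 0:
        checks = [spec["initial"], "BPQ"]
    elif years_since_onboarding % spec["renewal_years"] == 0:
        edd_due = spec["edd_every_years"] is not None and years_since_onboarding % spec["edd_every_years"] == 0
        checks = ["BPQ renewal", "EDD" if edd_due else spec["renewal_check"]]
    if red_flag:
        checks.append("EDD or audit")   # red flags escalate regardless of level or year
    # The annual declaration applies to every in-scope active partner; training only to High Risk.
    return {"level": level, "checks": checks, "annual_declaration": True, "online_training": spec["training"]}


# Constructed sample partners.
PARTNERS = [
    Partner("Alpha Distribution", country_cpi=80, bpq_adverse_pct=0, government_interaction_pct=0,
            contract_value_pct=20, prior_findings_pct=0),
    Partner("Beta Agency", country_cpi=36, bpq_adverse_pct=50, government_interaction_pct=60,
            contract_value_pct=60, prior_findings_pct=0),
    Partner("Gamma Trading", country_cpi=20, bpq_adverse_pct=0, government_interaction_pct=100,
            contract_value_pct=100, prior_findings_pct=100),
]

if __name__ == "__main__":
    for name, (old, old_lvl, new, new_lvl) in reweighting_report(PARTNERS).items():
        print(f"{name}: {old} ({old_lvl}) -> {new} ({new_lvl})")
    for year in range(0, 7):
        print(year, annual_plan("High", year)["checks"])
```

Under these assumed weights, "Gamma Trading" (clean questionnaire, very weak CPI geography) drops from High to Medium when CPI loses 10 points of weight, which is the practical effect of the proposed adjustment: geography alone carries a partner less far, and questionnaire answers carry it further. Any recalibration like this should be re-run against the whole in-scope population before adoption, since the partners that change level are exactly the ones whose due diligence cadence changes.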
Questions and Discussion
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App.
Not using the conference app? Visit iccnf.io to complete your session evaluations.
Auditing and Monitoring
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
21
Auditing and Monitoring
Define Framework
Initial Analysis
Meeting with Management
Evaluate Assessment
Results
Design Internal Audit
Plan
Audit Committee Approval
The compliance auditing and monitoring program strategy can be broken down into the following steps
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Companys executivemanagement team
Step 3 Meeting with Management - Obtain input from key risk assessment participants includingmembers of executive and senior management and process owners in order to rank risks accordingto established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participantsand calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlateseffort and internal audit frequency with the assessment results based on severity of perceived risk
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review andapproval making any updates as necessary
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find
to be effective in the area of Third Party Risk Management include
Organizations should develop and implement comprehensive due diligence
vetting and screening processes related to the potential third parties (eg
suppliers agents contractors business partners etc) with which the
organization may potentially partner so as to identify and manage relevant
compliance risks (eg Bribery and Corruption Information Security Product
Quality etc)
Organizations should develop and implement a comprehensive process by
which a determination can be made of when and to what extent to involve
third parties in business activities The organization should assign
responsibility for these decisions to personnel with the appropriate skills and
knowledge The third partys role and access to organizational information
should be contractually and clearly defined
Organizations should have a set of standards and expectations (eg A Third Party Code of Conduct) with which
suppliers are expected to comply
Organizations should inform third parties of the organizationrsquos ethics and compliance program and the commitment to
ethical and lawful business practices and expect the same of third parties
Organizations should ensure that third-party personnel are aware of and comply with the companys ethics and
compliance programs and the companys commitment to ethical and lawful business practices
Organizations should take steps to confirm that agents and business partners have been apprised of the
organizations policies and procedures and expectations to conduct business in an ethical manner
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
26
Low Risk Due Diligence
1 Published penalties convictions
2 PEP Screening and Watch list Checks
3 Negative News Searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open Source Investigation by a due
diligence provider on both the
organization and key employeesowners
4 Results reviewed by compliance
personnel to make gono-go decision
High Risk Due Diligence
1 Low and Medium Risk Checks PLUS
2 Audit and Review Financials
3 Interview references political and
business associates
4 Field Investigative background reports
using local data sources
APPROVE
APPROVE with CONTROLS
NOT APPROVED
Collect all
Materials and
Document
Decisions
Enhanced
Due
Diligence
Due Diligence Screening Background Checks
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization
Local Response
Team and Single
Point of Contact
Global
Reach with
Subject
Matter
Expertise
Committed
Business
Advisor
High-Quality
Services at Cost-
Efficient Pricing
1Collaborative process involving clear identification of scope and early development of a risk
focused execution strategy to fit an organizations requirements
2Innovative approaches use anti-briberyanti-corruption compliance analytics and visualizations
models focused on assessing 100 of a data population to identify the transactions that pose the
greatest risk to an organization
3Clear and constant communication to ensure focused execution while delivering in an efficient
manner with consistent quality
4 Full results reporting of identified risks and observations along with recommendations for
enhancement
Phase 3
Fieldwork
Sampling Interviewing
amp Transaction Testing
Phase 4
Evaluation and Closing
Analyze Findings
Risks amp Close Out
Meeting
Phase 1
Audit Initiation
Planning
Education Kick-off
Meeting
Phase 5
Reporting
Critical issues
Observations and
Enhancement
Opportunities
Phase 2
Pre-fieldwork Scoping
Operational Assessment
amp Third Party
Intelligence Check
Project Management Office
Project Coordination Education Quality Assurance amp Reporting
29
1 Hundreds of business
partners exist and are
theoretically equal
opportunities
2 Qualitative and Quantitative factors
are considered to determine risk
ranking
3 Review options are determined
through a data-driven model
and comprehensive analysis
C
AB
D
E
F
HI
JG
CA B DHigh
Medium
Low
GE F
H I
Performed Simultaneously
TBD - Review
Options
1 Level 1
2 Level 2
3 Level 3
Business Partner SelectionComprehensive Risk Assessment
Continuous Monitoring Transaction Testing Data Analytics
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
20
Auditing and Monitoring
Some leading practices that organizations with mature compliance programs find to be
effective in the area of Auditing and Monitoring include
Organizations should conduct internal audits with regard to key aspects of the organizationrsquos
compliance program Specific areas of potential audit include
General program audit Audit to confirm that the compliance program contains essential
programmatic elements as outlined in the US Federal Sentencing Guidelines key
regulations and other evaluative criteria
Risk assessment Audit to confirm that the organization has conducted a compliance risk
assessment and to confirm that top risks have associated action plans and ldquoownersrdquo
Code of conduct Audit to confirm that the code addresses all salient risk areas and that the
code is reviewed and updated periodically
Policies and procedures Audit to confirm that that policies have been reviewed and updated
periodically with accurate version control
Training Audit to confirm that (1) employees who should have been invited to complete certain risk-based training programs were in fact
invited and (2) employees invited to complete training programs actually completed those programs
Organizations should conduct internal audits at planned intervals to provide information on whether the compliance program meets the expectations
set forth by the organizations own documentation which defines the compliance program and if the program is effectively implemented and
maintained
Organizations should conduct audits that are reasonable proportionate and risk-based Such audits should consist of internal audit procedures
controls and systems that cover the full waterfront of compliance risks that the organization might face Additionally organizations should review and
test controls across all risk areas in order to analyze potential opportunities for improvement
21
Auditing and Monitoring
Define Framework
Initial Analysis
Meeting with Management
Evaluate Assessment
Results
Design Internal Audit
Plan
Audit Committee Approval
The compliance auditing and monitoring program strategy can be broken down into the following steps
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Companys executivemanagement team
Step 3 Meeting with Management - Obtain input from key risk assessment participants includingmembers of executive and senior management and process owners in order to rank risks accordingto established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participantsand calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlateseffort and internal audit frequency with the assessment results based on severity of perceived risk
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review andapproval making any updates as necessary
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
• Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
• Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party's role and access to organizational information should be contractually and clearly defined.
• Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
• Organizations should inform third parties of the organization's ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
• Organizations should ensure that third-party personnel are aware of and comply with the company's ethics and compliance programs and the company's commitment to ethical and lawful business practices.
• Organizations should take steps to confirm that agents and business partners have been apprised of the organization's policies and procedures and expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
Third Party Due Diligence
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore, organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
26
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP Screening and Watch list Checks
3. Negative News Searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make go/no-go decision
High Risk Due Diligence
1. Low and Medium Risk Checks PLUS
2. Audit and Review Financials
3. Interview references, political and business associates
4. Field Investigative background reports using local data sources
[Figure: Due Diligence Screening / Background Checks workflow. Outcomes: APPROVE, APPROVE with CONTROLS, NOT APPROVED. All materials are collected and decisions documented; Enhanced Due Diligence is shown as a further step.]
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
[Figure: engagement model diagram. Organization at the center; Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing.]
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations along with recommendations for enhancement
Phase 1 Audit Initiation: Planning, Education, Kick-off Meeting
Phase 2 Pre-fieldwork Scoping: Operational Assessment & Third Party Intelligence Check
Phase 3 Fieldwork: Sampling, Interviewing & Transaction Testing
Phase 4 Evaluation and Closing: Analyze Findings, Risks & Close Out Meeting
Phase 5 Reporting: Critical issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
29
Business Partner Selection / Comprehensive Risk Assessment / Continuous Monitoring, Transaction Testing, Data Analytics
1. Business Partner Selection: Hundreds of business partners exist and are theoretically equal opportunities
2. Comprehensive Risk Assessment: Qualitative and Quantitative factors are considered to determine risk ranking
3. Continuous Monitoring, Transaction Testing, Data Analytics: Review options are determined through a data-driven model and comprehensive analysis
[Figure: business partners A through J are plotted and then sorted into risk bands (High: C, A, B, D; Medium: G, E, F; Low: H, I); the risk assessment steps are performed simultaneously. Review options, TBD: Level 1, Level 2, Level 3.]
Case Study – TE Connectivity Ltd
TE Connectivity Ltd – Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
35
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce Risk Levels from 4 to 3 by removing the Medium/High Risk rating
  • 3 Levels Scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC). Renew/update BPQ every 3 years with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI). Renew/update BPQ every 3 years with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD). Renew BPQ annually; OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration
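As an added example (not code from the original slides, nor from TE Connectivity or FTI Consulting), the Phase 4 scoring and renewal rules above encoded in Python: the three score bands (0-49, 50-79, 80-100), the adjusted CPI and BPQ weights of 30 and 20, and the GDC/OSI/EDD schedule per tier. The three remaining factors and their weights (taken from the third-party attributes listed earlier in the deck), the normalization of each attribute to a 0..1 risk contribution, and the red-flag threshold are assumptions for illustration.

```python
"""Tiered business-partner risk scoring and due-diligence schedule (illustrative)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Optional, Tuple


class Tier(Enum):
    LOW = "Low"        # 0-49 points
    MEDIUM = "Medium"  # 50-79 points
    HIGH = "High"      # 80-100 points


# Weights sum to 100 points. CPI=30 and BPQ=20 are the adjusted weights from the
# slides; the other three factors and their weights are ASSUMED for this example.
WEIGHTS = {
    "cpi": 30,
    "bpq": 20,
    "past_failures": 20,
    "contract_value": 15,
    "discounts": 15,
}


@dataclass(frozen=True)
class Partner:
    name: str
    cpi: int                   # country Corruption Perceptions Index, 0 (worst) .. 100 (best)
    bpq_red_flags: int         # adverse answers on the Business Partner Questionnaire (assumed 0..10)
    past_failures: int         # prior compliance failures on record
    contract_value_usd: float
    discount_pct: float        # discount / commission granted, in percent


def risk_factors(p: Partner) -> Dict[str, float]:
    """Map each attribute to a 0..1 risk contribution (normalization is an assumption)."""
    return {
        "cpi": (100 - max(0, min(100, p.cpi))) / 100,          # low CPI = high risk
        "bpq": min(p.bpq_red_flags, 10) / 10,
        "past_failures": min(p.past_failures, 3) / 3,           # saturates at 3 failures
        "contract_value": min(p.contract_value_usd, 5_000_000) / 5_000_000,
        # assumed: discounts up to 20% are ordinary, 50% and above is maximal risk
        "discounts": max(0.0, min(1.0, (p.discount_pct - 20) / 30)),
    }


def risk_score(p: Partner) -> int:
    """Weighted 0..100 score; rounded to whole points as on the slides."""
    factors = risk_factors(p)
    return round(sum(WEIGHTS[k] * factors[k] for k in WEIGHTS))


def tier_for(score: int) -> Tier:
    """Three-level banding from the deck: 0-49 Low, 50-79 Medium, 80-100 High."""
    if score <= 49:
        return Tier.LOW
    if score <= 79:
        return Tier.MEDIUM
    return Tier.HIGH


@dataclass(frozen=True)
class DiligencePlan:
    initial_check: str               # GDC / OSI / EDD at onboarding
    renewal_years: int               # BPQ renewal interval
    renewal_check: str               # check performed at each renewal
    edd_every_years: Optional[int]   # periodic EDD for High Risk only
    annual_training: bool            # online training assigned annually (High Risk)
    annual_declaration: bool = True  # required for every in-scope active partner


PLANS = {
    Tier.LOW: DiligencePlan("GDC", 3, "GDC", None, False),
    Tier.MEDIUM: DiligencePlan("OSI", 3, "OSI", None, False),
    Tier.HIGH: DiligencePlan("EDD", 1, "OSI", 6, True),
}


def plan_for(p: Partner) -> Tuple[int, Tier, DiligencePlan]:
    score = risk_score(p)
    tier = tier_for(score)
    return score, tier, PLANS[tier]


def needs_red_flag_review(p: Partner, threshold: int = 5) -> bool:
    """Red flags may warrant EDD or audit regardless of tier (threshold is assumed)."""
    return p.bpq_red_flags >= threshold


def next_renewal(onboarded: date, tier: Tier) -> date:
    """Next BPQ renewal date for the tier (same calendar day, N years on)."""
    return onboarded.replace(year=onboarded.year + PLANS[tier].renewal_years)


if __name__ == "__main__":
    # Constructed sample partners, not real data.
    for p in (Partner("Distributor A", 85, 0, 0, 200_000, 10),
              Partner("Distributor B", 30, 6, 2, 4_000_000, 45),
              Partner("Distributor C", 20, 9, 3, 6_000_000, 60)):
        score, tier, plan = plan_for(p)
        print(f"{p.name}: {score} pts -> {tier.value}; initial {plan.initial_check}, "
              f"renew every {plan.renewal_years}y, red-flag review={needs_red_flag_review(p)}")
```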
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App
Not using the conference app? Visit iccnf.io to complete your session evaluations
21
Auditing and Monitoring
Define Framework
Initial Analysis
Meeting with Management
Evaluate Assessment
Results
Design Internal Audit
Plan
Audit Committee Approval
The compliance auditing and monitoring program strategy can be broken down into the following steps
Step 1 Define Framework - Identify audit universe and establish common risk assessment definitions
Step 2 Initial Analysis - Perform an initial analysis of risk with input from the Companys executivemanagement team
Step 3 Meeting with Management - Obtain input from key risk assessment participants includingmembers of executive and senior management and process owners in order to rank risks accordingto established inherent and residual risk factors using methodology definitions and guidance
Step 4 Evaluate Assessment Results - Evaluate the collective results from risk assessment participantsand calibrate ratings for both inherent and residual risk
Step 5 Design Internal Audit Plan - Design a proposed go-forward internal audit plan which correlateseffort and internal audit frequency with the assessment results based on severity of perceived risk
Step 6 Audit Committee Approval - Present internal audit plan to Audit Committee for review andapproval making any updates as necessary
Step 1 Step 2 Step 3 Step 4 Step 5 Step 6
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find
to be effective in the area of Third Party Risk Management include
Organizations should develop and implement comprehensive due diligence
vetting and screening processes related to the potential third parties (eg
suppliers agents contractors business partners etc) with which the
organization may potentially partner so as to identify and manage relevant
compliance risks (eg Bribery and Corruption Information Security Product
Quality etc)
Organizations should develop and implement a comprehensive process by
which a determination can be made of when and to what extent to involve
third parties in business activities The organization should assign
responsibility for these decisions to personnel with the appropriate skills and
knowledge The third partys role and access to organizational information
should be contractually and clearly defined
Organizations should have a set of standards and expectations (eg A Third Party Code of Conduct) with which
suppliers are expected to comply
Organizations should inform third parties of the organizationrsquos ethics and compliance program and the commitment to
ethical and lawful business practices and expect the same of third parties
Organizations should ensure that third-party personnel are aware of and comply with the companys ethics and
compliance programs and the companys commitment to ethical and lawful business practices
Organizations should take steps to confirm that agents and business partners have been apprised of the
organizations policies and procedures and expectations to conduct business in an ethical manner
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
26
Low Risk Due Diligence
1 Published penalties convictions
2 PEP Screening and Watch list Checks
3 Negative News Searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open Source Investigation by a due
diligence provider on both the
organization and key employeesowners
4 Results reviewed by compliance
personnel to make gono-go decision
High Risk Due Diligence
1 Low and Medium Risk Checks PLUS
2 Audit and Review Financials
3 Interview references political and
business associates
4 Field Investigative background reports
using local data sources
APPROVE
APPROVE with CONTROLS
NOT APPROVED
Collect all
Materials and
Document
Decisions
Enhanced
Due
Diligence
Due Diligence Screening Background Checks
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization
Local Response
Team and Single
Point of Contact
Global
Reach with
Subject
Matter
Expertise
Committed
Business
Advisor
High-Quality
Services at Cost-
Efficient Pricing
1Collaborative process involving clear identification of scope and early development of a risk
focused execution strategy to fit an organizations requirements
2Innovative approaches use anti-briberyanti-corruption compliance analytics and visualizations
models focused on assessing 100 of a data population to identify the transactions that pose the
greatest risk to an organization
3Clear and constant communication to ensure focused execution while delivering in an efficient
manner with consistent quality
4 Full results reporting of identified risks and observations along with recommendations for
enhancement
Phase 3
Fieldwork
Sampling Interviewing
amp Transaction Testing
Phase 4
Evaluation and Closing
Analyze Findings
Risks amp Close Out
Meeting
Phase 1
Audit Initiation
Planning
Education Kick-off
Meeting
Phase 5
Reporting
Critical issues
Observations and
Enhancement
Opportunities
Phase 2
Pre-fieldwork Scoping
Operational Assessment
amp Third Party
Intelligence Check
Project Management Office
Project Coordination Education Quality Assurance amp Reporting
29
1 Hundreds of business
partners exist and are
theoretically equal
opportunities
2 Qualitative and Quantitative factors
are considered to determine risk
ranking
3 Review options are determined
through a data-driven model
and comprehensive analysis
C
AB
D
E
F
HI
JG
CA B DHigh
Medium
Low
GE F
H I
Performed Simultaneously
TBD - Review
Options
1 Level 1
2 Level 2
3 Level 3
Business Partner SelectionComprehensive Risk Assessment
Continuous Monitoring Transaction Testing Data Analytics
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
Third Party Due Diligence
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find
to be effective in the area of Third Party Risk Management include
Organizations should develop and implement comprehensive due diligence
vetting and screening processes related to the potential third parties (eg
suppliers agents contractors business partners etc) with which the
organization may potentially partner so as to identify and manage relevant
compliance risks (eg Bribery and Corruption Information Security Product
Quality etc)
Organizations should develop and implement a comprehensive process by
which a determination can be made of when and to what extent to involve
third parties in business activities The organization should assign
responsibility for these decisions to personnel with the appropriate skills and
knowledge The third partys role and access to organizational information
should be contractually and clearly defined
Organizations should have a set of standards and expectations (eg A Third Party Code of Conduct) with which
suppliers are expected to comply
Organizations should inform third parties of the organizationrsquos ethics and compliance program and the commitment to
ethical and lawful business practices and expect the same of third parties
Organizations should ensure that third-party personnel are aware of and comply with the companys ethics and
compliance programs and the companys commitment to ethical and lawful business practices
Organizations should take steps to confirm that agents and business partners have been apprised of the
organizations policies and procedures and expectations to conduct business in an ethical manner
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
26
Low Risk Due Diligence
1 Published penalties convictions
2 PEP Screening and Watch list Checks
3 Negative News Searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open Source Investigation by a due
diligence provider on both the
organization and key employeesowners
4 Results reviewed by compliance
personnel to make gono-go decision
High Risk Due Diligence
1 Low and Medium Risk Checks PLUS
2 Audit and Review Financials
3 Interview references political and
business associates
4 Field Investigative background reports
using local data sources
APPROVE
APPROVE with CONTROLS
NOT APPROVED
Collect all
Materials and
Document
Decisions
Enhanced
Due
Diligence
Due Diligence Screening Background Checks
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization
Local Response
Team and Single
Point of Contact
Global
Reach with
Subject
Matter
Expertise
Committed
Business
Advisor
High-Quality
Services at Cost-
Efficient Pricing
1Collaborative process involving clear identification of scope and early development of a risk
focused execution strategy to fit an organizations requirements
2Innovative approaches use anti-briberyanti-corruption compliance analytics and visualizations
models focused on assessing 100 of a data population to identify the transactions that pose the
greatest risk to an organization
3Clear and constant communication to ensure focused execution while delivering in an efficient
manner with consistent quality
4 Full results reporting of identified risks and observations along with recommendations for
enhancement
Phase 3
Fieldwork
Sampling Interviewing
amp Transaction Testing
Phase 4
Evaluation and Closing
Analyze Findings
Risks amp Close Out
Meeting
Phase 1
Audit Initiation
Planning
Education Kick-off
Meeting
Phase 5
Reporting
Critical issues
Observations and
Enhancement
Opportunities
Phase 2
Pre-fieldwork Scoping
Operational Assessment
amp Third Party
Intelligence Check
Project Management Office
Project Coordination Education Quality Assurance amp Reporting
29
1 Hundreds of business
partners exist and are
theoretically equal
opportunities
2 Qualitative and Quantitative factors
are considered to determine risk
ranking
3 Review options are determined
through a data-driven model
and comprehensive analysis
C
AB
D
E
F
HI
JG
CA B DHigh
Medium
Low
GE F
H I
Performed Simultaneously
TBD - Review
Options
1 Level 1
2 Level 2
3 Level 3
Business Partner SelectionComprehensive Risk Assessment
Continuous Monitoring Transaction Testing Data Analytics
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE’s network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information the CCO was able to help inform the organization’s internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High Risk rating
  • 3-level scoring: Low Risk (0–49 points), Medium Risk (50–79 points) and High Risk (80–100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: initial Global Database Check (GDC); renew/update BPQ every 3 years with GDC performed
  • Medium Risk: initial Open Source Investigation (OSI); renew/update BPQ every 3 years with OSI performed
  • High Risk: initial Enhanced Due Diligence (EDD); renew BPQ annually, OSI performed upon renewal, except EDD conducted every ~6 years. “Red flags” may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners – can accompany annual Declaration
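The scoring bands, the CPI/BPQ reweighting and the renewal cadence above, worked through in Python as an added example (not TE Connectivity's or the presenters' code). It goes one step beyond the slide by scoring each partner under both the current and the proposed weights so the effect of the reweighting is visible; the three components other than CPI and BPQ, their weights, and the two sample partners are assumptions constructed for the illustration.

```python
"""Three-band business partner risk tiering with the Phase 4 due diligence
cadence. Added illustration, not the program's actual scoring model."""
from dataclasses import dataclass, field

# Scoring bands from the slide, in points on a 0-100 scale.
BANDS = ((0, 49, "Low"), (50, 79, "Medium"), (80, 100, "High"))

# Component weights, summing to 100. The CPI and BPQ weights are the slide's
# current and proposed values. The other three components and their weights
# are assumptions made for this example only.
CURRENT_WEIGHTS = {"cpi": 40, "bpq": 10, "gov_touchpoints": 20,
                   "contract_value": 15, "commissions": 15}
PROPOSED_WEIGHTS = {"cpi": 30, "bpq": 20, "gov_touchpoints": 20,
                    "contract_value": 15, "commissions": 15}

# Due diligence cadence per band, as stated on the slide.
CADENCE = {
    "Low":    {"initial": "GDC", "renewal_years": 3, "renewal_check": "GDC",
               "edd_every_years": None, "training": False},
    "Medium": {"initial": "OSI", "renewal_years": 3, "renewal_check": "OSI",
               "edd_every_years": None, "training": False},
    "High":   {"initial": "EDD", "renewal_years": 1, "renewal_check": "OSI",
               "edd_every_years": 6, "training": True},
}


@dataclass
class Partner:
    name: str
    # component -> risk factor as an integer percentage, 0 (lowest) to 100 (highest)
    factors: dict
    red_flags: list = field(default_factory=list)


def score(factors, weights):
    """Weighted sum of 0-100 factors -> integer points on the 0-100 scale."""
    if set(factors) != set(weights) or sum(weights.values()) != 100:
        raise ValueError("factors must match the weight model; weights must sum to 100")
    if any(not 0 <= f <= 100 for f in factors.values()):
        raise ValueError("factors are percentages in 0..100")
    # Integer arithmetic keeps the band decision independent of float rounding.
    return sum(weights[k] * factors[k] for k in weights) // 100


def band(points):
    """Map points to the Low / Medium / High band."""
    for lo, hi, name in BANDS:
        if lo <= points <= hi:
            return name
    raise ValueError(f"points out of range: {points}")


def plan(partner, weights=PROPOSED_WEIGHTS):
    """Tier the partner and derive its due diligence, declaration and training plan."""
    points = score(partner.factors, weights)
    tier = band(points)
    c = CADENCE[tier]
    return {
        "partner": partner.name,
        "points": points,
        "tier": tier,
        "initial_dd": c["initial"],
        "bpq_renewal_years": c["renewal_years"],
        "renewal_check": c["renewal_check"],
        "edd_every_years": c["edd_every_years"],
        "annual_declaration": True,        # required for every in-scope active BP
        "annual_training": c["training"],  # High Risk partners only
        # Red flags may require further review through EDD or audit, whatever the tier.
        "escalate_for_review": bool(partner.red_flags),
    }


def reviews_due(tier, years_since_initial):
    """Checks due in a given anniversary year (1, 2, ...) after the initial DD."""
    c = CADENCE[tier]
    due = ["Declaration"]
    if c["training"]:
        due.append("Training")
    if years_since_initial % c["renewal_years"] == 0:
        check = c["renewal_check"]
        if c["edd_every_years"] and years_since_initial % c["edd_every_years"] == 0:
            check = "EDD"  # the periodic EDD replaces the routine renewal check
        due += ["BPQ", check]
    return due


# Constructed sample partners (not real TE business partners).
DISTRIBUTOR_A = Partner("Distributor A", {"cpi": 90, "bpq": 10, "gov_touchpoints": 30,
                                          "contract_value": 50, "commissions": 20})
AGENT_B = Partner("Agent B", {"cpi": 50, "bpq": 100, "gov_touchpoints": 90,
                              "contract_value": 80, "commissions": 100},
                  red_flags=["questionnaire answers inconsistent with registry records"])

if __name__ == "__main__":
    for p in (DISTRIBUTOR_A, AGENT_B):
        before, after = plan(p, CURRENT_WEIGHTS), plan(p)
        print(f"{p.name}: {before['points']} {before['tier']} -> "
              f"{after['points']} {after['tier']}; initial DD {after['initial_dd']}")
        print("  year-6 reviews:", reviews_due(after["tier"], 6))
```

Under the proposed weights Distributor A (clean questionnaire, high-CPI country) drops from Medium to Low while Agent B (poor questionnaire answers) rises from Medium to High, which is the shift from geography toward partner-specific evidence that the reweighting is meant to produce.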
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App. Not using the conference app? Visit iccnf.io to complete your session evaluations.
23
Third Party Due Diligence
Some leading practices that organizations with mature compliance programs find to be effective in the area of Third Party Risk Management include:
• Organizations should develop and implement comprehensive due diligence, vetting and screening processes related to the potential third parties (e.g. suppliers, agents, contractors, business partners, etc.) with which the organization may potentially partner, so as to identify and manage relevant compliance risks (e.g. Bribery and Corruption, Information Security, Product Quality, etc.).
• Organizations should develop and implement a comprehensive process by which a determination can be made of when and to what extent to involve third parties in business activities. The organization should assign responsibility for these decisions to personnel with the appropriate skills and knowledge. The third party’s role and access to organizational information should be contractually and clearly defined.
• Organizations should have a set of standards and expectations (e.g. a Third Party Code of Conduct) with which suppliers are expected to comply.
• Organizations should inform third parties of the organization’s ethics and compliance program and the commitment to ethical and lawful business practices, and expect the same of third parties.
• Organizations should ensure that third-party personnel are aware of and comply with the company’s ethics and compliance programs and the company’s commitment to ethical and lawful business practices.
• Organizations should take steps to confirm that agents and business partners have been apprised of the organization’s policies and procedures and expectations to conduct business in an ethical manner.
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
• Taking a tiered-based approach to managing risk throughout the lifecycle of third party relationships
• Training third parties on what is expected of them when representing your organization
• Fully integrating the program into other functions (contracts, audit, procurement, training, finance, etc.)
• Pushing accountability and ownership down into the business
• Sharing data through reporting and dashboards
• Applying analytics to the comprehensive third party population to provide benefits to the organization
Organizations should develop a consistent approach to defining and prioritizing third party risk based on third-party attributes such as:
• Excessive discounts and commissions
• Continuity risk
• Access to sensitive information
• Supporting critical business functions
• Financial stability
• Performance history
• Operating geographies
• Contractual value and duration
• Past compliance failures
• Fourth party relationships
25
Third Party Due Diligence
• Research shows that 90% of the enforcement actions brought under the Foreign Corrupt Practices Act involved the misconduct of third parties.
• Therefore organizations should take steps to design and enhance their approach to managing key third party risks, including risk areas such as:
  • Bribery and corruption
  • Cybersecurity
  • Fraud
  • Import/export compliance
• Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships.
• Organizations might view the lifecycle of their third party relationships as follows:
26
Due Diligence Screening / Background Checks
Low Risk Due Diligence
1. Published penalties / convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make go/no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Outcomes: APPROVE / APPROVE with CONTROLS / NOT APPROVED. Collect all materials and document decisions.
ABAC Compliance Monitoring – Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization: local response team and single point of contact; global reach with subject matter expertise; committed business advisor; high-quality services at cost-efficient pricing.
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization’s requirements
2. Innovative approaches use anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations along with recommendations for enhancement
Engagement phases:
Phase 1 – Audit Initiation: planning, education, kick-off meeting
Phase 2 – Pre-fieldwork Scoping: operational assessment & third party intelligence check
Phase 3 – Fieldwork: sampling, interviewing & transaction testing
Phase 4 – Evaluation and Closing: analyze findings, risks & close-out meeting
Phase 5 – Reporting: critical issues, observations and enhancement opportunities
Project Management Office: project coordination, education, quality assurance & reporting
29
Business Partner Selection: Comprehensive Risk Assessment
1. Hundreds of business partners exist and are theoretically equal opportunities (diagram: partners A–J)
2. Qualitative and quantitative factors are considered to determine risk ranking (partners ranked High / Medium / Low)
3. Review options are determined through a data-driven model and comprehensive analysis (TBD – review options: Level 1, Level 2, Level 3)
Continuous Monitoring: Transaction Testing, Data Analytics (performed simultaneously)
Case Study – TE Connectivity Ltd
TE Connectivity Ltd – Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE’s ABAC Program…
  • generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • is generally mature, with many critical components of the program “peering” or “leading”
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE’s Board and Executive Team…
  • champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
24
Third Party Due Diligence
Third Party Risk Management Leading Practices
bull Taking a tiered-based approach to managing risk
throughout the lifecycle of third party relationships
bull Training third parties on what is expected of them
when representing your organization
bull Fully integrating the program into other functions
(contracts audit procurement training finance etc)
bull Pushing accountability and ownership down into the
business
bull Sharing data through reporting and dashboards
bull Applying analytics to comprehensive third party
population to provide benefits to the organization
Organizations should develop a consistent approach to
defining and prioritizing third party risk based on third-party
attributes such as
bull Excessive discounts and
commissions
bull Continuity risk
bull Access to sensitive
information
bull supporting critical business
functions
bull Financial stability
bull Performance history
bull Operating geographies
bull Contractual value and
duration
bull Past compliance failures
bull Fourth party relationships
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
26
Low Risk Due Diligence
1 Published penalties convictions
2 PEP Screening and Watch list Checks
3 Negative News Searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open Source Investigation by a due
diligence provider on both the
organization and key employeesowners
4 Results reviewed by compliance
personnel to make gono-go decision
High Risk Due Diligence
1 Low and Medium Risk Checks PLUS
2 Audit and Review Financials
3 Interview references political and
business associates
4 Field Investigative background reports
using local data sources
APPROVE
APPROVE with CONTROLS
NOT APPROVED
Collect all
Materials and
Document
Decisions
Enhanced
Due
Diligence
Due Diligence Screening Background Checks
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization
Local Response
Team and Single
Point of Contact
Global
Reach with
Subject
Matter
Expertise
Committed
Business
Advisor
High-Quality
Services at Cost-
Efficient Pricing
1Collaborative process involving clear identification of scope and early development of a risk
focused execution strategy to fit an organizations requirements
2Innovative approaches use anti-briberyanti-corruption compliance analytics and visualizations
models focused on assessing 100 of a data population to identify the transactions that pose the
greatest risk to an organization
3Clear and constant communication to ensure focused execution while delivering in an efficient
manner with consistent quality
4 Full results reporting of identified risks and observations along with recommendations for
enhancement
Phase 3
Fieldwork
Sampling Interviewing
amp Transaction Testing
Phase 4
Evaluation and Closing
Analyze Findings
Risks amp Close Out
Meeting
Phase 1
Audit Initiation
Planning
Education Kick-off
Meeting
Phase 5
Reporting
Critical issues
Observations and
Enhancement
Opportunities
Phase 2
Pre-fieldwork Scoping
Operational Assessment
amp Third Party
Intelligence Check
Project Management Office
Project Coordination Education Quality Assurance amp Reporting
29
1 Hundreds of business
partners exist and are
theoretically equal
opportunities
2 Qualitative and Quantitative factors
are considered to determine risk
ranking
3 Review options are determined
through a data-driven model
and comprehensive analysis
C
AB
D
E
F
HI
JG
CA B DHigh
Medium
Low
GE F
H I
Performed Simultaneously
TBD - Review
Options
1 Level 1
2 Level 2
3 Level 3
Business Partner SelectionComprehensive Risk Assessment
Continuous Monitoring Transaction Testing Data Analytics
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
bull Risk Ranking In-Scope Business Partnersbull Reduce Risk Levels from 4 to 3 by removing MediumHigh Risk rating
bull 3 Levels Scoring Low Risk (0-49 points) Medium Risk (50-79 points) and High Risk (80-100 points)
bull Proposed adjustments to current risk scoring methodology assign lower weight to Corruption Perception Index (from 40 to 30) assign higher weight to
responses on Business Partner Questionnaire (BPQ)(from 10 to 20)
bull Frequency amp Scope of Due Diligence and Renewal of Business Partners bull Low Risk Initial Global Database Check (GDC) Renewupdate BPQ every 3 years with GDC performed
bull Medium Risk Initial Open Source Investigation (OSI) Renewupdate BPQ every 3 years with OSI performed
bull High Risk Initial Enhanced Due Diligence (EDD) Renew BPQ annually OSI performed upon renewal except EDD conducted every ~6 years ldquoRed flagsrdquo
may require further review through EDD or audit
bull Business Partner Training and ABAC Declarations bull Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
bull Online training to be assigned annually to High Risk Business Partners ndash can accompany annual Declaration
Key Enhancements of the BPM Program (Phase 4)
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the
IIA Conference App
Not using the conference app
Visit iccnfio to complete
your session evaluations
25
bull Research shows that 90 of the enforcement actions brought under the Foreign Corrupt Practices Act involved the
misconduct of third parties
bull Therefore organizations should take steps to design and enhance its approach to managing key third party risks
including risk areas such as
bull Bribery and corruption
bull Cybersecurity
bull Fraud
bull Import export compliance
bull Organizations should strive to manage these risks throughout the entire lifecycle of third party relationships
bull Organizations might view the lifecycle of its third party relationships as follows
Third Party Due Diligence
26
Low Risk Due Diligence
1 Published penalties convictions
2 PEP Screening and Watch list Checks
3 Negative News Searching
4 Not reviewed by compliance personnel
Medium Risk Due Diligence
1 Low Risk checks PLUS
2 Collect supporting documentation
3 Open Source Investigation by a due
diligence provider on both the
organization and key employeesowners
4 Results reviewed by compliance
personnel to make gono-go decision
High Risk Due Diligence
1 Low and Medium Risk Checks PLUS
2 Audit and Review Financials
3 Interview references political and
business associates
4 Field Investigative background reports
using local data sources
APPROVE
APPROVE with CONTROLS
NOT APPROVED
Collect all
Materials and
Document
Decisions
Enhanced
Due
Diligence
Due Diligence Screening Background Checks
ABAC Compliance Monitoring
Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Organization
Local Response
Team and Single
Point of Contact
Global
Reach with
Subject
Matter
Expertise
Committed
Business
Advisor
High-Quality
Services at Cost-
Efficient Pricing
1Collaborative process involving clear identification of scope and early development of a risk
focused execution strategy to fit an organizations requirements
2Innovative approaches use anti-briberyanti-corruption compliance analytics and visualizations
models focused on assessing 100 of a data population to identify the transactions that pose the
greatest risk to an organization
3Clear and constant communication to ensure focused execution while delivering in an efficient
manner with consistent quality
4 Full results reporting of identified risks and observations along with recommendations for
enhancement
Phase 3
Fieldwork
Sampling Interviewing
amp Transaction Testing
Phase 4
Evaluation and Closing
Analyze Findings
Risks amp Close Out
Meeting
Phase 1
Audit Initiation
Planning
Education Kick-off
Meeting
Phase 5
Reporting
Critical issues
Observations and
Enhancement
Opportunities
Phase 2
Pre-fieldwork Scoping
Operational Assessment
amp Third Party
Intelligence Check
Project Management Office
Project Coordination Education Quality Assurance amp Reporting
29
1 Hundreds of business
partners exist and are
theoretically equal
opportunities
2 Qualitative and Quantitative factors
are considered to determine risk
ranking
3 Review options are determined
through a data-driven model
and comprehensive analysis
C
AB
D
E
F
HI
JG
CA B DHigh
Medium
Low
GE F
H I
Performed Simultaneously
TBD - Review
Options
1 Level 1
2 Level 2
3 Level 3
Business Partner SelectionComprehensive Risk Assessment
Continuous Monitoring Transaction Testing Data Analytics
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
bull As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity we enhanced the anti-bribery and
anti-corruption monitoring of third-parties Our Chief Compliance Officer requested that we develop data analytics (and an accompanying
visualization model) to identify bribery-risk indicators across the TEs network of third-party distributors
bull We worked with the risk department at TE to identify various risk indicators from the business These indicators were then mapped to the
specific datasets that could provide meaningful analytics Leveraging SQL Python and ultimately Tableau we transitioned these analytics
into dynamic visualizations that allowed the client to identify geographies business units third parties and transactions that potentially posed
the greatest risk of fraud and bribery to the organization (see sample dashboards) With this information the CCO was able to help inform the
organizations internal audit strategy and plan We then further refined the analytics model and underlying logic to incorporate feedback from
internal audit observations
bull TE developed an end-to-end methodology for identifying high-risk third parties Together the anti-bribery and anti-corruption technical and
data analytics capabilities enabled TE to provide a streamlined and efficient project management process TE continues to work to produce
additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis
ABAC Third Party Risk Management Analytics (Phase 3)
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High Risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to Corruption Perception Index (from 40 to 30); assign higher weight to responses on Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: Initial Global Database Check (GDC); renew/update BPQ every 3 years with GDC performed
  • Medium Risk: Initial Open Source Investigation (OSI); renew/update BPQ every 3 years with OSI performed
  • High Risk: Initial Enhanced Due Diligence (EDD); renew BPQ annually, OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners; can accompany annual Declaration
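As an added illustration, not TE Connectivity's or the presenters' code, the Phase 4 scoring thresholds and per-tier renewal cadence above can be expressed as a small monitoring check that tells a compliance analyst what is due for a given partner on a given day. The split of the remaining 50 weight points into a single "other" factor, the normalised factor inputs, the sample partner records and the dates are assumptions, since the slide does not itemise them.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Tier(Enum):
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


# Factor weights in points out of 100. The slide gives CPI 40 -> 30 and BPQ 10 -> 20 but does
# not itemise the remaining 50 points; "other" stands in for those factors (assumption).
CURRENT_WEIGHTS: Dict[str, int] = {"cpi": 40, "bpq": 10, "other": 50}
PROPOSED_WEIGHTS: Dict[str, int] = {"cpi": 30, "bpq": 20, "other": 50}
SESSION_DATE = date(2019, 7, 9)  # used as "today" in the sample run below


def risk_score(factors: Dict[str, float], weights: Dict[str, int] = PROPOSED_WEIGHTS) -> int:
    """Weighted 0-100 score. Each factor is a normalised risk in [0, 1]:
    cpi   -> (100 - country Corruption Perception Index) / 100
    bpq   -> share of adverse Business Partner Questionnaire answers
    other -> placeholder for the non-itemised factors (assumption)."""
    if set(factors) != set(weights):
        raise ValueError("factor keys must match weight keys")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must be in [0, 1]")
    return round(sum(weights[k] * factors[k] for k in weights))


def tier_for(score: int) -> Tier:
    """3-level scoring from the slide: Low 0-49, Medium 50-79, High 80-100."""
    if not 0 <= score <= 100:
        raise ValueError("score must be 0-100")
    if score >= 80:
        return Tier.HIGH
    return Tier.MEDIUM if score >= 50 else Tier.LOW


def _add_years(d: date, years: int) -> date:
    """Same calendar day N years on; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class PartnerRecord:
    name: str
    tier: Tier
    active: bool                     # only in-scope active partners are monitored
    last_bpq: date                   # last BPQ submitted or renewed
    last_edd: Optional[date] = None  # last Enhanced Due Diligence (High Risk only)
    last_declaration: Optional[date] = None
    red_flags: List[str] = field(default_factory=list)


def due_actions(rec: PartnerRecord, today: date) -> List[str]:
    """Renewal, declaration, training and escalation actions due on `today`,
    following the per-tier cadence on the slide."""
    if not rec.active:
        return []
    actions: List[str] = []
    # Annual Anti-Corruption Compliance Declaration for every in-scope active partner
    declaration_due = rec.last_declaration is None or _add_years(rec.last_declaration, 1) <= today
    if declaration_due:
        actions.append("annual ABAC declaration")
    if rec.tier is Tier.LOW and _add_years(rec.last_bpq, 3) <= today:
        actions.append("renew BPQ + Global Database Check (GDC)")
    elif rec.tier is Tier.MEDIUM and _add_years(rec.last_bpq, 3) <= today:
        actions.append("renew BPQ + Open Source Investigation (OSI)")
    elif rec.tier is Tier.HIGH:
        if _add_years(rec.last_bpq, 1) <= today:
            actions.append("renew BPQ")
            # OSI on each annual renewal, except that EDD is repeated every ~6 years
            if rec.last_edd is None or _add_years(rec.last_edd, 6) <= today:
                actions.append("Enhanced Due Diligence (EDD)")
            else:
                actions.append("Open Source Investigation (OSI)")
        if declaration_due:
            actions.append("annual online training")  # can accompany the declaration
    if rec.red_flags:  # "red flags" may require further review through EDD or audit
        actions.append("escalate: further review via EDD or audit")
    return actions


def sample_partners() -> List[PartnerRecord]:
    """Constructed sample records (not real partner data)."""
    return [
        PartnerRecord("Distributor X", Tier.HIGH, True, date(2018, 6, 1),
                      last_edd=date(2014, 1, 15), last_declaration=date(2018, 7, 1)),
        PartnerRecord("Distributor Y", Tier.LOW, True, date(2016, 7, 1),
                      last_declaration=date(2019, 1, 10), red_flags=["adverse media hit"]),
    ]


if __name__ == "__main__":
    # A clean questionnaire in a high-CPI-risk country drops a tier under the proposed weights.
    for label, w in (("current", CURRENT_WEIGHTS), ("proposed", PROPOSED_WEIGHTS)):
        s = risk_score({"cpi": 0.9, "bpq": 0.2, "other": 0.86}, w)
        print(f"{label:8s} weights -> score {s:3d} -> {tier_for(s).value}")
    for rec in sample_partners():
        print(rec.name, "->", due_actions(rec, SESSION_DATE))
```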
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App. Not using the conference app? Visit iccnf.io to complete your session evaluations.
26
Due Diligence Screening / Background Checks
Low Risk Due Diligence
1. Published penalties/convictions
2. PEP screening and watch list checks
3. Negative news searching
4. Not reviewed by compliance personnel
Medium Risk Due Diligence
1. Low Risk checks PLUS
2. Collect supporting documentation
3. Open Source Investigation by a due diligence provider on both the organization and key employees/owners
4. Results reviewed by compliance personnel to make go/no-go decision
High Risk Due Diligence (Enhanced Due Diligence)
1. Low and Medium Risk checks PLUS
2. Audit and review financials
3. Interview references, political and business associates
4. Field investigative background reports using local data sources
Outcomes: APPROVE / APPROVE with CONTROLS / NOT APPROVED
Collect all materials and document decisions
ABAC Compliance Monitoring: Leveraging Analytics
28
Compliance Monitoring Overview
Third-party partner compliance monitoring
Engagement model (diagram): Organization; Local Response Team and Single Point of Contact; Global Reach with Subject Matter Expertise; Committed Business Advisor; High-Quality Services at Cost-Efficient Pricing
1. Collaborative process involving clear identification of scope and early development of a risk-focused execution strategy to fit an organization's requirements
2. Innovative approaches: anti-bribery/anti-corruption compliance analytics and visualization models focused on assessing 100% of a data population to identify the transactions that pose the greatest risk to an organization
3. Clear and constant communication to ensure focused execution while delivering in an efficient manner with consistent quality
4. Full results reporting of identified risks and observations, along with recommendations for enhancement
Phase 1: Audit Initiation - Planning, Education, Kick-off Meeting
Phase 2: Pre-fieldwork Scoping - Operational Assessment & Third Party Intelligence Check
Phase 3: Fieldwork - Sampling, Interviewing & Transaction Testing
Phase 4: Evaluation and Closing - Analyze Findings, Risks & Close Out Meeting
Phase 5: Reporting - Critical Issues, Observations and Enhancement Opportunities
Project Management Office: Project Coordination, Education, Quality Assurance & Reporting
29
Business Partner Selection / Comprehensive Risk Assessment / Continuous Monitoring, Transaction Testing, Data Analytics
1. Hundreds of business partners exist and are theoretically equal opportunities
2. Qualitative and quantitative factors are considered to determine risk ranking
3. Review options are determined through a data-driven model and comprehensive analysis
(Diagram: business partners A through J are grouped into High, Medium and Low risk; labelled "Performed Simultaneously"; TBD - Review Options: 1. Level 1, 2. Level 2, 3. Level 3)
Case Study: TE Connectivity Ltd
TE Connectivity Ltd: Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader creating a safer, sustainable, productive and connected future. For more than 75 years, our connectivity and sensor solutions, proven in the harshest environments, have enabled advancements in transportation, industrial applications, medical technology, energy, data communications and the home. With 80,000 employees, including more than 8,000 engineers, working alongside customers in approximately 140 countries, TE ensures that EVERY CONNECTION COUNTS. Learn more at www.te.com and on LinkedIn, Facebook, WeChat and Twitter.
33
ABAC Program Design Assessment (Phase 1)
• Design of TE's ABAC Program…
  • Generally aligns with current standards (FCPA, UK Bribery Act, US Federal Sentencing Guidelines, DOJ/SEC Guidance, ISO 37001, OECD, etc.)
  • Is generally mature, with many critical components of the program "peering" or "leading"
• TE promotes a culture where…
  • Ethics and Compliance is central to the way business is conducted,
  • there is positive Tone at the Top, and
  • employees are encouraged to speak up with questions and concerns
• TE's Board and Executive Team…
  • Champion the Ethics and Compliance Program, providing adequate resources and holding the E&C function accountable through various reporting processes
34
ABAC Planned Program Enhancements (Phase 2)
• Business Partner Management Program Enhancement
  • Conduct ongoing monitoring to review performance and enable alerts of negative Business Partner (BP) information
  • Collect/analyze BP data (distributors) and develop dashboards to assess and prioritize BP risk
  • Develop sampling methodology and select transactions for testing. Establish risk-based work plans: testing, due diligence renewals & training
• ABAC Policy Enhancement
  • Review policies and procedures for content, relevance, readability, consistency, etc.
  • Simplify framework and update ABAC and COI policies and processes
• ABAC Risk Assessment Process Enhancement
  • Developed risk assessment to identify ABAC risks and prioritize mitigation activities in high-risk businesses and regions. Pilot with ADM BU
• Internal Audit Collaboration and Planning
  • Defined and prioritized current auditing and monitoring activities
  • Assigned responsibilities to Ethics and Compliance and IA teams
Case Study ndash
TE Connectivity Ltd
TE Connectivity Ltd ndash
Overview
32
TE Connectivity Ltd - Overview
TE Connectivity Ltd is a $14 billion global technology and manufacturing leader
creating a safer sustainable productive and connected future For more than
75 years our connectivity and sensor solutions proven in the harshest
environments have enabled advancements in transportation industrial
applications medical technology energy data communications and the home
With 80000 employees including more than 8000 engineers working alongside
customers in approximately 140 countries TE ensures that EVERY
CONNECTION COUNTS Learn more at wwwtecom and
on LinkedIn Facebook WeChat and Twitter
33
ABAC Program Design Assessment (Phase 1)
bull Design of TErsquos ABAC Programhellip
bull Generally aligns with current standards (FCPA UK Bribery Act US Federal
Sentencing Guidelines DOJSEC Guidance ISO 37001 OECD etc)
bull Is generally mature with many critical components of the program
ldquopeeringrdquo or ldquoleadingrdquo
bull TE promotes a culture wherehellip
bull Ethics and Compliance is central to the way business is conducted
bull there is positive Tone at the Top and
bull employees are encouraged to speak up with questions and concerns
bull TErsquos Board and Executive Teamhellip
bull Champion the Ethics and Compliance Program providing adequate
resources and holding the EampC function accountable through various
reporting processes
34
bull Business Partner Management Program Enhancementbull Conduct ongoing monitoring to review performance and enable alerts of negative
Business Partner (BP) information
bull Collectanalyze BP data (distributors) and develop dashboards to assess and prioritize BP
risk
bull Develop sampling methodology and select transactions for testing Establish risk-based
work plans testing due diligence renewals amp training
bull ABAC Policy Enhancementbull Review policies and procedures for content relevance readability consistency etc
bull Simplify framework and update ABAC and COI policies and processes
bull ABAC Risk Assessment Process Enhancementbull Developed risk assessment to identify ABAC risks and prioritize mitigation activities in
high risk businesses and regions Pilot with ADM BU
bull Internal Audit Collaboration and Planning
bull Defined and prioritized current auditing and monitoring activities
bull Assigned responsibilities to Ethics and Compliance and IA teams
ABAC Planned Program Enhancements (Phase 2)
35
ABAC Third Party Risk Management Analytics (Phase 3)
• As part of an assessment of the anti-bribery and anti-corruption compliance program at TE Connectivity, we enhanced the anti-bribery and anti-corruption monitoring of third parties. Our Chief Compliance Officer requested that we develop data analytics (and an accompanying visualization model) to identify bribery-risk indicators across TE's network of third-party distributors.
• We worked with the risk department at TE to identify various risk indicators from the business. These indicators were then mapped to the specific datasets that could provide meaningful analytics. Leveraging SQL, Python and ultimately Tableau, we transitioned these analytics into dynamic visualizations that allowed the client to identify geographies, business units, third parties and transactions that potentially posed the greatest risk of fraud and bribery to the organization (see sample dashboards). With this information, the CCO was able to help inform the organization's internal audit strategy and plan. We then further refined the analytics model and underlying logic to incorporate feedback from internal audit observations.
• TE developed an end-to-end methodology for identifying high-risk third parties. Together, the anti-bribery and anti-corruption technical and data analytics capabilities enabled TE to provide a streamlined and efficient project management process. TE continues to work to produce additional dynamic analytics and visualizations that allow for proactive and ongoing monitoring rather than a one-time analysis.
36
Key Enhancements of the BPM Program (Phase 4)
• Risk Ranking In-Scope Business Partners
  • Reduce risk levels from 4 to 3 by removing the Medium/High risk rating
  • 3-level scoring: Low Risk (0-49 points), Medium Risk (50-79 points) and High Risk (80-100 points)
  • Proposed adjustments to current risk scoring methodology: assign lower weight to the Corruption Perception Index (from 40 to 30); assign higher weight to responses on the Business Partner Questionnaire (BPQ) (from 10 to 20)
• Frequency & Scope of Due Diligence and Renewal of Business Partners
  • Low Risk: initial Global Database Check (GDC); renew/update BPQ every 3 years with GDC performed
  • Medium Risk: initial Open Source Investigation (OSI); renew/update BPQ every 3 years with OSI performed
  • High Risk: initial Enhanced Due Diligence (EDD); renew BPQ annually with OSI performed upon renewal, except EDD conducted every ~6 years. "Red flags" may require further review through EDD or audit
• Business Partner Training and ABAC Declarations
  • Annual Anti-Corruption Compliance Declarations still required for every in-scope active Business Partner
  • Online training to be assigned annually to High Risk Business Partners – can accompany the annual Declaration
Questions and Discussion
38
TELL US WHAT YOU THINK
Evaluate this session right in the IIA Conference App
Not using the conference app? Visit iccnf.io to complete your session evaluations