Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 0
A Layered Approach to Third-Party Due Diligence
Presented by
Michael Olver & Alex Wilkinson
Presenters
Michael Olver
Managing Director, PSA Group Advisor, Third-Party Risk Management, NAVEX Global
Alex Wilkinson
Agenda
• Introduction
• Defining Due Diligence
• Standard Risk-Based Workflow
• Your Tools & Their Limitations
• The Wildcard of Jurisdiction
• Conclusion & Key Takeaways
Defining Due Diligence
A Risk-Based Approach
Defining Due Diligence
• Due Diligence is the level of judgment, prudence and care to be exercised by a reasonable person in a similar situation
However, there is…
• No absolute standard
• No defined maximum or minimum
• Only industry norms, best practices, informed interpretations and relevant guidance to help determine what due diligence is to you
Defining Due Diligence
• Given this flexibility, an essential aspect of defining due diligence to your company is understanding:
1. The desired outcome – what do you want to accomplish?
2. Defining your “risk remit” – what risks and concerns are you responsible for mitigating in your role and with this programme?
Defining Due Diligence
• For the purpose of this conversation, we understand the roles to be:
− Compliance and legal professionals – “Defenders of the Realm”
− FCPA & UKBA will be the overriding concerns
− Your programmatic aim will be the identification and mitigation of bribery and corruption risk inherent in dealing with third parties
− Your remit will be to uncover any risks associated with third parties that present a bribery or corruption risk to your company
Defining the Risk-Based Approach
• With this in mind, the following are the standard leading indicators of risk:
− Local perceived corruption risk in jurisdiction (CPI)
− Level of expenditure with third party
− Third-party industry
− Type of relationship
− Intent of relationship
− Other factors specific to the company or overriding legislation
• However, we would argue that the key to a cost-effective and robust programme is ALSO the incorporation of the level of information obtainable in each jurisdiction into both the risk calculation and the internally mandated response
Defining the “Risk Base”
• The simplest means of initiation is to ascribe a value to each indicator
• This does not need to be complicated and can be as simple as a 1-5 value
• The assessment methodology and each assessment will need to be documented
• The process flow needs to be based on the “Risk Base” and to be able to pivot according to it
Applying the “Risk Base”
• In order to ensure even application, it is ideal that the defined risk-response:
− Is centrally defined and mandated
− Is an automated process to an extent
− Creates an audit trail that is rigorously maintained, especially of any exceptions
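The scoring and routing described on the preceding slides, as an added worked example (not NAVEX code): each leading indicator receives a 1-5 value, the average becomes the “Risk Base”, the Risk Base selects a centrally mandated response, the jurisdiction’s information availability overlays that response, and every assessment, including any documented exception, is written to an audit trail. All weights, spend bands, tier thresholds, jurisdiction values and third parties are constructed for the illustration.

```python
"""Risk Base scoring for third-party due diligence (added example, not NAVEX code).
Every band, threshold, jurisdiction value and third party here is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Jurisdiction:
    """Constructed per-country profile: perceived corruption and open-source coverage."""
    name: str
    cpi_risk: int           # 1 (low perceived corruption) .. 5 (high); constructed
    info_availability: int  # 1 (little obtainable openly) .. 5 (rich coverage); constructed


@dataclass(frozen=True)
class ThirdParty:
    name: str
    jurisdiction: Jurisdiction
    annual_spend_usd: float
    industry_risk: int      # 1..5, assigned by the programme owner
    relationship_risk: int  # 1..5, e.g. plain supplier vs. agent meeting officials
    intent_risk: int        # 1..5, what the third party is engaged to do


@dataclass
class Assessment:
    third_party: str
    scores: Dict[str, int]
    risk_base: float
    tier: str
    response: str
    exception: bool
    rationale: List[str] = field(default_factory=list)
    recorded_at: str = ""


# Centrally defined, mandated response per tier (constructed wording).
RESPONSE_BY_TIER = {
    "Low": "Questionnaire review and database screening",
    "Medium": "Questionnaire, risk review and English-language OSINT",
    "High": "In-country enhanced due diligence with source commentary",
}
AUDIT_TRAIL: List[Assessment] = []


def check_score(value: int, label: str) -> int:
    """Every indicator must be an integer 1..5; reject anything else up front."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer 1..5, got {value!r}")
    return value


def score_spend(usd: float) -> int:
    """Annual spend band -> 1..5 (bands constructed for the example)."""
    for limit, score in [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]:
        if usd < limit:
            return score
    return 5


def risk_tier(risk_base: float) -> str:
    """Average indicator score -> tier (thresholds constructed)."""
    return "Low" if risk_base < 2.0 else "Medium" if risk_base < 3.5 else "High"


def assess(tp: ThirdParty, override_tier: Optional[str] = None,
           override_reason: Optional[str] = None) -> Assessment:
    """Score, tier, overlay jurisdiction information availability, log to the trail.
    An override is an exception: accepted only with a written reason and flagged."""
    scores = {
        "cpi": check_score(tp.jurisdiction.cpi_risk, "cpi"),
        "expenditure": score_spend(tp.annual_spend_usd),
        "industry": check_score(tp.industry_risk, "industry"),
        "relationship": check_score(tp.relationship_risk, "relationship"),
        "intent": check_score(tp.intent_risk, "intent"),
    }
    risk_base = round(sum(scores.values()) / len(scores), 2)
    tier = risk_tier(risk_base)
    rationale = [f"risk base {risk_base} -> {tier}"]
    exception = False
    if override_tier is not None:
        if not override_reason:
            raise ValueError("tier override requires a documented reason")
        rationale.append(f"EXCEPTION: {tier} overridden to {override_tier}: {override_reason}")
        tier, exception = override_tier, True
    response = RESPONSE_BY_TIER[tier]
    # Jurisdiction overlay: where little is obtainable from open sources an
    # OSINT-only response is likely ineffective, so escalate selectively (more
    # disclosure, local-language research) rather than to full EDD everywhere.
    if tp.jurisdiction.info_availability <= 2 and tier != "High":
        response += "; request greater disclosure and add local-language OSINT"
        rationale.append(f"{tp.jurisdiction.name}: open-source availability "
                         f"{tp.jurisdiction.info_availability}/5, OSINT-only judged insufficient")
    record = Assessment(tp.name, scores, risk_base, tier, response, exception,
                        rationale, datetime.now(timezone.utc).isoformat())
    AUDIT_TRAIL.append(record)
    return record


def logged_exceptions() -> List[Assessment]:
    """What an auditor asks first: which assessments departed from the mandate?"""
    return [a for a in AUDIT_TRAIL if a.exception]


# Constructed sample data echoing the deck's two jurisdiction examples.
DENMARK = Jurisdiction("Denmark", cpi_risk=1, info_availability=5)
SAUDI_ARABIA = Jurisdiction("Saudi Arabia", cpi_risk=2, info_availability=1)
FURNITURE_STORE = ThirdParty("Copenhagen furniture supplier", DENMARK, 2_000, 1, 1, 1)
MARKETING_AGENCY = ThirdParty("Riyadh online marketing agency", SAUDI_ARABIA, 50_000, 2, 1, 2)
```

Calling `assess(FURNITURE_STORE)` yields a Risk Base of 1.0 and the plain Low response; `assess(MARKETING_AGENCY)` also scores Low (1.8) on the indicators alone, but the information-availability overlay appends a request for greater disclosure and local-language research, which is the selective escalation the later slides describe rather than a jump to full EDD. Passing `override_tier` without `override_reason` raises, so no undocumented exception can reach the trail.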
Standard Risk-Based Flow
Approach to Conducting Due Diligence
Questionnaire
• Collects basic and self-declared information. The review should trigger on any disclosed instances of bribery, existence of a compliance programme, PEPs or conflicts of interest
Organise Data
• Understand how third parties are touching your company and the implications it may have
Triage & Address
• Prioritise and adequately address the risks posed by the third parties
Approach to Conducting Due Diligence
Initiate Due Diligence
• Based on the “Risk Base” score, initiate the appropriate level of due diligence
Review Data
• Review findings and either accept and progress, or request further information disclosure or additional inquiries
Further Due Diligence
• Expand the remit of the inquiry or conduct targeted research into issues of concern
Your Tools & Their Limitations
Informing the Approach
• While the above slides should be familiar to any compliance professional, greater knowledge drives a more effective process
• To be effective you need to know:
− What are the tools available to you?
− What are their limitations?
− What are the inherent limitations in each specific environment?
Due Diligence Tools
Broadly speaking, the tools available are:
1. Databases
2. Risk reviews
3. OSINT: Open Source Intelligence
4. OSINT in English and local language
5. Enhanced due diligence with local reach
6. Source commentary within the local market
Important Limitations
Databases:
• Once thought to be the ultimate industry direction and a “magic bullet”, inherent problems persist from:
− False positives
− Local character search limitations (Chinese, Thai, Arabic)
− Supporting algorithms
− Overwhelming or underwhelming baseline databases
− Potential for user error
Important Limitations
Risk Reviews:
• A creative middle ground, this is the professional review of the disclosure documents combined with database searches and research for risk remediation
• Limitations:
− Limited to what is disclosed and database returns only, no additional research or sourcing
− Based only on self-reported information, with no ability to independently collect
− No ability to go further in identification of risk
− Inherits the limitations of database usage, with no ability to mitigate through further research into issues of concern
− Reactive, rather than active
Important Limitations
OSINT (English Only):
• This allows professional researchers a free hand to apply a process of searches against specialist databases and all public domain sources in English in order to identify issues of concern
• Limitations:
− What is reported is only what is in the public domain, and what is in the public domain in English
− The key limitation is language and the information available within the local environment
Important Limitations
OSINT (English & Local Language):
• Much better in that it allows the professional researcher a broader base of sources to draw from in conducting their searches, and is essential in non-English dominated environments (China)
• Limitations:
− This type of report is limited to what is available electronically within the local environment
− Often this means that it is not possible to recover meaningful litigation searches, reputational research or in some cases basic registration and ownership information
− This can result in substantive gaps in achieving coverage against programme mandates
Important Limitations
In-Country EDD with Source Commentary:
• Further expands what is available to include commentary from people in positions of knowledge. Useful in identifying the information that is not reported on but that “everyone knows”, such as whose company this really is
• In jurisdictions in which there is limited public domain information, this is the only means of meaningful coverage
• Limitations:
− Time – 10-15 days and possibly longer to network into good sourcing
− Budget – sourcing is usually worth exactly what you pay for it
The Wildcard of Jurisdiction
Impact of CPI Overlay
• The Corruption Perception Index is taken into account in most workflow programmes associated with risk-based due diligence
• Companies operating in countries in which there is a low incidence of bribery and corruption can generally be considered to be at lower risk of this behaviour for social
• Conversely, in countries like Afghanistan, even the smallest transaction comes with the risk of corruption
− Example: A third party that is a furniture store in Denmark supplying USD 2,000 of tables as part of a yearly transaction managed by London HQ
− The elicited compliance response should therefore be in line with defined Low Risk practice
Impact of Freedom of the Press Overlay
• An effective compliance process should take into account the freedom of the press and access to information in each jurisdiction
− Example: A third party in Saudi Arabia that is engaged to develop an online marketing programme making your products more appealing in the region
− While on the face of it this is a Low Risk third party, the functional limitations of the environment mean that an OSINT-only approach is likely to be ineffective
Implications
• This does not mean that you must conduct the highest level of due diligence on all locations in which there is limited information in the public domain
• This does mean you need to be selective about what you do in these jurisdictions and incorporate knowledge of the environment and risk-based feedback
• This may include running initial reports, requesting greater disclosure or selectively engaging source commentary only on issues of concern
• But it is important to document why you have taken these steps, or why you chose not to
Key Recommendations & Takeaways
Recommendations
• Know the mechanical limitations of the report types you have available
• Incorporate an honest appraisal of the limitations of these report types in the process flow
• Incorporate the limitations of open-source information in each jurisdiction into your process
• Never be afraid to ask more of your process or your diligence provider: a risk-based approach is not a one-size-fits-all approach, and neither should your compliance programme be
Questions?
Thank You