For global enterprises, compliance with anti-corruption laws in the United States and other countries is not just a matter of employees abiding by these laws — multinationals can have many thousands of relationships with vendors, distributors, contractors, agents, and other third parties. Malfeasance on the part of any of these parties could lead to potentially severe legal, financial and reputational consequences.
Companies today typically vet new vendors during the onboarding process to assess potential risks associated with those parties. But how can they improve processes for monitoring risks associated with existing third parties? Many companies have turned to data. Large volumes of data exist both within and outside the enterprise that organizations can use strategically to conduct ongoing third-party intelligence.
Integrating this disparate data into a centralized platform can facilitate the application of powerful analytics to develop a revealing profile of a third party’s potential risk. Such analysis can provide insights for organizations to decide whether to continue, adjust or terminate relationships with specific third parties in order to reduce the risk of fraud or regulatory violations.
Amassing and preparing data
Both internal and external data are important in assessing third party risk.
Internal data sources can include third party vendor master data, transaction activity and onboarding questionnaires completed by third parties.
- Third party master data should ideally be derived from a single third party master list or vendor master file containing a unique listing of all vendors and third parties. Some companies may need to cleanse and consolidate multiple vendor master lists across the enterprise.
- Transaction data may originate from multiple systems used for processing transactions throughout the procure-to-pay cycle. An important challenge is how to efficiently gather and integrate data from disparate enterprise resource planning (ERP) systems into a central data repository.
- Third party questionnaires used during the onboarding process may contain responses about a third party’s adherence to anti-corruption related policies and procedures, and may include confirmation of related compliance training.
External data sources can consist of watch lists, country risk resources and information captured from public records.
- Sanctions and watch lists can include sources such as the Office of Foreign Assets Control (OFAC), the UN Oil for Food Program, the United Kingdom's Her Majesty’s Treasury, the European Union and others — these lists may need to be integrated with company data to cross-check with vendor and other third party lists.
- Country risk data may include corruption indices such as Transparency International’s Corruption Perceptions Index (CPI), country databases such as lists of politically exposed persons (PEP) and data sources for validating business and individual addresses.
- Other public records can be obtained from search engine and media resources (including social media streams) as well as civil, criminal, bankruptcy and other court or regulatory filings.
To manage costs effectively, companies should determine the desired level of detail when consolidating these various data sources into a data warehouse. Development of a clear data integration plan will be a key first step, along with anticipating the challenges of merging data from scattered systems around the world, evaluating relevant data privacy policies, and selecting appropriate tools for handling the complexity of unstructured data (e.g. contracts and scanned invoices).
With the data integrated into a central platform, companies can begin mining it to identify trends and patterns that can help develop a more comprehensive view of their third party relationships.
Interpreting the data and establishing risk indicators
Deciding how to leverage third party data can be just as daunting as collecting it in the first place. Whether a company performs basic analyses in spreadsheets, writes queries in relational databases, uses data visualization software, or employs more sophisticated analytic tools to create predictive models, the goal should be to create a risk-based, repeatable process that allows for the prioritization of third party due diligence efforts.
An important step in building a risk-based approach is to establish risk indicators. For example, common risk indicators found in a company's internal transactional data might include round-dollar transactions, payment amounts greater than invoice amounts, payments that circumvented established approval protocols, transactions paid through miscellaneous accounts, or accounts tied to a third party that was discovered, through public sources, to be under criminal investigation.
Outliers are another form of risk indicator. Examples include one-time vendors receiving a single large payment, small consulting firms receiving large payments in round amounts, or payments being made to a jurisdiction other than the location of the third party. Examining service descriptions for words such as “gifts,” “donations,” or “facilitate” may also serve as useful indicators.
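The transactional indicators and outliers described above can be expressed as rules over payment records. The following is an added example, not part of the original article: the field names, the sample payments, the 1,000 unit used for "round" amounts and the 50,000 threshold for "large" payments are all assumptions.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample payments; field names are assumptions for this example.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "vendor_country": "DE", "pay_country": "DE",
     "invoice": Decimal("1840.55"), "paid": Decimal("1840.55"),
     "description": "Monthly logistics services"},
    {"id": "P2", "vendor": "V200", "vendor_country": "BR", "pay_country": "CH",
     "invoice": Decimal("75000.00"), "paid": Decimal("75000.00"),
     "description": "Consulting to facilitate customs clearance"},
    {"id": "P3", "vendor": "V100", "vendor_country": "DE", "pay_country": "DE",
     "invoice": Decimal("900.00"), "paid": Decimal("1200.00"),
     "description": "Client gifts"},
    {"id": "P4", "vendor": "V300", "vendor_country": "US", "pay_country": "US",
     "invoice": Decimal("412.10"), "paid": Decimal("412.10"),
     "description": "Office supplies"},
]

KEYWORDS = ("gift", "donation", "facilitat")  # stems of the words named in the text
ROUND_UNIT = Decimal("1000")      # assumed definition of a "round-dollar" amount
LARGE_PAYMENT = Decimal("50000")  # assumed threshold for a "large" payment

def flag_payments(payments):
    """Return {payment id: sorted list of indicator names} for every payment."""
    per_vendor = Counter(p["vendor"] for p in payments)
    result = {}
    for p in payments:
        flags = set()
        if p["paid"] % ROUND_UNIT == 0:
            flags.add("round_amount")
        if p["paid"] > p["invoice"]:
            flags.add("paid_over_invoice")
        if per_vendor[p["vendor"]] == 1 and p["paid"] >= LARGE_PAYMENT:
            flags.add("one_time_large")
        if p["pay_country"] != p["vendor_country"]:
            flags.add("foreign_jurisdiction")
        text = p["description"].lower()
        if any(k in text for k in KEYWORDS):
            flags.add("keyword")
        result[p["id"]] = sorted(flags)
    return result

def prioritize(payments):
    """Payment ids with at least one flag, most flags first."""
    flagged = {k: v for k, v in flag_payments(payments).items() if v}
    return sorted(flagged, key=lambda k: (-len(flagged[k]), k))
```

A flag marks a payment for review rather than establishing wrongdoing; ordering by the number of indicators hit gives a simple way to prioritize due diligence.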
Information provided by in-country teams and departments can also be helpful in identifying potential areas of risk. Local teams or departments can provide valuable intelligence regarding country practices, recent corruption trends, latest developments in the region, and other factors. Further, external risk indicators may include ties to government officials, types of services (e.g. customs agents), or country CPI rankings.
With risk indicators established, companies can begin prioritizing their diligence efforts by developing data models and third party risk profiles across different countries. They may leverage advanced analytics to uncover new insights as they transition to a data-driven process for assessing third party risk globally. In Part 2 of this two-part series, we will examine how these indicators can be utilized to create risk profiles and help enhance third party risk monitoring.