By Sanday Chongo Kabange, The Red Flag Group®
Compliance and legal teams are managing larger and more complex tasks beyond their traditional responsibilities. This is partly because of the changing landscape of the compliance industry as well as the introduction of new legislation, new risks, changes to their businesses and increased enforcement actions by regulators. It is not news that the compliance and legal teams are looking to do more with less.
Despite these ever increasing roles, the risks at a company need to be properly managed. Government regulators do not care that you were “too busy” when your third parties pay bribes to win your company business. Nearly every department at a company has the potential to expose your company to third party risks. Processes and procedures need to be in place to identify, manage and mitigate those risks before they impact your organisation.
Although nearly every function in the company is using third parties, it often falls to compliance and legal to own or at least manage those risks. This way of thinking is not sustainable or practical given today’s business environment of decentralisation with thousands of third parties and the frequent doling out of fines.
The various other functions at a company need to own and manage their own risks.
Compliance and legal are there to build a framework for risk management, provide the right tools and offer guidance when difficult situations present themselves. They are not the risk-owning department.
There is an increasing trend for each function to make use of background checks, due diligence and business intelligence directly and pay for it out of their own budgets.
For instance, HR interacts with potential executives during pre-hiring screening, some of whom may have questionable pasts or connections. Similarly, channel teams engage with potential resellers and agents, some of who may have questionable integrity or reputational issues. For many of these third parties, these functions can look to handle the process of gathering business intelligence of their own under a framework that was constructed by the compliance and/or legal departments.
It’s important to understand how your teams engage and interact with your prospective partners so that you have a clear view of the areas where risks may creep into your organisation.
The aim is having a better understanding of how each of your teams interacts with outside parties then rolling out control measures applicable to each team. This can be done by conducting an internal risk assessment to determine your high risk third parties then prioritising risk mitigation tactics.
Conducting background checks or due diligence does not only apply only to compliance and legal functions, and neither should this be solely owned by these two functions.
Due diligence can be used by every department of your organisation that engage or interact with parties outside of your organisation. Even though the end use or screening may differ slightly from team to team, the ultimate goal is ensuring that you make informed decisions when engaging with your partners.
Once you have identified your organisation’s high-risk functions and approved budget requirements, you can work with an outside vendor to help you conduct background checks on your partners. There are pros and cons to using in-house and third-party due diligence and business intelligence vendors. While in-house resources can be cheaper in some situations, there can be a conflict of vested interest, lack of expertise, reach, specialisation, language barriers and in some cases limited access to business intelligence, local insights and independent recommendations.
On the other hand, having an outside vendor conduct background checks on outside parties ensures more independence, access to enriched data, expertise, specialisation, advice and business intelligence is much wider. Outsourcing your due diligence needs to an external vendor ensures that you have a wide reach to many jurisdictions you do business in and in-country specialists that are able to provide better local insights and context on some of the common issues or inherit risk concerns in that country or industry. For example, if you were to enter a new market in Tajikistan, Thailand or Belize, would there be competent in-house resources at the ready?
Outsourcing can provide more access to open source, subscribed and proprietary data and independent recommendations on issues identified, allowing you to make better and well-informed decisions.
Your teams; compliance, legal, HR, sales, IT, procurement, business development, distribution management and other high risk teams must partner and coordinate risk management efforts, ensuring that all your potential pain points are sealed off. Your team must supplement and complement each other to avoid a siloed and perilous view of third-party risk. The goal of any due diligence or business intelligent effort is to answer the question “how can this other party harm us?” That is a question that every department at your company should be asking themselves.