Which resources are required for a third party compliance programme?

When The Red Flag Group is assisting companies to roll out third party compliance programmes, the firm is often asked which resources will be required to oversee and maintain those programmes.

The answer to this question is quite complex and depends on the type of company and the way it is structured. It also depends on the type of due diligence each company is conducting and the volume of the installed due diligence base. There are, however, some key commonalities between all companies that build and roll out their programmes, which can provide a rough guide on the number of resources required.

For the purposes of this article, we will base our discussion on a Fortune 500 company that trades in international markets through distributors and resellers (together known as channel partners). We will look at the resources needed to launch and roll out a programme for these channel partners. From a volume perspective, we can assume that the number of first- and second-tier channel partners is going to be in the thousands (likely to be close to 10,000 globally).

Central programme management resources

In almost every situation – whether the programme is operated centrally or is distributed – there is likely to be two people that work the programme at a ‘corporate’ level. These are generally fairly senior people that understand the compliance risks of the company and will own and manage the third party compliance, programme. They will primarily be responsible for running the programme internally, gaining buy-in from countries, and signing on various vendors to provide due diligence and technology.

Two full-time employees will usually be required in central programme management roles. In some cases, these people might have a dual responsibility with another compliance programme (like anti-corruption). In most cases, however, the third party compliance programme is large enough to justify dedicating two people solely to it. These resources will typically report
to the chief compliance officer.

Central legal resources

A member of the legal team is often involved in setting up the programme. He or she advises on issues such as vendor contracts, due diligence protocols, investigation techniques, and privacy issues surrounding collecting data in emerging markets and the storage of and access to that data.

This role will often only require one part-time resource for three to six months, until the               programme is up and running.

Central administrative and technology resources

Assuming some technology is being used (such as The Red Flag Group’s ComplianceDesktop® Compliance Technology Platform), there is likely to be one person at a corporate or centralised level who is the system administrator. This is often an administrative or junior compliance person, rather than someone with direct reports or who is responsible for running the compliance programme.

The system administrator’s role is primarily to operate the system, oversee the training of users and manage the reporting, in an effort to tune reports from the system and track how the programme is being implemented in each country. They are also the central point of contact for IT vendors and the internal IT team. At an estimate, one full-time system administrator will be required in the compliance function. They are likely to report to the central programme managers.

Role of local compliance staff

A Fortune 500 company – such as the one in our example – would require a team of compliance people around the world. These staff would be members of the global compliance team and would report to the chief compliance officer. They would be spread across various geographical regions and would be the local team to manage compliance in those jurisdictions.

Managing the third party channel compliance programme would probably take up around 25 to 50 percent of their time. This would involve setting up the programme in each country, working with the business teams there and working through the local legal issues surrounding the programme.

Around four or five full-time employees will be required as local compliance employees, each in a different region. If the volume of due diligence is substantial in a certain country, it may be necessary to add junior compliance people to specifically focus on due diligence. This may happen in countries such as China, Brazil, India and Russia, where there are more risks and high
volumes of partners.

Role of local business staff

Local business units may also offer some resources to assist in managing the programme. These resources are often business people who manage the channel partners: channel operations, channel management, distributor managers and distributor excellence. Although not part of compliance, they are tasked with rolling out the programmes in their respective regions with the support of the compliance function.

It is not unusual for a global company to have ten or 20 people globally supporting these efforts. Their role is primarily to identify new partners, enter them into the technology platform, launch questionnaires and chase their return. They are then responsible for checking the questionnaires, ordering due diligence and then reading and acting on the findings of the due diligence. Conducting due diligence makes up around 25 to 50 percent of their role, but this may be higher in the early stages of the roll-out. Where appropriate, they will consult their regional compliance leads regarding findings and next steps.

Approximately five to ten full-time employees will be required in the channel operations or management functions.

Previous Article
China has made a major change to the way companies sell drugs and medical devices
China has made a major change to the way companies sell drugs and medical devices

The Chinese government has changed the way medical devices and drugs are sold to hospitals, clinics and sta...

Next Article
Participate: Compliance budgets survey 2017
Participate: Compliance budgets survey 2017

A company’s compliance budget tells a lot about the company and its stance on compliance.

Looking to build a perfect due diligence programme for your business?

Contact us