Which resources are required for a third party compliance programme?

March 14, 2017

When The Red Flag Group is assisting companies to roll out third party compliance programmes, the firm is often asked which resources will be required to oversee and
maintain those programmes.

The answer to this question is quite complex and depends on the type of company
and the way it is structured. It also depends on the type of due diligence each
company is conducting and the volume of the installed due diligence base. There
are, however, some key commonalities between all companies that build and roll
out their programmes, which can provide a rough guide on the number of resources
required.

For the purposes of this article, we will base our discussion on a Fortune 500
company that trades in international markets through distributors and resellers
(together known as channel partners). We will look at the resources needed to
launch and roll out a programme for these channel partners. From a volume
perspective, we can assume that the number of first- and second-tier channel
partners is going to be in the thousands (likely to be close to 10,000 globally).

Central programme management resources

In almost every situation – whether the programme is operated centrally or is distributed – there is likely to be two people that work the programme at a ‘corporate’ level. These are generally fairly senior people that understand the compliance risks of the company and will own and manage the third party compliance, programme. They will primarily be responsible for running the programme internally, gaining buy-in from countries, and signing on various vendors to provide due diligence and technology.

Two full-time employees will usually be required in central programme management roles. In some cases, these people might have a dual responsibility with another compliance programme (like anti-corruption). In most cases, however, the third party compliance programme is large enough to justify dedicating two people solely to it. These resources will typically report
to the chief compliance officer.

Central legal resources

A member of the legal team is often involved in setting up the programme. He or she advises on issues such as vendor contracts, due diligence protocols, investigation techniques, and privacy issues surrounding collecting data in emerging markets and the storage of and access to that data.

This role will often only require one part-time resource for three to six months, until the programme is up and running.

Central administrative and technology resources

Assuming some technology is being used (such as The Red Flag Group’s ComplianceDesktop® Technology Platform), there is likely to be one person at a corporate or centralised level who is the system administrator. This is often an administrative or junior compliance person, rather than someone with direct reports or who is responsible for running the compliance programme.

The system administrator’s role is primarily to operate the system, oversee the training of users and manage the reporting, in an effort to tune reports from the system and track how the programme is being implemented in each country. They are also the central point of contact for IT vendors and the internal IT team. At an estimate, one full-time system administrator will be required in the compliance function. They are likely to report to the central programme managers.

Role of local compliance staff

A Fortune 500 company – such as the one in our example – would require a team of compliance people around the world. These staff would be members of the global compliance team and would report to the chief compliance officer. They would be spread across various geographical regions and would be the local team to manage compliance in those jurisdictions.

Managing the third party channel compliance programme would probably take up around 25 to 50 percent of their time. This would involve setting up the programme in each country, working with the business teams there and working through the local legal issues surrounding the programme.

Around four or five full-time employees will be required as local compliance employees, each in a different region. If the volume of due diligence is substantial in a certain country, it may be necessary to add junior compliance people to specifically focus on due diligence. This may happen in countries such as China, Brazil, India and Russia, where there are more risks and high
volumes of partners.

Role of local business staff
Local business units may also offer some resources to assist in managing the programme. These resources are often business people who manage the channel partners: channel operations, channel management, distributor managers and distributor excellence. Although not part of compliance, they are tasked with rolling out the programmes in their respective regions with the support of the compliance function.

It is not unusual for a global company to have ten or 20 people globally supporting these efforts. Their role is primarily to identify new partners, enter them into the technology platform, launch questionnaires and chase their return. They are then responsible for checking the questionnaires, ordering due diligence and then reading and acting on the findings of the due diligence. Conducting due diligence makes up around 25 to 50 percent of their role, but this may be higher in the early stages of the roll-out. Where appropriate, they will consult their regional compliance leads regarding findings and next steps.

Approximately five to ten full-time employees will be required in the channel operations or management functions.

Previous Article
Ten soft skills of a compliance officer as a change agent
Ten soft skills of a compliance officer as a change agent

Introducing change also needs to rely on a cohesive company culture. Before launching any new programme, co...

Next Article
The Red Flag Group: Letter from the CEO
The Red Flag Group: Letter from the CEO

Quarterly newsletter containing the latest Firm news from our regions and product development teams.