Blue Umbrella Third Party Risk Perspectives

The Challenges of Handling Large Populations of Third Parties

Written by Blue Umbrella | Feb 17, 2025 12:00:00 PM

As companies grow, they face an ever-increasing number of third-party providers. Learn how to scale your third-party risk management program effectively to meet this challenge.

The Challenges of Handling Large Populations of Third Parties - Transcript

Elliot Berman: Hi, welcome to this episode of Blue Umbrella Third Party Risk Perspectives. I'm Elliot Berman from AML RightSource, and I'm here with my colleague Chris Sindik. Chris, do you want to introduce yourself?

Chris Sindik: Sure. Hi everyone. My name is Chris Sindik. I'm the Director of Third Party Risk and Due Diligence here at Blue Umbrella.

Elliot Berman: Today we're going to talk about the challenges of handling large populations of third parties. So, Chris, some of your clients probably have relatively smaller populations of vendors and other third parties. But as you get to bigger corporates, and bigger FIs for that matter, they have a much larger number of third parties that they're dealing with. What are some of the steps for organizations like that to move to a technology-based due diligence solution?

Chris Sindik: It's interesting how different companies will come into owning and realizing that they have to deal with a large population of third parties. Sometimes it can be a new head of a compliance or an ethics program or AML, whatever it might be, coming into the company and looking at the third parties that they have, taking stock and realizing suddenly, "Oh, goodness, we should have been doing screening this whole time," or "we should have been doing due diligence," or something of that nature, and just turning over a rock and saying, "Wow, I didn't realize these 10,000 third parties have never even been screened for sanctions." So that's one of the interesting ways that clients find themselves in this situation.

Another one is through more organic growth of the company. And they were doing things for a while with Excel spreadsheets and SharePoints and emails back and forth, databases, things like that. And that can work when you have 20 a week. But when you have 200 a week, or suddenly 2,000 a week, it turns into a much different process. And it breaks down because of it.

I think that regardless of how companies come into this situation of having a list of thousands or tens of thousands of third parties that they suddenly need to remediate and analyze and investigate, the steps can look the same. A lot of times the first step is just: where's the data? Is it in SAP? Is it in Salesforce? Is it in Excel sheets? Is it in some legacy system that was shut down six months ago and was archived, and it's a zip file? So there are a lot of different things that can come into play there just to know what your population is. And it's amazing the amount of work that just goes into this first step.

So I think it's getting it all in one place, having that list of "here's everyone who could be in consideration." And then from there, it's really a matter of filtering it down, taking a risk-based approach. And I think a part of that too is looking at some really key factors: what data do you have on hand? If it's just a name and an address, maybe a phone number, maybe a website, it can be difficult to determine what they're doing for you. Are they still active? That's a big question too. Just because they're on this list, have we ever used them? Maybe they're just there for bench strength.

Any data that you have that can help to create even a basic risk matrix around these third parties can help a lot. The country that they're in. Looking at things like the CPI, the Corruption Perceptions Index, to see where they are. If they're in a low-risk jurisdiction, okay, maybe not one that you want to address right away, versus one that would be perhaps in a sanctioned country, which is a red flag for a lot of organizations.

Is it spend? Are we spending $5 a year with them or $5 million? That certainly comes into play. So I think if you have that information on hand along with the type of work that they're doing, taking spend into account, maybe it's a few thousand dollars a year. But if they have access to certain types of your data, if they're an IT company, for example, or they're a marketing partner and they have access to email addresses and personally identifiable information, spend becomes irrelevant.

So I'd say just get the data in place, clean it up as best you can, remove duplicates, remove those that are inactive, maybe the company's folded, and just do a basic risk ranking to start out with, so you can align with the approach of a risk-based methodology whenever you can.

Elliot Berman: As you've already alluded to, when you either have rapid growth or, as you say, turn over a rock and 10,000 vendors crawl out, or whatever it might be, that can be a very difficult process to manage because of the rapid change in the population. What are some of the ways, beyond what you've already talked about, that are helpful to make it manageable?

Chris Sindik: I think a big part of it is the technology. Because when you are getting past the offline documents and moving to a platform or a solution that can help you with resources, there's generally not going to be an additional few headcount hires. When you find these new third parties, it's just, "Hey, do the best you can with what we have right now."

So luckily technology can help to bridge that gap in a much more streamlined fashion than people can do. But once you have that risk-based approach, I think it is being realistic from the start. Sometimes I've talked to clients and they want to gather all this information: get media screening, get sanctions screening, get litigation information about it, social media profiles, cybersecurity, et cetera, down the line.

And while I think that that's certainly useful information and it's valuable, you have to be prepared to think about what you're going to do with it at the end of the day. Because if you gather this information, you have to act on it. A good way to think about things sometimes is that if the worst happens, say a third party that you're working with pays a bribe on your behalf and the DOJ or the SEC come knocking and they ask what you knew, when, and what you did about it, you don't want to have a big profile or a big record that the third party, for example, disclosed to you that they were making these payments, or that they were in the media where their CEO got thrown in jail, and it was just sitting there and you never acted on it.

You can become quickly overwhelmed by the information. Again, taking the theoretical number of 10,000, if there are a hundred hits on each one of those third parties, and some are false positives, obviously, it's just a lot to sort through at the same time. Again, it's about that risk-based approach. There are some things that I believe, and I think a lot of regulators believe, and a lot of other compliance practitioners believe, that you should be doing for everyone. Which is something like a sanctions and a watch list screening. That's a stop sign if someone is genuinely on that list. And if you don't do that, it's "What are you guys doing over there with your program?" if something were to happen.

I think starting with those baseline checks is a good thing to do. I also think that, once you have that list down, focusing on your riskiest third parties, perhaps sending them a questionnaire. Learning a little bit more about who their owners are. If they have certain compliance controls in place. If they have any ongoing litigation right now, if they've had any enforcement actions. You can certainly go out and find those things in most jurisdictions yourself, but that comes with an effort.

So just asking third parties about them can be a way to put the ball in their court and take some of the burden off of the team, and hoping that they're going to be truthful. It's that old adage of trust, but verify. So also making sure that you're going through and not just taking their word for granted. But that can be a really good starting place to jump off and find out some more information about these third parties that you don't know anything about to start with.

Elliot Berman: You talked about sanctions and watchlist screening as the bare minimum. And one of the reasons for that is you want to know who you're doing business with. The other is, depending on where you're located, there are implications for failing to do that on your part. In the US, in addition to the sanctioned party being watched by the government or pursued by the government, failure to do a sanctions screening puts your own company at risk. But once you get past those basic must-dos, when would you introduce media screening?

Chris Sindik: It's a good question, because in the time and the age that we're at right now, legal risks are certainly the baseline standard for a lot of companies, and they're always going to be there, and they're the risks that have a lot of zeros behind them. But the same is true for reputational risks. Although someone's not on a sanctions list or a watch list, it doesn't mean that they're A-OK, thumbs up, green light, foot on the gas pedal, let's go with them. Absolutely not.

I think that once you have a risk framework in place that you're comfortable with for determining who's low risk, who's medium risk, who's high risk, it might be a single factor that would put someone into that high-risk category. For example, if they're working as, like, a sales agent, that's typically pretty high-risk work: securing business for the company and being on a commission basis and not necessarily an employee of your company. We've seen a lot of failures with that in the past too.

I think focusing on those high-risk areas, and really specifically when it comes to media too, I would say that companies need to look at the transparency and the media integrity for the third parties that they are thinking about putting through a media screening or even a litigation screening. Because sometimes there's really not a lot out there on these companies. So you don't want to necessarily go and look for some media reports in a part of the world where the media really can't be relied on as much.

I was talking to some of my colleagues that work in the Chinese market specifically, where we do a lot of our work, and they were talking about how media reports that are there sometimes can vary wildly depending on the source. And it's difficult to know if it's a real, genuine report of facts, or if it's opinion, or if it's politically motivated sometimes. These are things that need to be taken into consideration.

I would say again, it's that risk-based approach. That's true for nearly every part, if not every part, of the compliance and risk and ethics program. But also just the specifics of the situation and thinking about the value that you're going to get out of it. I will say, too, that there are times we need to step back and say, okay, is there going to be a media report or a litigation report that's really going to keep us from doing work with this company? And that sounds horrible to say, but I say this in the context that if you were to do a media check on some of the largest companies in the world, you're going to find things that are negative. You're going to find things that are adverse media. But are things of that nature going to necessarily stop you from doing business with that company?

Perhaps. It all depends on the risk appetite of our clients. But at the same time, be realistic with what you're going to find and how that might impact the relationship too. So it's not that someone's so big that they're immune from the process, but be realistic about what you're going to do with those findings. It's about the risk appetite. Thinking about the relationship with that third party specifically, and thinking about what you're really going to do with those media reports and if you can trust them.

Elliot Berman: Chris, thanks for this chat. This is one of the many challenges in handling third-party risk management. And I'm sure our audience found this to be really useful. So have a good day and we'll talk again soon.

Chris Sindik: Thanks so much, Elliot.