Blue Umbrella Third Party Risk Perspectives

What is the Best Structure for a Due Diligence Program

Written by Blue Umbrella | Feb 5, 2025 1:00:00 PM

Learn about different aspects of structuring an effective third-party risk due diligence program.


What is the Best Structure for a Due Diligence Program - Transcript

Elliot Berman: Hi, I'm Elliot Berman from AML RightSource, and I want to welcome you to this episode of Blue Umbrella, Third Party Risk Perspectives. And I'm here with my colleague, Chris Sindik. Chris, why don't you introduce yourself?

Chris Sindik: Sure. My name is Chris Sindik. I'm the Director of Third Party Risk and Due Diligence here at Blue Umbrella.

Elliot Berman: And today we're here to talk about what are the best structures for a due diligence program. I'll start out, Chris, with the big picture, and that is, is it better to do a centralized or decentralized third party risk management program?

Chris Sindik: I think the answer to that question is that you can't necessarily say one is better than the other. As you can imagine, there's not one magic bullet or one size fits all when it comes to building a third party risk management program or due diligence program. What do we mean by a centralized versus a decentralized program?

In my career, I've worked with a lot of companies in sort of an advisory capacity as they look to build their process and policies from the ground up or change it. For various reasons, whether it's to be in line with government guidance or an acquisition or divestiture or a new leadership regime, whatever it might be.

But really what we mean when it comes to a centralized program is there's one head office if you will. And most of the decisions, if not all of the decisions, would need to go through the Legal and Compliance Office or the Procurement Office or, the Ethics Office, whatever it might be, but really having everything flow through one centralized group or process and policies, and it all goes through the same track.

Generally this can be for a company that might be a little bit smaller or one that just wants to have really strong leadership and oversight from that perspective. With decentralized, as I'm sure our listeners can gather, it's where you might have sort of an overarching guidance to a company or group of companies, but depending on which business unit they're in or which location they're in, they might have a unique way of doing things. It would still be in line with sort of the overall risk appetite of the organization and philosophy, if you will, for third party risk management and due diligence, but there's more freedom to have their own systems. So in terms of which one's better, I think it can really just depend on the organization.

As I mentioned a little bit previously, if it is maybe a smaller organization that's only a hundred or a couple hundred people, it would almost be difficult to have that be decentralized, since it would typically only be one or two people that would be onboarding third parties, conducting training, whatever it might be. But for organizations that have dozens or even hundreds of different business units or operations globally, decentralized has certain benefits to it.

I think one of the benefits of a decentralized program is that you can account for the nuances of that business. Sometimes it is head office dictating things down to all the different business units: do it this way, there's only one right way to do it, and it's our way. That may not work as well in a lot of different ways for those different locations or those different companies.

Not to say that just because something has always been done a certain way, that's the right way to do it. But entrusting the business that they know their program. Certainly there are some things that you want to have a firm prohibition on or allow just because you want to be in line with the law and good practices, and certainly work backwards from the perspective of, if there was a compliance issue, what would you do about it?

But it can create some efficiencies to have things be more decentralized and have that pathway up to escalation if needed. Which one's better? I think that a lot of times it depends on the circumstances for the company, if maybe they're starting things out for the very first time and compliance is a relatively new concept.

If the company, for whatever reason, is in that situation, that's when you can have, I think, a little bit more of a centralized approach: people that really know the subject matter well, they can have their arms wrapped around it and control it, and there's a little bit more confidence that things are going to go well, knock on wood, if there is just a singular approach to it, and there's that customized oversight on a case by case basis that you may not get from the decentralized model.

Elliot Berman: Besides what you've already talked about, which to some extent seems to be driven by size and complexity, are there other factors supporting each of the approaches?

Chris Sindik: I think there are a couple of big variables that I'll point out. One is the maturity of the program, and I think the other is just the resourcing of the program.

Again, as I mentioned, it might be a smaller company, or maybe one that's venturing out into compliance and starting to take it seriously for whatever reason, whether it's a legal obligation or thinking of compliance as more of a competitive advantage. Having that centralized approach, there's a little bit more reassurance that things are going to go right from the start.

Because with that decentralized model, I think that inherently there's a little bit more trust in those different business units to know what is the appropriate way to go about it. And maybe third party risk management is not something that's a core part of their responsibilities, or it's not the main part of their day job where they're assisting as best they can.

For example, it might be someone in sales that's looking to onboard a new distributor of products, and they want to ask certain questions, find things out about a third party. They can do that, but do they know what to look for in terms of red flags? Oh, this third party allows facilitation payments. Okay, is that okay or not? Is it legal or not? Those may not be things that you necessarily want to have them opine on and make a decision that could eventually get the company in hot water.

Two, looking at the decentralized approach when it comes to a maturity perspective. If a company has been around for 20, 50, 100, 200 years, you figure that they might have grown over that time, certainly, and might have a very large global reach and have been building their program up for many decades.

Because the program is larger, it extends into different markets, and sometimes via acquisition. When you acquire a new company, you're not just acquiring that company alone, but all their third parties, their customers, et cetera, too. So they may have a very unique way of handling third party risk management that is different from the acquiring company. So with that, it can be difficult to drop the hammer and change everything in a day and shift that culture too.

So I think that's definitely another factor to consider: the culture shock going from one to the next when you're bringing on other companies, new markets, new employees. There's a lot for them to handle, and although it may change over time, it can make sense to stick with that decentralized approach. Certainly have oversight to make sure things are going well and that there are reporting lines up to the ultimate parent company and the most senior members of the ethics and compliance team. But at the same time, understanding that they have that for a reason, and seeing perhaps what you can take from these little bits and bobbins from other parts of the program to improve things overall. Just because they're doing things one way that's different doesn't mean it's necessarily worse or better, but understanding that and taking the best from both worlds can be a good way to go about it.

The other point that I mentioned is in terms of resourcing. If you only have one or two people that are leading up the third party risk management program, it might be a little bit more centralized in that approach. Or if you don't have very many resources, it can be a case of deputizing other functions and other responsible individuals to carry out tasks of the compliance team. Generally, as I mentioned with the example of the salesperson bringing on a new distributor, you can have them do some parts of the process that maybe are a little bit more administrative in nature, where they don't need to make a judgment call about a high risk third party or some of the other factors that you really want a subject matter expert to make a decision on ultimately.

But there are certainly some very large companies out there that have more people in the compliance and ethics and legal space than there are employees at some companies, hundreds or possibly even thousands in that regard. So when you have those resources at your fingertips, whether it's through acquisition or just global reach, you can have some more of those responsible individuals, compliance champions in various locations, that can help to run the program on a day to day basis. I think the maturity of the program, the resourcing, and just the size as well can be some real big factors when it comes to a centralized or decentralized program.

Elliot Berman: And irrespective of which model you follow, a core set of guidelines and principles is required. Whether it's a smaller program, either because of size or maturity, or a big complex program, there's still risk appetite, ethics guidelines within the company or at the parent level, and things like that. So again, the centralized versus decentralized is more on the operating side, as opposed to the "what are we really going to tolerate" side?

Chris Sindik: Yeah, definitely. There needs to be senior leadership, the board at times, opining on and really dictating what those controls need to be. And there's no sort of deviating from those overriding principles that are there. And it needs to be done, whether it's the centralized or decentralized model, to not dip below certain standards and make sure that they're in line. But yes, regardless of which one of the approaches you're using, there needs to be that senior leadership buy-in.

And I think there's a little bit more flexibility on the day to day, whether everyone's going to use one software platform, or maybe there's a couple of different ones that can be used. Ultimately, if you find that you're using a dozen different tools a dozen different ways, logic would dictate, maybe we can cut this down.

There's overlap because this company is using system A versus system B, and it finds out that there's a lot of overlap and you're doubling up on work sometimes too. I think philosophically there needs to be an alignment at the board level, going down to senior leadership, middle management, so on and so forth. But in terms of the day to day, there should be a little bit more flexibility with that decentralized model to address the needs of the business.

Elliot Berman: Chris, thank you very much for chatting about this element of the third party risk management puzzle that companies have to deal with. And I look forward to our next conversation.

Chris Sindik: Yeah, me too, Elliot. Thank you.