Managing third-party bribery and corruption risk can be one of the more challenging aspects of both overall anti-bribery and anti-corruption (ABAC) and third-party risk management (TPRM) programs. The two programs are also closely intertwined. Organizational stakeholders – shareholders, regulators, customers, and interested bodies such as pressure groups – are focusing on both of these areas with increased intensity today. This is not surprising, as third parties represent one of the largest areas of ABAC risk exposure to a company, and their compliance failure can result in significant financial and reputational damage for the organization.
However, getting an ABAC program for third parties right – greatly reducing the probability of a risk event occurring – can often mean the need for an organization to substantially raise its game. Applying focus on ABAC compliance after an investigation or enforcement action is never the best approach, as the damage is already done.
Below are 5 important best practices that organizations around the globe are implementing within their ABAC third-party risk management programs today:
- Aligning policies and processes to recognized standards and guidance – Organizations usually have ABAC regulations that they must adhere to when structuring their ABAC programs. However, organizations should also seek to align their ABAC programs to at least one of the standards that exist today. These standards provide important guidance and best practices for ABAC programs, including how assessments and due diligence should be structured. Some firms adopt several standards to be sure they are implementing a truly best practice approach to ABAC, particularly around third-party ABAC risks. Key standards include ISO 37001, Transparency International’s Business Principles for Countering Bribery, the Wolfsberg Anti-Bribery and Corruption Compliance Program Guidance, and the World Economic Forum’s PACI Principles for Countering Bribery.
- Integrating with third-party intelligence content – Connecting directly with data and information feeds – which provide intelligence on third-party corporate performance, financial crime, and fourth parties – is essential today for an ABAC program. It is almost impossible for an ABAC team to source and input this information manually. There is simply too much information being produced too quickly for ABAC teams to be able to keep up with manual research and inputting. Failing to have access to this data in a timely way could result in the organization being exposed to risk unnecessarily. Having a manual process can also slow down the third-party approval process, hampering the business. Good third-party data feeds with ABAC components include Refinitiv, Arachnys, Dow Jones, the Red Flag Group, and LexisNexis.
- Performing assessments on all third parties, segmented by risk exposure – It’s very important for organizations to screen all of their third parties and to understand their inherent risk associated with bribery and corruption exposure. First, without inherent risk assessment information, it’s impossible for a company to truly understand its overall inherent ABAC risk position from a portfolio perspective. Second, third parties also have third parties – often referred to as fourth parties. It’s important for organizations to know if any of these fourth parties are a bribery or corruption risk, especially if they undertake work associated with an organization’s contract. Third, it is important that the entire assessment program is risk-based – that is, the level of detail required by the assessment is in line with the level of risk the third party presents. Organizations should segment their third parties by risk profile and criticality to ensure that higher risk relationships receive a more in-depth review, while those that don’t meet risk thresholds aren’t required to go through unnecessary processes.
- Scoping the level of due diligence by risk – ABAC checks can be a particularly challenging aspect of third-party onboarding because of the complexity of ownership structures, various regulatory requirements, and the volume of data that often has to be collected. Different third parties will require varying levels of due diligence. Some will require enhanced due diligence, while others will require less intense vetting. Organizations should be able to determine the level of due diligence required for a new third-party relationship, based on set criteria such as a risk score or criticality. Being able to adjust third-party due diligence levels by risk will help make the overall onboarding process more efficient and a better experience. As a result, it should reduce overall cycle times, helping the business to better meet its goals.
- Maintaining automated continuous monitoring – A third party’s risk profile can change overnight, exposing the organization to unanticipated risk. For example, a change in ownership, the exposure of a bribery scandal, or a corruption event at a fourth party could have an enormous impact on the third party’s ABAC risk score. Organizations need to be immediately aware of significant changes in the ABAC position of their third parties, including risk non-compliance and negative headlines. Attempting to undertake continuous monitoring manually is extremely difficult. This approach is time- and resource-consuming and prone to error. Automating continuous monitoring through the use of information feeds and third-party risk management software makes notification immediate and actionable. Automated, continuous monitoring for changes in risk profile can then be used to trigger incident reports as well as remediation or termination plans as required.
Finally, ensuring all of this action is auditable is also extremely important, as it will help you report and demonstrate compliance to auditors and examiners. Taking a proactive approach to third-party ABAC compliance that follows best practice helps ensure that your business and its reputation are protected and that you are operating with the level of ethical integrity your stakeholders and the wider community expect. And if that’s not enough, it also helps keep your name off the ever-growing list of enforcement actions.