Third parties require comprehensive due diligence, says expert panel
Third parties are both a necessity and a burden that requires comprehensive due diligence, according to a panel of third-party compliance and risk management experts.
The webinar panel consists of Sam Abadir, VP of Industry Solutions with Lockpath; Michael H. Huneke and Ernest J. Alvarado, partner and associate respectively in the Anti-Corruption & Internal Investigations practice group at Hughes Hubbard & Reed LLP; and Irene Pasternak, Director of the Anti-Bribery & Corruption division for Navigant Consulting.
If you manage third-party risk or comply with regulations like the Foreign Corrupt Practices Act (FCPA), the webinar offers straightforward guidance on key topics specific to third parties. You’ll need a subscription or pass to watch the webinar recording. Here are some key takeaways:
Paint a contextual picture
The due diligence process differs from vendor to vendor, according to Abadir. What’s important is bringing into focus a contextual picture of what your third party will do for your organization. You should map your third party’s capabilities and deliverables back to your processes. This way, you’ll know the inherent risk a third party poses to your organization, so that it can be addressed during planning.
Double down on due diligence
Huneke presented case studies of notable FCPA fines and settlements related to third parties, including consultants, vendors, agents, distributors and lobbyists. Panasonic Corp, for example, paid $280 million to resolve FCPA offenses resulting from bribes disguised as consulting fees. Panasonic addressed the issue at the corporate office and severed ties with sales agents. However, local offices kept bribing. The case reflects the need for comprehensive due diligence of third parties with regular assessments.
Look for red flags
Third parties are essential for organizations, but in certain situations, third parties can be corrupt. Bribes and FCPA infractions often occur with the local counterpart to foreign officials. Alvarado pointed out how organizations can spot the red flags that indicate issues of heightened concern. A red flag does not yet mean it is time to pull the plug on the operation, but it is an opportune moment for asking questions. Typical red flags involve financial transactions like inflated payments, invoices and expenses.
Prioritize third parties based on risk
Organizations should dedicate the lion’s share of resources to the third parties that present the highest risk, according to Pasternak. Not every vendor needs the same scrutiny. Automation can also free up resources to focus on the highest third-party risk concerns. Whether the goal is complying with a regulation, managing risk, preventing incidents or all of the above, prioritization plays the percentages that favor success.
Document, never ignore
All webinar panelists offered smart strategies for third-party risk mitigation. One key point stressed by Huneke and Alvarado is the importance of documentation to protect the individual as well as the organization. We don’t always know when or if an action or incident will be reviewed, so detailed and organized documentation and recordkeeping, including who was involved, is extremely important.
There’s no shortage of webinars on managing third-party risk. This webinar, focused on strategy, technology and the FCPA, is essential for organizations that have high-risk third parties and use entities outside the organization for foreign markets. Organizations need third parties to do business globally. What they don’t need is headaches caused by third parties.