It’s November, which for many, means ski season is near. I love to ski, and I’m not alone. An estimated 130 million people ski and snowboard throughout the world. Skiing is great, but it can also be dangerous. Because of this, people have devised ways to lessen the likelihood of something going wrong. People wear hats to avoid frostbite, helmets to avoid brain injury, and releases so that their skis will detach from their boots if they fall. Skiers mitigate against the risk of things going wrong so they can enjoy the activity they love.
Businesses must do the same thing. The use of third-parties comes with tremendous upside. Third-party sales agents and distributors may hold the keys to new markets and dramatically increased revenue. New acquisitions may double or triple the size of a business. But these third-parties often come with risk.
Risk mitigation is part and parcel of a compliance officer’s job. Because greater than 90% of FCPA cases involve the use of a third-party, third-party risk mitigation is key to having a successful compliance program. But how is third-party risk mitigated? And how do we know if we’re doing it effectively?
In honor of this week’s launch of the Focus Series course on Creating a TRULY Risk-Based Third-Party Program (information HERE), let’s go through the ultimate mitigation toolkit. The following are ten different ways that third-party risk can be mitigated, along with a description of the activity, and an example of how they’ve been used by clients of Spark Compliance Consulting.
When to Use Mitigation
There are two different times to use mitigation. First, one or more of the tools above should be used as part of the standard escalating due diligence process. This means that various mitigating activities will be automatically assigned depending on whether a third-party is categorized as low, medium, or high-risk.
Let’s take an example. Allyn Co. has a risk-based due diligence process. When a third-party scores as low risk, it receives a sanctions check and basic compliance-related contract terms. When a third-party scores as medium risk, it receives a sanctions check, politically exposed persons check, and an adverse media screening, as well as basic compliance-related contract terms. When a third-party scores as high-risk, it receives everything the medium risk third-party receives as well as contract terms that include audit and termination rights. There is an automatic escalation of risk mitigating techniques built into the program that is applied systematically.
The other time that these mitigation techniques should be applied is on a case-by-case basis to reduce risk when a red flag is found or a concern is raised. Let’s go back to Allyn Co. If one of its third-parties scored medium risk but was found through an adverse media story to have been accused of bribery, then Allyn should apply additional risk mitigation measures. For instance, Allyn could require live training on an annual basis to increase mitigating efforts.
Skiing may always be dangerous but, in some ways, that’s part of the draw. By wearing the right clothing and ensuring your equipment is maintained properly, you can have a great time without being overly concerned about things going wrong. The same is true with your third-parties. By using mitigation techniques and strategies effectively, you can manage your third-party risk while allowing the business to soar to new heights.
To celebrate the launch of the Focus Series Course, you can download our complete Mitigation Toolkit HERE. The Mitigation Toolkit is one of several great resources available as part of the Focus Series Course on Creating a TRULY Risk-Based Third-Party Program (20% discount code “CL” available through next Thursday).