When it comes to imposition on the business, third-party due diligence programs often rank highest on the list. Third-party program rollouts or expansions are frequently fraught with challenges. One of the greatest challenges is deciding what to do with third-parties that the business is already using, frequently referred to as “legacy third-parties.”

Part one of this blog series reviewed the considerations compliance officers should mull over when determining what to do with legacy third-parties. Part two below describes various options available to deal with legacy third-party challenges. As you’ll see, there is no one-size-fits-all answer to the third-party conundrum.

The Choices

There are several ways of dealing with legacy third-parties. You can…

Go All In

Want to rip off the bandage? Go all in and include the whole gambit of legacy third-parties in your new or expanded program. The benefits of this approach are numerous. First, although the business will likely complain, the bulk of the third-party review will be done all at once, meaning that once the initial discomfort is over, the third-party program will be significantly less onerous. Second, the business won’t suffer fatigue as the third-party program continuously expands, with businesspeople being repeatedly called upon to give information about new categories of their currently-used third-parties. Third, this approach is usually the most efficient. Doing the work all at once means that it goes quickly.

On the downside, going all-in may create a giant bottleneck of false positives and potential hits to clear. If you have a small team or little capacity, this could take months (see Part I for more details on capacity considerations).

Only Screen at Contract Renewal or if the Contract is Amended…

“We finally got the budget to start a proper third-party program!” my client exclaimed. “Great!” I said, “How many third-parties will you be starting with?” “Ten thousand.” Alarm bells went off in my head. I could already see the problems. How would she find reliable data? How would she and her team of three deal with the hundreds, if not thousands, of immediate false positives that typically come from that volume of screening? And most importantly, how would she deal with the businesspeople already using those ten thousand third-parties inevitably pushing back saying “but we’ve used them for years!”

Whether implementing a third-party program for the first time or expanding an existing one, the issue of legacy third-parties inevitably brings up monumental challenges. A “legacy third-party” is one that is already in use by the business that has not undergone due diligence. Bringing in or expanding a third-party program is already difficult. Deciding what to do with legacy third-parties can be a nightmare.

In part one of this two-part series, we’ll review the issues to consider before deciding what to do with legacy third-parties. In part two, we’ll go over different approaches to managing this challenge to help you decide the best path forward.

Considerations

There are several issues with legacy third-parties, each of which should be considered when determining the best path forward. These include…

The launch of the Focus Course: Create a TRULY Risk-Based Third-Party program has been phenomenal. The early reviews are terrific, and I couldn’t be happier. If you haven’t taken advantage of our 20% off launch pricing, the time to do so is TODAY. Use discount code “CL” at checkout to receive 20% off.

Regulators have been 100% clear – you need a risk-based third-party program. But what does that mean in practice? Do you TRULY have a risk-based third-party program? In this Focus Series Course, you’ll learn exactly how to build a risk-based program and how to refine the program you have to meet regulatory expectations, best practices, and the needs of your business. Already have a program? Fantastic – test it out to find out if it meets regulatory expectations, and find out how to strengthen it so it is truly risk-based.

Find out more HERE. You can see some of our reviews below. We can’t wait to have you.

“Risk-based approach” may be the three most over-used and least understood buzzwords in compliance in the past two years. The DOJ talked at length about using a risk-based approach to third-party due diligence and risk management in its Evaluation of Corporate Compliance Program guidance, going so far as to give examples of what they mean. And yet, nearly every client I work with has blind spots when it comes to implementing a truly risk-based due diligence program. Why? Because “risk-based” is easy to say but difficult to implement.

There are four distinct places that a risk-based approach should be implemented during your third-party due diligence process. Let’s look at each in turn.

No. 1: Scoping

The first place to apply a risk-based approach is in scoping. Scoping should result in one of two outcomes for each third-party: you’re in or you’re out. Applying a risk-based approach to scoping is critical because if every possible third-party is in-scope, your program is probably overly broad and doesn’t address the true risk to the company.

Let’s be honest, do you really need to score and review paperclip vendors? How about one-off customers or distributors selling less than $500 of your products annually? Don’t laugh, I’ve seen every one of those third-party types in scope at different companies.

Here’s my top tip for scoping: if you can’t come up with a plausible scenario where the third-party would violate the rules, the third-party type should be out of scope. This determination rests on which risk types you are reviewing in your due diligence program.

For example, let’s say that in your program, you’re reviewing third-parties solely for bribery risk, and you need to determine whether suppliers should be in-scope. Try to come up with a plausible scenario about how a supplier could bribe someone on your company’s behalf. Well, they’re not going to bribe a customer on your behalf. The only scenario in which a bribe would be made by a supplier is the attempt to bribe your employees, who should be trained to avoid this situation. After this analysis, suppliers should be kept out of scope for this third-party program.

Remove third-parties from the scope when there is little or no chance that they could create a problem for you based on the risk areas you’re reviewing.

No. 2: Initial Risk Ranking…

It’s November, which for many, means ski season is near. I love to ski, and I’m not alone. An estimated 130 million people ski and snowboard throughout the world. Skiing is great, but it can also be dangerous. Because of this, people have devised ways to lessen the likelihood of something going wrong. People wear hats to avoid frostbite, helmets to avoid brain injury, and releases so that their skis will detach from their boots if they fall. Skiers mitigate against the risk of things going wrong so they can enjoy the activity they love.

Businesses must do the same thing. The use of third-parties comes with tremendous upside. Third-party sales agents and distributors may hold the keys to new markets and dramatically increased revenue. New acquisitions may double or triple the size of a business. But these third-parties often come with risk.

Risk mitigation is part and parcel of a compliance officer’s job. Because greater than 90% of FCPA cases involve the use of a third-party, third-party risk mitigation is key to having a successful compliance program. But how is third-party risk mitigated? And how do we know if we’re doing it effectively?

In honor of this week’s launch of the Focus Series course on Creating a TRULY Risk-Based Third-Party Program (information HERE), let’s go through the ultimate mitigation toolkit. The following are ten different ways that third-party risk can be mitigated, along with a description of the activity, and an example of how they’ve been used by clients of Spark Compliance Consulting…