April 20, 2017

Day 14 of One Month to Better 3rd Party Management-Third Party Program Check-Up

11 minutes

When was the last time you considered the health of your company’s third party management program? A good way to test that well-being is to perform a check-up on your third party program. An article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, provided a manner for the compliance practitioner to test an “organizations health status concerning your relationship to your third parties.” The article provided seven points that you can consider in a self-assessment:

Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward? When was the last time this list was checked or updated?

Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to check and double-check which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business?; (b) Is the third party’s service performed with little company supervision or oversight?; (c) Does the third party have access to any company funds, resources or assets?; (d) Can the third party fund the company contractually?; and (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company? When was the last time you asked these questions of the Business Sponsor or Relationship Manager.

Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party. Do you receive updated due diligence reports on a quarterly, semi-annual or annual basis?

Once the risk categories have been determined, create a written due diligence process. Obviously you need to have a written policy and defined procedures to implement your due diligence policy. However, when was the last time it was reviewed or updated? What happens if you the compliance professional is hit by a bus coming to work? Would a substitute know what to do or would there be a written reference for your replacement? You should consider the following: (a) who is responsible for implementation; (b) list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews for third parties in a high risk category; (f) conflicts of interest checks, and (g) process for documentation and storage of all of the above information.

Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? When was the last time you considered your compliance terms and conditions or reviewed all of your third party contracts to ascertain if they include compliance terms and conditions: (a) anti-corruption and anti-bribery certification; (b)requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous

...more