Which resources are required for a third-party compliance programme?
When The Red Flag Group is assisting companies to roll out third-party compliance programmes, the firm is often asked which resources will be required to oversee and maintain those programmes.
The answer to this question is quite complex and depends on the type of company and the way it is structured. It also depends on the type of due diligence each company is conducting and the volume of the installed due diligence base. There are, however, some key commonalities between all companies that build and roll out their programmes, which can provide a rough guide on the number of resources required.
For the purposes of this article, we will base our discussion on a Fortune 500 company that trades in international markets through distributors and resellers (together known as channel partners). We will look at the resources needed to launch and roll out a programme for these channel partners. From a volume perspective, we can assume that the number of first- and second-tier channel partners is going to be in the thousands (likely to be close to 10,000 globally).
Central programme management resources
In almost every situation – whether the programme is operated centrally or is distributed – there are likely to be two people who work on the programme at a ‘corporate’ level. These are generally fairly senior people who understand the compliance risks of the company and will own and manage the third-party compliance programme. They will primarily be responsible for running the programme internally, gaining buy-in from countries, and signing on various vendors to provide due diligence and technology.
Two full-time employees will usually be required in central programme management roles. In some cases, these people might have a dual responsibility with another compliance programme (like anti-corruption). In most cases, however, the third-party compliance programme is large enough to justify dedicating two people solely to it. These resources will typically report to the chief compliance officer.
Central legal resources
A member of the legal team is often involved in setting up the programme. He or she advises on issues such as vendor contracts, due diligence protocols, investigation techniques, and privacy issues surrounding collecting data in emerging markets and the storage of and access to that data.
This role will often only require one part-time resource for three to six months, until the programme is up and running.
Central administrative and technology resources
Assuming some technology is being used (such as The Red Flag Group’s ComplianceDesktop® Compliance Technology Platform), there is likely to be one person at a corporate or centralised level who is the system administrator. This is often an administrative or junior compliance person, rather than someone with direct reports or who is responsible for running the compliance programme.
The system administrator’s role is primarily to operate the system, oversee the training of users and manage the reporting, in an effort to tune reports from the system and track how the programme is being implemented in each country. They are also the central point of contact for IT vendors and the internal IT team. At an estimate, one full-time system administrator will be required in the compliance function. They are likely to report to the central programme managers.
Role of local compliance staff
A Fortune 500 company – such as the one in our example – would require a team of compliance people around the world. These staff would be members of the global compliance team and would report to the chief compliance officer. They would be spread across various geographical regions and would be the local team to manage compliance in those jurisdictions.
Managing the third-party channel compliance programme would probably take up around 25 to 50 percent of their time. This would involve setting up the programme in each country, working with the business teams there and working through the local legal issues surrounding the programme.
Around four or five full-time employees will be required as local compliance employees, each in a different region. If the volume of due diligence is substantial in a certain country, it may be necessary to add junior compliance people to specifically focus on due diligence. This may happen in countries such as China, Brazil, India and Russia, where there are more risks and high volumes of partners.
Role of local business staff
Local business units may also offer some resources to assist in managing the programme. These resources are often business people who manage the channel partners: channel operations, channel management, distributor managers and distributor excellence. Although not part of compliance, they are tasked with rolling out the programmes in their respective regions with the support of the compliance function.
It is not unusual for a global company to have 10 or 20 people globally supporting these efforts. Their role is primarily to identify new partners, enter them into the technology platform, launch questionnaires and chase their return. They are then responsible for checking the questionnaires, ordering due diligence and then reading and acting on the findings of the due diligence. Conducting due diligence makes up around 25 to 50 percent of their role, but this may be higher in the early stages of the roll-out. Where appropriate, they will consult their regional compliance leads regarding findings and next steps.
Approximately five to ten full-time employees will be required in the channel operations or management functions.
How to reduce third-party risks
Third-party due diligence
Whenever your company enters into a transaction with a supplier, agent or vendor, it comes with statutory requirements as well as considerable risks. In order to ensure the longevity of the business, companies need to protect their brand and business by managing and mitigating third-party risks.
In order to achieve third-party diligence, companies need robust third-party risk management: risk management processes and controls, training controls, due diligence processes, audits, and swift issue remediation. All of these processes need to be effective for third-party diligence to be achieved.
Key components of third-party risk compliance
The key components of third-party risk compliance are as follows:
1. Risk assessment
2. Review due diligence
3. Contract structure review
The benefits of third-party diligence
No matter how careful your company may be, it will only ever be as good as the associated third parties. If the associated third parties fail to protect your data, engage in unethical practices, fail to maintain a safe and healthy working environment, or expose the business to unacceptable risks, your company will be exposed to similar risks.
When managed well, third-party relationships can promote competition, provide diversity and encourage business development. However, failure to manage the risks can result in litigation, financial loss and reputational damage.
Unfortunately, many companies seem incapable of putting in place the diligence measures needed to keep pace with the ever-increasing complexity and size of the third-party network, leaving the company exposed to risk.
Using technology to manage third-party risks
Technology is increasingly being used to manage third-party relationships effectively in order to mitigate risk. Having an automated risk assessment system has many benefits. It allows the compliance team to focus on strategic aspects.
Since incremental changes to the assessment can be made with minimal effort, the system can also be used to evaluate the impact of increasing risks.
Using an automated system provides consistency and demonstrates to regulators that the process is operational and in place. An automated system offers a clear audit trail. In addition, it can be interrogated quickly, allowing the company to respond to any regulatory requirements or requests from the Board of Directors.
Given the high costs of breaching anti-bribery or anti-corruption legislation, the costs of adopting and running a third-party compliance management system pale into insignificance.