2. Table of contents
1. Foreword
2. Context: increasingly demanding regulations and aggressive enforcement
3. Risks: concrete third-party risks that businesses face
4. Symptoms: things that keep us awake at night
5. Guidance: risk rating your third parties
6. Challenges: disconnected approach to third-party management
7. Solution: Control Risks and GAN Integrity vantage
3. Control Risks and GAN Integrity are pleased to present A Compliance Officer’s Guide to Third-Party Risk Management. It has been created for compliance professionals who want to implement a risk based approach to third-party due diligence.
The guide starts with an overview of the regulatory environment, then touches on the compliance issues keeping us awake at night. It then focuses on risk rating third parties who are critical to the success of your business.
Most organizations rely on laborious manual processes, juggle multiple vendors and lack sufficient local insight to mitigate risk. There’s a better way. Read on to learn more.
1. Foreword
5. Significant risks and increasingly demanding regulations
Reputational Risk
Modern Slavery
Trade Sanctions
Tax Evasion
PEP Risk
Environmental Risk
Corruption
6. The global anti-corruption framework
01 Apply to you
Global reach: Global anti-corruption laws can apply to companies and individuals both within and outside your jurisdiction.
02 Your third parties
Direct and indirect bribery applies: Companies need to take care in managing third-party relationships. Most enforcement cases involve third parties.
03 Know your stuff
Bribery and facilitation payments: Those who offer or pay bribes, financial or other, are in breach. Facilitation payments also breach some regulations.
04 Prevention is essential
Aggressive enforcement: Large fines, imprisonment of directors. Prevention is more cost effective and may be used as a defence.
12. Am I allowed to do business with that third party?
Am I confident that this third party is in good standing and will not create a legal or reputational liability?
Can I explain and document my decision if something bad happens?
14. A risk based approach to third-party due diligence:
The method by which compliance professionals can determine what level of due diligence to complete and how much resource to commit, based upon the level of risk posed by a third party.
[Chart. Labels: Number of vendors; Distribution of budget; Risk rating (Low to High); Risk tolerance; Screening only]
How do we allocate appropriate compliance resource for the number and variety of third parties we work with?
16. Risk rating: develop a process to identify the risk rating of every third party you do business with
[Diagram. Labels: Risk Rating; Third-Party Profile; Exposure; Risk]
18. Step 1
Screen all third parties: can we do business with them?
19. Perform initial due diligence by screening all existing and potential clients, agents and business partners. Check all third parties against key risk categories such as:
Government, Regulatory, Disciplinary Lists
400+ lists: global sanctions, securities exchange actions, fugitives, exclusions, fraud warnings, debarment, disciplinary actions, law enforcement etc.
Adverse Media and Press Coverage
100K+ sources & 2.5B+ articles: daily media scanning includes newspapers, magazines, TV, radio, transcripts etc.
Politically Exposed Persons
Government officials, senior legislative branch, military and judicial figures, state-controlled businesses and key executives, ambassadors and top diplomatic officials, family, associates and advisors, multi-national organizations and associated leadership.
21. Collect information from your business to determine the degree of exposure via an internal questionnaire
1 Country risk (of services)
2 Role of third party
3 Criticality of contract/relationship
4 Transactional red flags
5 Liaising with government bodies
23. Collect information to build a profile of the third party via an external questionnaire
Country risk (of company footprint)
Ownership & governance
Political exposure
Entity type
Reputation & standing
24. Step 4
Decide on risk rating and conduct appropriate level of due diligence
25. Assessing third parties with high risk ratings
[Matrix: Exposure Risk (contract value, criticality etc.) plotted against Third-Party Profile Risk (ownership, entity type etc.). Cell labels: Level 1, Level 2, Level 3, Investigative, Bespoke]
Use a scoring system to plot the exposure risk against the third-party profile risk, and work out the appropriate level of due diligence.
26. Apply the right next steps based on risk level
Step 1: Screening
Step 2: Internal questionnaire
Step 3: External questionnaire
Step 4: Enhanced due diligence
Step 5: Third-party training
[Flowchart. Decision points: Match? = Yes; Acceptable exposure? = No; Risk? = Yes; Additional mitigation? = Yes. Axes: Risk (Low to High); Scrutiny (Low to High)]
28. A disconnected approach
Email from the business to Compliance when the third party needs to be paid
Compliance asks for more info, performs database screenings, compiles a file
The file is saved by Compliance in a shared drive
Compliance issues a recommendation to business, business decides
29. Key challenges faced by CCOs
Personal judgment
Unstructured record keeping
Opaque jurisdictions or lack of public information
Scattered information that’s difficult to compile/retrieve
Proportionality
Reactive behavior
Maintaining oversight
Lack of consistent methodology
30. Automating your risk based approach can solve these challenges and bring improvements:
Digitize your processes into workflows
Evaluate the level of risks consistently
Ensure decisions are made at the right level
Monitoring your third parties over time
Allocate resources to the risks
35. A strategic partnership to help compliance teams across the globe manage third-party risk
36. The VANTAGE Suite
Third parties are critical to your business. They can also be the single greatest source of risk
exposure. Most organizations rely on laborious manual processes, juggle multiple vendors,
and lack sufficient local insight to mitigate risk. There’s a better way. Discover VANTAGE:
The product range
vantage screening: Effective third-party screening using the industry’s largest risk intelligence databases
vantage platform: Automated workflow solution to manage third-party relationships
vantage diligence: Standardised third-party due diligence reports, compiled by in-country experts
vantage consulting: Professional third-party risk management consulting, delivered by experienced experts
37. To find out more about our joint offering, please visit:
www.discover-vantage.com