A refreshed approach to monitoring
Corporate compliance programs have many moving parts, but perhaps none are as difficult to master as monitoring your third-party risks over time.
This is unfortunate, because as the modern business landscape becomes ever more complicated, monitoring becomes an increasingly important element of your program’s success. Businesses today have more third-party relationships than ever, and the nature of those relationships can change due to new regulations, technology shifts, market expansions, or more.
Any of those forces can change the compliance risks that your company faces. Monitoring helps to bring those changes to your attention, so you can respond accordingly.
What’s needed today, however, is a better approach to monitoring — one that embraces automation and scalability, and can encompass the wide range of compliance risks that might suddenly erupt at your business. This paper explores what that next-generation monitoring capability might look like, and how compliance officers can integrate it into their programs.
Monitoring 101: What it is and why it matters
To understand what monitoring is, compliance officers can begin by studying the U.S. Justice Department’s guidance for effective compliance programs. The guidelines never actually provide a formal definition of monitoring. Instead, they describe the monitoring activities that a corporate compliance program should be able to do. For example:
- The company should “engage in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, or annual compliance certifications by the third party.”
- Compliance teams should have access to all necessary data “to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.”
- The company should have “a process for monitoring the outcome of investigations and ensuring accountability” for any compliance program findings or recommendations.
Those examples help us understand that monitoring is a continuous process to identify new compliance risks, and then to relay that information to the proper people within the organization so that they can respond appropriately.
That is, monitoring helps a compliance officer to discover when a third party’s risk profile has changed, and then to assure that the company acts on that knowledge. The change might be a questionable executive taking charge at the third party, allegations of corruption streaking across the news, a new anti-trafficking law that requires more documentation of your supply chain’s activities, a change in services that changes the scope of the engagement and associated transactions, or some other change in circumstance. Likewise, your company’s response might be an investigation, enhanced approval processes, cutting ties with the vendor, or other steps.
Those details don’t matter to the broader point: monitoring is about discovering compliance risks quickly and acting on them as necessary.
In that case, vendor onboarding and screening are vital steps for monitoring to succeed, but they are precursors to monitoring. Monitoring itself requires a different set of tools and technologies to succeed.
Solution
Dynamic monitoring
TPRM on the Integrity Platform is a closed-loop workflow solution where every capability directed at uncovering risk at the start of the relationship is kept on during the execution of it.
Learn more
What we should be monitoring and why
Monitoring can intimidate compliance officers because the concept seems to encompass so much; when guidance casually speaks of monitoring “relationships,” “transactions,” or “risks” — well, those words could mean anything.
Fear not. Monitoring does touch on a wide range of issues, but we can classify them into several fundamental categories.
Risk factors. Risk factors are the basic information about a third party that your company gathers during the onboarding process: ownership, past enforcement actions, relationships with politically exposed persons, geographic areas of operations, payment terms, and the like. Your company should monitor these factors to see whether (and how) they have changed from one period to the next.
Relationship status. The status of the relationship you have with a third party might change for any number of reasons. For example, a professional services firm might first scout real estate locations for your company in overseas markets, then start offering legal services, and ultimately contract negotiation. Your company might even request those changes. Nevertheless, that evolution in the business relationship does change the risks at hand. Monitoring should bring such changes to the compliance officer’s attention.
Transactions. Transactions are the lifeblood of every business relationship, but a sudden change in transaction size, frequency, currency, or even bank account could indicate new risks. Monitoring should be able to identify transactions that depart from “baseline” transaction patterns defined during third-party onboarding.
Some may wonder why we haven’t listed corruption, sanctions, human trafficking, cybersecurity, or other risks that so often lurk in third-party relationships. That confuses two related concepts. Monitoring helps to detect evidence of those risks — not the risks themselves. Once that evidence is collected and brought into the light, a compliance officer can then reach better judgments about the severity of those risks and how best to respond.
Technology capabilities for monitoring
Given the volume of data and third-party relationships that must be monitored, technology must play a central role in a compliance program’s monitoring efforts. Each business will need to find its own technology solution that works best for its unique characteristics, but we can articulate several capabilities that all monitoring solutions must have if they’re to succeed.
Integrating with enterprise data and systems. Many corporations will already have a considerable amount of data necessary for monitoring and TPRM programs generally. The challenge is in developing a monitoring program that can collect that data automatically — from contract management platforms, SAP or Oracle business management software, and other pockets of the enterprise. This assures that when your company’s relationship with a third party “updates” (a new contract, a new payment, and so forth), that latest information is reflected in your monitoring environment.
We should also remember, however, that this “data conversation” should flow both ways. That is, when monitoring identifies some troublesome event, that fact should flow back to the rest of the enterprise; so that business units can take proper steps (for example, halting payments or adding new approval steps) to deal with the risk.
Connecting internal risks to monitoring. Along similar lines, monitoring procedures should connect any internal risks to your TPRM program as necessary. For example, internal procedures should require employees to disclose donations or gift and entertainment spending on vendors. If that spending becomes problematic and triggers investigations, your monitoring system should incorporate that information into the risk profiles of the vendors.
The same holds true for potential conflicts of interest (say, an employee marrying someone at a vendor), accounting investigations, or other internal issues that might have TPRM repercussions; all of that data should be integrated seamlessly into your monitoring program. For example, if your TPRM program cannot ingest data from, say, your conflicts-of-interest program, the compliance team might miss conflicts reported internally that involve a supposedly low-risk third party.
Automation as much as possible. Monitoring must embrace automated workflows whenever possible — and this depends on the enterprise integration mentioned above. For example, when a business unit changes the value of a contract or the services engaged with a third party, that should trigger real-time alerts to the compliance team and the “risk owner” for that third-party relationship, so that either one can reassess the risk. That same principle could be applied to, say, employee gift and entertainment spending: when spending exceeds certain thresholds, that triggers an automatic review; or if the employee spends on a new third party, that automatically triggers creation of a new third-party profile.
The goal here is to move beyond monitoring at fixed time intervals, to real-time compliance reviews of triggering events. Monitoring processes should be integrated into workflows across the enterprise, so that any time a triggering event happens — a new acquisition, a new employee conflict of interest, a new threshold of spending, and so forth — the appropriate compliance and operations leaders automatically receive an alert and are compelled to review the new risk.
Conclusion: A more seamless approach
The reality of modern business is that corporations will continue to use more third parties for more reasons; and in today’s globalized world, those parties will also be scattered across more locations. At the same time, more governments will continue to add regulations about how corporations can work— everything from anti-corruption, to economic sanctions, to cybersecurity and privacy, to human-trafficking and other sustainability issues.
All of this will require more monitoring, but manual processes are no longer a tenable way to manage that part of a corporate compliance program. Monitoring must embrace a new approach that embraces automation and integration across the entire “data ecosystem” of the company.
Once a company completes that transformation, however, the benefits will be many. It allows for monitoring that is scalable as the business grows, and versatile as new third-party risks come and go. Compliance officers and business unit leaders alike can be more responsive to third-party risk without operating bogging down in tedious manual effort.
Then a culture of compliance can be a competitive advantage, rather than a drag on operations — and that is what modern corporations need to thrive today.