Congratulations! After spending lots of time and money, your due diligence program to onboard third parties is running and works like a charm. Now you need to build a monitoring program to match.
How hard could that be, right?
In truth, one portion of monitoring is straightforward: the monitoring activities themselves. They can take the form of annual certifications, adverse media reports, new background checks, or even full audits. Monitoring activities are simply onboarding activities repeated on your third parties at regular intervals after those parties onboarded.
The trick is knowing which activities to use, under what circumstances, and who performs them. Compliance officers must take a risk-based approach to monitoring, just as they are supposed to do with third-party onboarding.
To begin, then, a compliance officer can look at a newly onboarded third party and ask: What changes in that party’s circumstance would change our company’s risk? A few come to mind:
- Change in ownership or leadership. A third party could be acquired by a state-owned business (FCPA risk) or a competitor (antitrust or supply chain risk). Or it could hire a new executive with a checkered past, who could bring bad behavior along with him or her.
- Change in conduct. The third party might commit misconduct after onboarding, whether working for your firm or another customer.
- Change in duties. A party might have been onboarded as a reseller, and the relationship succeeds so well your firm enters into a joint venture. Or an agent handling one type of transaction (real estate closings) might start handling others (sales contract negotiations).
- Change in technology. The third party might adopt new IT systems that jeopardize the security or privacy of your firm’s data — or worse, of your customers’ data.
A successful monitoring program will know what triggering events should bring concern for each third party. Ideally, those triggering events should be identified during onboarding, so compliance officers aren’t scrambling to defuse a difficult situation after it arises.
Then compliance officers need to match the best monitoring activities for each risk. For example, you could require all third parties to disclose changes in ownership when such changes happen. But — surprise! — some parties will ignore your request. So you might also want to perform background checks on all third parties annually, and on significant third parties in high-corruption countries quarterly.
Can some monitoring tasks be automated? Sure; usually they’re the same tasks you can automate during onboarding.
A critical question, however, is how your firm responds after monitoring identifies something that might be amiss. The company cannot ignore an issue once it’s discovered. So an important challenge for a compliance officer is to develop a process for digesting the discoveries you make.
This is where you want to assign follow-up duties back to the operations executive working with the third party. (The executive, of course, is eager to help, because he or she is trained on the importance of ethics and compliance regularly.) So we’re back to processes and procedures for governing third parties: how to remediate weaknesses in their business practices, or whether to introduce more controls into your organization because the party is important enough that you need to continue the relationship anyway.
After all, a company can work with high-risk third parties. You just need to monitor them closely.