Technology for third party risk management: striking a balance
July 2015 | SPECIAL REPORT: WHITE-COLLAR CRIME
Financier Worldwide Magazine
Multinational companies are well aware of the growing need to design and implement risk-based third party due diligence programs. The requirement is regularly called out in statements by US government regulators, e.g., the 2012 ‘A Resource Guide To The U.S. Foreign Corrupt Practices Act’ issued by the US Department of Justice and Securities and Exchange Commission sets expectations that companies: (i) understand the qualifications and associations of their third party partners, including their business reputation and relationship with government officials; (ii) have a bona fide business purpose for their dealings with a third party; and (iii) monitor their third party relationships once they begin.
As many chief compliance officers and general counsels will tell you: easier said than done. Effective third party diligence and monitoring is burdened by myriad external and operational challenges. Externally, information availability varies widely from market to market. Global watch lists of restricted entities are in a state of continuous change. Information privacy laws are also different across (and sometimes within) jurisdictions, and in some cases are quickly evolving without clear direction.
Within the company, third party risk management (3PRM) has multiple cross-disciplinary stakeholders with different priorities (legal, compliance, operations, procurement, finance) and responsibilities. Relevant internal systems (such as ERP, purchasing, HR and other operational systems) are often both locally and globally fragmented and do not lend themselves to consolidation, transparency and monitoring. For large organisations, which can be tracking tens to hundreds of thousands of third parties, the sheer volume of data poses formidable challenges and has moved beyond the point of effective manual review.
Clearly, there is a need for technology that can help automate and standardise this process, and many tools have been developed to address this demand. But, as any experienced practitioner of due diligence knows, there remains a degree of art that must complement the science. The task is in finding the proper balance and understanding the limitations of both.
So what are some technological categories that are currently at hand for 3PRM? The first major category is ‘data aggregation’ – i.e., information sources that compile large amounts of disparate background data on entities and individuals into a usable, relevant summary. The capabilities of these tools are tied to the availability of electronic records. The earliest data aggregators were focused on the compilation of names from the multitude of watch lists or sanctions lists issued by governments and multilateral organisations around the world.
Over time, data aggregators have been enhanced by the addition of public domain media information. Today, new platforms are going further and assembling data from harder to access national or regional sources around the world to offer a broader range of corporate and individual background information. The Holy Grail (not yet reached) of these tools is a real-time, comprehensive dossier generator that provides all the information needed for the experienced practitioner to make effective compliance decisions.
The second major category is ‘process workflow management’. These online tools address the administrative burden of managing complex diligence programs on a global scale. They provide a centralised mechanism for tracking the information generated at every phase of the third party lifecycle: onboarding, engagement and monitoring, and termination. They also automate the standard operating procedures related to diligence, risk evaluation and approvals. The objective is to minimise process variation across markets and encourage transparency and individual accountability.
The major contributors to process workflow management are the company, the third party and the information provider. The third party uploads self-reported background information, which is then cross-referenced by external information, while the company oversees the risk ranking of the third party and makes decisions based on the diligence results. This platform then serves as a centralised archive which can be easily accessed whenever information on the third party, diligence process or approvals is required.
The third major category is ‘data analytics’. This suite of tools and techniques, designed to detect risk in large pools of data, has been developing the most quickly of all categories due to its wide range of potential business applications. If you have been contacted by your bank regarding suspicious activity on your account, you have seen fraud detection analytics at work. Data analytics refers to various combinations of hardware, software and customised algorithms designed to detect certain patterns (positive or negative) in data. They are deployed primarily as monitoring and reporting tools (in this context fraud and corruption risk monitoring) since they rely on large quantities of historical activity to generate meaningful results.
In the 3PRM context, data analytics has normally meant analysis of third party payment history, as well as overlays of vendor and employee identifying information, to pinpoint third parties exhibiting high risk patterns. Today’s data analytics models are adding new detection techniques, such as unstructured data (e.g., communications) review and predictive analysis to better anticipate emerging risks in your third party universe.
So where is this all heading? As with most technologies, you can expect these three parallel 3PRM categories to move towards convergence. Companies need to continue to streamline the number of individual systems and processes related to 3PRM, so the target is increasingly a ‘super portal’ of third party information, linked to the company ERP system, which contains multi-sourced diligence data, workflow tracking and continuous monitoring dashboards. Those ultimately responsible for third party risk want a one-stop shop for relevant information.
So back to our central question: When does 3PRM technology help and where are its limitations? The benefits of information technology are clear in all business processes, including 3PRM; automated tools offer the advantages of speed, consistency and scale for high volume workflow management and information tracking. For a large global organisation, it is not an exaggeration to say that without these tools, effective compliance in this area will become cost-prohibitive. The alternative is large scale manual processing.
But, as mentioned above, pure reliance on a technological solution is itself a risk. With most of these technologies, there is a point where human input is needed to complete the review process. With data aggregators, the key limitation is the lack of smart disaggregation, i.e., false positives. As an illustration, roughly 7 percent of the Chinese population are surnamed Wang, and 10 percent of the Brazilian population are surnamed Silva. One may be a restricted person; the other may be a legitimate counterparty. To eliminate false positive information on target entities requires sophisticated analysis of context, something that current technologies still cannot adequately perform. The price of mistaken identification can be significant.
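As an added illustration of the disaggregation problem described above (example code written for this page, not from the article or from EY), the following Python screen first matches candidates on surname alone, as the earliest list aggregators did, and then rescores each hit with context (given name, country, birth year) to sort it into a review tier. The watch list entries, candidate records, scoring weights and tier thresholds are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Dict

@dataclass(frozen=True)
class Person:
    full_name: str
    country: str                      # ISO country code
    birth_year: Optional[int] = None  # None when the record lacks it

# Constructed sample watch list (illustrative only, not a real sanctions list)
WATCH_LIST = [
    Person("Wei Wang", "CN", 1965),
    Person("Joao Silva", "BR", 1972),
]

# Constructed onboarding candidates: one true match, three common-surname collisions
CANDIDATES = [
    Person("Wei Wang", "CN", 1965),     # all attributes agree
    Person("Li Wang", "CN", 1988),      # surname only
    Person("Joao Silva", "PT", 1990),   # full name agrees, country and year do not
    Person("Maria Silva", "BR", None),  # surname and country, no birth year to disaggregate
]

def surname(p: Person) -> str:
    return p.full_name.split()[-1].lower()

def naive_hits(candidates: List[Person], watch_list: List[Person]) -> List[Person]:
    """Surname-only screening: every common-surname holder becomes a hit."""
    return [c for c in candidates if any(surname(c) == surname(w) for w in watch_list)]

def context_score(c: Person, w: Person) -> int:
    """Assumed weights: agreeing context adds, contradicting birth year subtracts."""
    score = 0
    if surname(c) == surname(w):
        score += 1
    if c.full_name.lower() == w.full_name.lower():
        score += 2
    if c.country == w.country:
        score += 1
    if c.birth_year is not None and w.birth_year is not None:
        score += 2 if c.birth_year == w.birth_year else -1
    return score

def triage(candidates: List[Person], watch_list: List[Person]) -> Dict[str, str]:
    """Map each candidate to 'escalate', 'review' or 'clear' using assumed thresholds."""
    tiers = {}
    for c in candidates:
        best = max(context_score(c, w) for w in watch_list)
        tiers[c.full_name] = "escalate" if best >= 5 else "review" if best >= 2 else "clear"
    return tiers
```

The surname-only pass flags all four candidates; the context pass escalates one, leaves two for human review because the data cannot confirm or rule them out, and clears one.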
As for 3PRM workflow tools, process automation can encourage a passive ‘box checking’ mentality among process owners. This is a mistake, as there still needs to be experienced judgmental review of third party data to have an effective diligence program. The most common weakness of data analytics programs is the lack of synthesis, or data for data’s sake. The most sophisticated analytics models are useless without the ability to present the results in a manner that decision makers can use. Currently, this step still needs to be performed by humans. Finally, risk indicators are just that – indicators. To reach a point where a company can take action on a misbehaving third party, there still needs to be some old-fashioned human investigation to get to the facts.
So, the prudent way to view this relationship is to consider 3PRM technology as an enabler, not the endgame. The deployment strategy for these tools should consider them an extension of, rather than a replacement for, an informed 3PRM function and front line business. The tools allow skilled professionals to cover an ever broader range of third parties in a more automated manner. But for the immediate future, your program’s success will still hinge on the judgment of that person at the desk.
John C. Auerbach is a principal at Ernst & Young LLP. He can be contacted on +1 (212) 773 3181 or by email: john.auerbach@ey.com.
© Financier Worldwide
BY
John C. Auerbach
Ernst & Young LLP
FORUM: Third party corruption and fraud