THIRD PARTY DUE DILIGENCE AND REMEDIATION

1 June 2017

Andrew Henderson, Director of Solutions

www.redflaggroup.com




Presenter

Andrew Henderson, Director of Solutions, The Red Flag Group

Andrew has experience in the assessment, design, implementation and management of complex compliance programmes for multinational corporations across a wide range of industries.

About The Red Flag Group

The Red Flag Group is a global professional services firm specialising in integrity and compliance risk. We have completed over 500,000 due diligence reports in the past 10 years and work with many Fortune 500 companies.


Agenda

PART 1: DUE DILIGENCE

PART 2: ANALYSIS OF FINDINGS

PART 3: REMEDIATION OPTIONS

PART 4: CONCLUSIONS AND Q&A


DUE DILIGENCE


Why conduct Due Diligence on partners?

It’s mandated

To gather information

To make a good business decision

To predict the future


Where can you gather information?

Typically sources of information include:

LOW COST:

• Government issued lists

• Open Media

MEDIUM COST:

• Proprietary databases

• Official filings

HIGH COST:

• Interviews

• On-site reviews

In addition, much information can be found by asking:

• Contacts in your company

• The third party themselves


Risk based

A balance is needed between the desire to assess the specific diligence needs of each subject entity and the overall aim of a standard process.

[Diagram labels: Lowest risk entity, Highest risk entity; Low risk, High risk; Low cost sources, High cost sources]

Media research in countries with limited press freedom will not result in any useful information, so even low risk entities might need higher cost methods.

Sometimes the lowest risk requires no further diligence steps at all.

Lower and higher risk are relative. Your lowest risk might be a high risk when considered by itself.

Countries which are culturally averse to speaking negatively about colleagues may not provide valuable reputation information.


Resources

What skills are needed?

• Research

• Source knowledge

• Languages

• Risk knowledge

• Business knowledge

• Country knowledge

• Prioritisation

• Time management

Where to source them?

• Legal / Compliance

• In the business

• External


Poll 1

How does your company decide what scope of due diligence to perform?

1. We have clear risk-based rules which provide the scope in all cases

2. Each due diligence exercise is based on its own merits

3. We perform the same scope for all partners

4. Majority of cases are dealt with in a standard process, but some are handled differently

5. None of the above


ANALYSIS


Analysis – What is the aim?

What does the information gathered tell you about the partner in the circumstance of your business with that partner?

• Start with your prior knowledge and expectations

• Consider how the new information changes your view.

• How does the issue relate to the services or transactions you are using the third party for?

o Supplier or channel partner?

o Reseller or distributor?

o Post sales support?

o Long term relationship?


Resources

What skills are needed?

• Sources

• Languages

• Country / Culture knowledge

• Risk knowledge

• Business knowledge

Where to source them?

• Legal / Compliance

• In the business

• External


Top 10 risks*

Politics

Intellectual Property Infringement

Sanctions & Exclusions

Corruption & Bribery

Employee Rights

Serious & Organised Crime

Fraud, Money Laundering & Financial Irregularities

Health & Safety

Anti-Competitive Behaviour

Product & Business Regulations

*Source: 14,080 cases conducted by RFG in 2016.


REMEDIATION


Remediation options

What choices are available?

To not mitigate, but refuse to work with the third party. This requires that you have all the information you think necessary to convince your business that this is the appropriate option.

To do nothing further. The aim of the due diligence process is to make decisions about a third party, so approval without the need for any further work is a good outcome.

To do deeper research. Diligence is part of an ongoing risk analysis process. When diligence on low risk entities identifies issues, they are no longer low risk!

To recommend going ahead with the third party, but subject to conditions.


Remediation options

Can you remediate (remove) or manage (accept) risk?

• Not aware of how you do business → Policies, code, training, contract

• Missing information → Written undertakings, interviews, site visits

• Ongoing litigation → Media monitoring

• Political connections → Internal controls (financial, sign-off)

• Conflicts of interest → Internal controls (financial, sign-off)


Remediation options

What are the issues?

What options will remediate or manage the issues?

• Who decides

• Standard vs bespoke

How is it recorded and actioned?

• Who does the activities

Did it work? Were the options chosen correct?

Was it carried out?


Poll 2

How does your company decide what form of remediation actions to undertake?

1. We have clear risk-based rules which provide the scope in all cases

2. Each remediation is decided on its own merits

3. We perform the same actions for all partners

4. Majority of cases are dealt with in a standard process, but some are handled differently

5. None of the above


RECOMMENDATIONS


Conclusion: DUE DILIGENCE

Understand why you need the information so you can justify it to your business.

Adapt to different locations to ensure you get the most value for the time and money you invest.

Determine what information you need to make a good decision, then look at the cost to deliver that in the regions you operate.


Conclusion: ANALYSIS

Be aware of what your business wants to do with the partner.

Assess against what you expected the findings to be.

Ensure that the analysis is performed by people with the appropriate training.


Conclusion: REMEDIATION

Aim for a consistent approach, but have a plan for what remediation approaches will be acceptable in what circumstances.

Document and follow up on the actions.

It’s ok to not do further remediation when the risk is understood and acceptable.

Some risks can’t be remediated – only accepted and managed.


Questions and more information?

Please select the areas you would like us to provide more information on:

• Integrity due diligence reports

• Compliance technology solutions

• Supply chain risk management solutions

• Compliance outsourcing services

• Other solutions and services


Connect

Website: www.redflaggroup.com

[email protected]@redflaggroup.com

Webinar schedule and recordings: www.redflaggroup.com/webinars

Follow us: Twitter: @redflaggroup; LinkedIn: The Red Flag Group

Email your feedback or submit webinar topics to: [email protected]