third party due diligence and remediationgo.redflaggroup.com/rs/489-kre-151/images/third-party...
TRANSCRIPT
www.redflaggroup.comwww.redflaggroup.com
THIRD PARTYDUE DILIGENCE AND
REMEDIATION
1 June 2017
Andrew HendersonDIRECTOR OF SOLUTIONS
www.redflaggroup.com
Presenter
About The Red Flag Group
The Red Flag Group is a global professional services firm specialising in integrity and compliance risk. We have completed over 500,000 due diligence reports in the past 10 years and work with many Fortune 500 companies.
Andrew HendersonDirector of SolutionsThe Red Flag Group
Andrew has experience in the assessment, design, implementation and management of complex compliance programmes for multinational corporations across a wide range of industries.
www.redflaggroup.com
Agenda
PART 1
PART 2
PART 3
PART 4
DUE DILIGENCE
ANALYSIS OF FINDINGS
REMEDIATION OPTIONS
CONCLUSIONS AND Q&A
www.redflaggroup.comwww.redflaggroup.com
DUE DILIGENCE
www.redflaggroup.com
Why conduct Due Diligence on partners?
It’s mandated
To gatherinformation
To make a good business decision
To predict the future
www.redflaggroup.com
Where can you gather information?
LOW COST:
• Government issued lists
• Open Media
MEDIUM COST:
• Proprietary databases
• Official filings
HIGH COST:
• Interviews
• On-site reviews
Typically sources of information include:
In addition, much information can be found by asking:
Contacts in your company
The third party themselves
www.redflaggroup.com
Risk based
A balance is needed between a desire to assess the specific diligence needs for each subject entity with the overall aim for a standard process.
Media research in countries with limited press freedom will not result in any useful information, so even low risk entities might need higher cost methods.
High cost sources
Low risk
Low cost sources
High risk
Sometimes the lowest risk requires no further diligence steps at all.
Lower and higher risk are relative. Your lowest risk might be a high risk when considered by itself.
Countries which are culturally averse to speaking negatively about colleagues may not provide valuable reputation information.
Highest risk entity
Lowest risk entity
www.redflaggroup.com
What skills are needed?
• Research
• Source knowledge
• Languages
• Risk knowledge
• Business knowledge
• Country knowledge
• Prioritisation
• Time management
Where to source them?
• Legal/ Compliance
• In the business
• External
Resources
www.redflaggroup.com
Poll 1
2. Each due diligence exercise is based on its own meritsHow does your
company decide what scope of due diligence to perform?
3. We perform the same scope for all partners
1. We have clear risk-based rules which provides the scope in all cases
5. None of the above
4. Majority of cases are dealt with in a standard process, but some are handled differently
www.redflaggroup.comwww.redflaggroup.com
ANALYSIS
www.redflaggroup.com
What does the information gathered tell you about the partner in the circumstance of your business with that partner?
Analysis – What is the aim?
• Start with your prior knowledge and expectations
• Consider how the new information changes your view.
• How does the issue relate to the services or transactions you are using the third party for?
o Supplier or channel partner?
o Reseller or distributor?
o Post sales support?
o Long term relationship?
www.redflaggroup.com
What skills are needed?
• Sources
• Languages
• Country / Culture knowledge
• Risk knowledge
• Business knowledge
Where to source them?
• Legal/ Compliance
• In the business
• External
Resources
www.redflaggroup.com
Top 10 risks*
Politics
Intellectual Property Infringement
Sanctions & Exclusions
Corruption & Bribery
Employee Rights
Serious & Organised Crime
Fraud, Money Laundering & Financial Irregularities
Health & Safety
*Source: 14,080 cases conducted by RFG in 2016.
Anti-Competitive Behaviour
Product & Business Regulations
www.redflaggroup.comwww.redflaggroup.com
REMEDIATION
www.redflaggroup.com
Remediation options
What choices are available?
To not mitigate, but refuse to work with the third party. This requires you have all the information you think necessary to convince your business that this is the appropriate option.
To do nothing further. The aim of the due diligence process is to make decisions about a third party, so approval without the need for any further work is a good outcome.
To do deeper research. Diligence is part of an ongoing risk analysis process. When diligence on low risk entities identifies issues they are no longer low risk!
To recommend going ahead with the third party, but subject to conditions.
www.redflaggroup.com
Remediation options
Can you remediate (remove) or manage (accept) risk
Not aware of how you do business
Missing information
Ongoing litigation
Political connections
Conflicts of interest
Policies, code, training, contract
Written undertakings, interviews, site visits
Media monitoring
Internal controls (financial, sign-off)
Internal controls (financial, sign-off)
www.redflaggroup.com
Remediation options
What are the issues?
What options will remediate or manage the issues?• Who decides• Standard vs bespoke
How is it recorded and actioned?• Who does the
activities
Did it work?Were the options chosen correct?
Was it carried out?
www.redflaggroup.com
Poll 2
2. Each remediation is decided on its own merits
How does your company decide what form of remediation actions to undertake?
3. We perform the same actions for all partners
1. We have clear risk-based rules which provides the scope in all cases
5. None of the above
4. Majority of cases are dealt with in a standard process, but some are handled differently
www.redflaggroup.comwww.redflaggroup.com
RECOMMENDATIONS
www.redflaggroup.com
Conclusion
Understand why you need the information so you can justify to your business.
Adapt to different locations to ensure you get the most value for the time and money you invest.
Determine what information you need to make a good decision, then look at the cost to deliver that in the regions you operate.
DUE DILIGENCE
www.redflaggroup.com
Conclusion
Be aware of what your business is wanting to do with the partner.
Assess against what you expected the findings to be.
Ensure that the analysis is performed by people with the appropriate training.
ANALYSIS
www.redflaggroup.com
Conclusion
Aim for a consistent approach, but have a plan for what remediation approaches will be acceptable in what circumstances.
Document and follow up on the actions
It’s ok to not do further remediation when the risk is understood and acceptable.
REMEDIATION
Some risks can’t be remediated – only accepted and managed
www.redflaggroup.com
Integrity due diligence reports
Compliance technology solutions
Supply chain risk management solutions
Compliance outsourcing services
Other solutions and services
Please select the areas you would like us to provide more information on:
Questions and more information?
www.redflaggroup.com
Connect
Websitewww.redflaggroup.com
[email protected]@redflaggroup.com
Webinar schedule and recordings www.redflaggroup.com/webinars
Follow us Twitter: @redflaggroup LinkedIn: The Red Flag Group
Email your feedback or submit webinar topics to: [email protected]