Building a Resilient and Defensible Third-Party Risk Management Compliance Program
Third-Party Risk Management Compliance Program:
Does your business have a Third-Party Risk Management (TPRM) Compliance Program? Are you establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business?
It’s highly probable that, at some point, organizations that affiliate with outside providers will have to deal with an operational interruption resulting from third-party related issues and inappropriate conduct. The risks involved in partnering with outsiders haven’t changed over the centuries. It’s the potential liability that has been ratcheted up several notches. International borders have been torn down. Technology has changed the way businesses communicate.
Easy access to data and information enables the media to report on business news before a business can properly respond. And the markets are quick to form opinions based on a 24/7 on-demand news cycle. The result of this increased liability is problematic. Business litigation has skyrocketed. Corporate reputations are constantly being assaulted. Business strategies are forever shifting. Board members are increasingly subjected to intense scrutiny from outside critics, and a highly educated market responds immediately with their pocketbooks.
Discover How to Demonstrate a Resilient and Defensible Third-party Risk Management (TPRM) Compliance Program with 3PRM™ Services
CRI® Group has a network of local subject specialist operatives across the Middle East, Europe, South America and Asia to extend a helping hand and offer enhanced integrity due diligence as a pre-emptive measure against:
- Experiencing financial loss when a third-party provider fails.
- Losing customers because of poor-quality service from a third party.
- Exposing data systems to breaches because of poor information security practices by a third party.
- Experiencing supply chain issues due to poor disaster recovery procedures by the third party.
- Being exposed to litigation because an outside provider significantly violated contractual terms, potentially resulting in regulatory exposure.
For working with third-party providers, CRI® Group has designed a solution: 3PRM-Certified™. This proactive approach includes Integrity Due Diligence, Enhanced Due Diligence, and Anti-Bribery and Anti-Corruption Compliance Solutions (incorporating ISO 37001 Anti-Bribery Management System accredited certification and training) to mitigate the risks involved with third-party affiliations and protect the organization from liability, business interruption and brand damage.
3PRM-Certified™ A Third-party Compliance Verification and Certification Program
As the risk for data breaches and supply chain disruption continues to rise with COVID-19, so does the need for effective third-party risk management (TPRM) programs. Whether you’re a TPRM professional looking for a certification to advance your skillset, or the leader of your organization considering how to better equip your team with the best knowledge and skills, the 3PRM-Certified™ program is an all-in solution.
Our 3PRM™ service is flexible, and we tailor our scope to address an organization’s specific concerns and risk areas. Our extensive solutions include due diligence, employee pre- and post-background screening, business intelligence and compliance, facilitating any decision-making across your business no matter what area or department. Get ahead of any potential problems down the road with suppliers, contractors, and other third-party partners. Contact CRI® Group today and learn more about our third-party due diligence and risk management solutions.
CRI® Group’s exclusive 3PRM-Certified™ solution provides the very best in third-party risk management. Our 3PRM-Certified™ program provides a proactive approach to mitigating risks from third-party affiliations, protecting the organization from liability, brand damage and harm to the business. The 3PRM-Certified™ program includes a focus on the following:
- Providing third-party risk assessments
- Meeting contracting requirements
- Conducting due diligence
- Identifying potential fraud risks
- Providing management oversight
Utilizing a network of trained professionals positioned across five continents, CRI Group’s 3PRM services utilise one of the largest multi-national fraud investigation teams the industry has to offer. The 3PRM-Certified™ program is especially critical when your business is performing pre-merger and acquisition research and pre-IPO due diligence, engages new clients, employs, contracts or retains foreign business partners and requires a consistent and audit-worthy AML and anti-corruption compliance program.
This TPRM Strategy program will help organizations establish the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. Third-party relationships are critical in business today and include partnerships with suppliers, distributors, consultants, agents and other contractors. While such affiliations are essential to the success of your organization, the consequences of inadequate due diligence cannot be overstated.
Inadequate Procedure
December 2013: a penalty of over US$2.8 million for failing to have in place appropriate checks and controls to guard against the risk of bribery or corruption when making payments to overseas third parties, breaching the FCA’s principle on management and control. Between 19th February 2009 and 9th May 2012, the organisation received almost $33 million in gross commission from business provided by overseas introducers and paid them over $18 million in return.
Inadequate systems around these payments created an unacceptable risk that overseas introducers could use the payments made for corrupt purposes, including paying bribes to people connected with the insured clients and/or public officials.
Regulatory action is not a US or UK phenomenon alone but is increasingly becoming a global issue. Regulatory thinking around third-party risks in some other jurisdictions is highlighted below:
- Singapore: The Monetary Authority of Singapore (MAS) has stated that it “is particularly interested in material outsourcing which, if disrupted, has the potential to significantly impact an institution’s business operations, reputation or profitability and which may have systemic implications.”
- Australia: The Australian Prudential Regulatory Authority (APRA) aims to ensure that all outsourcing arrangements involving material business activities entered into by a regulated institution are subject to appropriate due diligence, approval, and ongoing monitoring.
- Hong Kong: The Hong Kong Monetary Authority (HKMA) states that institutions “should not enter into, or continue, any outsourcing arrangements [that] may result in their internal control systems or business conduct being compromised or weakened after the activity has been outsourced.” – Source: Deloitte Report
Let’s Talk! If you have any further questions or interest in implementing compliance solutions, please contact us.
About CRI® Group
Based in London, CRI® Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence and other professional Investigative Research solutions provider.
We have the largest proprietary network of background screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are, we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.
In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification.
ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI® Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organizations. Contact ABAC® for more on ISO Certification and training.
10 Ways to Maintain GDPR Compliance
In 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) came into force. The GDPR was a response to massive worldwide data breaches that were undermining the trust and security of private citizens whose personal information was at stake. As this data was exposed both by hackers and, in some cases, simply through poor security measures, governments of the EU felt it was time to create a strong piece of governance to bolster protection. While the initial rollout of GDPR held some uncertainty and unknowns for organisations subject to its guidelines, there is now a much clearer picture of how its standards apply. The punishments for being caught out of compliance can be severe: violators of the GDPR may be fined up to €20 million or up to 4 percent of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater (European Commission, 2020; GDPR.eu, 2020). At CRI Group, our integrity due diligence experts are trained at helping organisations achieve and maintain compliance with GDPR. Our leading risk management and compliance agents provide the following top 10 GDPR best practices for any business or entity that deals with collecting, storing or using personal information:
1. Employ a Data Protection Officer (DPO)
It is a GDPR requirement that entities who carry out regular and systematic monitoring of individuals on a large scale, or large-scale processing of certain special categories of data, have an assigned DPO. It is also recommended, however, for all other entities to help ensure data security. While the GDPR does not specifically list the necessary training or qualifications of a DPO, the regulation does require the DPO to have “expert knowledge of data protection law and practices” (Digital Guardian, 2019). Implement thorough background screening processes and make sure the person you appoint is trained and qualified to be your DPO.
2. Train your employees
Ensure that all personnel are aware of the GDPR and your organisation’s commitment to compliance. Make sure that all leaders, and especially key personnel charged with collecting, handling or storing data, understand their responsibilities under GDPR. Make data protection training a regular part of your employee curriculum.
3. Confirm the legality of your data collection
GDPR requires that you have a legal basis to collect personal data. For most businesses, the following are the most likely to be applicable:
- The information is necessary to perform a contract between the organisation and the individual;
- You have a legal obligation to process the data (such as a court order);
- The organisation has a legitimate interest in collecting and processing the data – in other words, there needs to be a relationship and business reason to collect the data (it cannot be random);
- The individual has provided direct consent to the processing of the data.
4. Maintain thorough records
For larger organisations (more than 250 employees), GDPR requires that records of data collection and processing be maintained. This is also a best practice for smaller organisations, as it can help establish that the organisation is dutifully complying with the data protection principles in GDPR. Take inventory and make a record of the data you have collected and are storing to date. Create a detailed matrix to understand what types of data you are holding, where and how it was collected, how and where it is held, and whether it is still needed. Based on this information, you can also develop a data-retention policy to govern how long personal data is kept and stored. Keeping data on file longer than needed is a liability and serves no business purpose.
5. Establish consent policies for data
For some of your records, consent is your lawful basis for holding them. Under GDPR, it is no longer acceptable to assume consent in your collected data or to treat silence as consent. Create clear and unambiguous consent forms for your data collection that demonstrate adherence to GDPR principles. And remember, under GDPR, you must make it a simple process for an individual to withdraw their consent at any time.
6. Perform due diligence on third parties
Under GDPR, your organisation is responsible if third-party partners collect, store or manage data for your organisation. You must ensure their compliance with GDPR as if it were your own, since they are responsible for your data. This is the time to update your contracts with them to include compliance measures, as needed. It is also important that you review their control systems and their data handling processes. They must be comprehensive and meet all of the GDPR requirements to keep data secure. CRI Group’s third-party risk management experts can help you conduct effective reviews of your partners and their processes.
7. Be responsive
Under GDPR, your organisation must respond to requests from individuals whose data you have collected and/or are storing. These requests are spelled out as individuals’ rights regarding their personal data and they include the following:
- Right to be informed about what data is collected and why;
- Right of access to data that has been collected;
- Right to rectification/correction of inaccurate data;
- Right to erasure of data (“right to be forgotten”);
- Right to restrict processing of personal data;
- Right to data portability;
- Right to object to use of data; and
- Right not to be subject to automated decision making, including profiling.
Have a process in place to respond to requests promptly and provide data when requested, in order to stay in compliance.
8. Have written policies in place
Develop your internal policies regarding GDPR and how you protect personal data, and communicate them across your organisation. Take special care to spell out policies on data retention, cross-border processing of data, and how you collect and handle data for persons under the age of 16, as GDPR has special requirements regarding children’s data.
9. Conduct risk assessments
GDPR requires Data Protection Impact Assessments in certain cases. These assessments measure your organisation’s ability to protect personal data, and the risks associated with that protection. If your data processing is considered high-risk, uses new technology, or deals in large-scale processing of data in certain categories, the assessments are required – but they are recommended for any organisation. Data protection experts at an outside firm like CRI Group can help you prepare robust risk assessments and follow-up plans to address their results.
10. Be prepared for a breach
A worst-case scenario in data security is a breach that exposes personal information. Under the steps above, your organisation should be well-positioned to prevent or limit any breach of your data security. However, you should always have a contingency plan in place to respond immediately to a breach should it occur. Understand that GDPR requires that the applicable EU data protection supervisory authority be notified within 72 hours of a breach. Gone are the days when a company can announce it weeks or even months after the fact. Be ready to notify the affected individuals that their data has been compromised, so that they can take the appropriate steps to respond.
Organisations don’t like to think about the impact of a data breach – but major cases have pushed governments to act in the public’s interest. Perhaps nowhere is this more true than in the EU, where the GDPR is now the governing policy for organisations that deal with individuals’ personal data. By being proactive with the steps above, your organisation can be better prepared and maintain compliance with the GDPR. Most importantly, you will have the confidence and trust of your consumers through effective best practices in handling and protecting their data. CRI Group’s experts are here to help. Contact us today so that we can walk you through the steps of GDPR compliance.
CRI Group has safeguarded businesses from any risks, providing investigations (i.e. insurance fraud), employee background screening, investigative due diligence, business intelligence, third-party risk management, forensic accounting, compliance and other professional investigative research services. In 2016, CRI Group launched Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. Contact ABAC® for more on ISO Certification and training.
Due Diligence: 4 Red Flags of Collusion
One of the many schemes that can cause serious legal and financial consequences is collusion in business. While some business leaders might wonder what separates collusion from other types of fraud and how to identify it, there is a key factor: secrecy.
Collusion involves at least two parties (sometimes more) who collaborate to deceive others, usually for financial or market gain. Due to its secretive nature, collusion can be difficult to detect and weed out. This poses a serious problem because the consequences of noncompliance for an organisation are often severe.
According to the Wall Street Journal, the U.S. Department of Justice (DOJ) is “preparing to tackle competition issues in several important markets, including alleged price-fixing in the generic-drug industry, rules for music licensing and purported employer collusion that limits options for sought-after workers” (Wall Street Journal, 2020). Indeed, these are the types of schemes that are most often associated with collusion. Price fixing, for example, is a global problem found in many different industries. However, it’s important to note that collusion is just as common at the local level – for example, where contractors bid to provide goods or services regularly. Sometimes competitors will engage in collusion by making secret arrangements to rotate bids or share bid details to artificially inflate or deflate prices.
In one recent case, the branch manager for a U.S.-based insulation contractor pleaded guilty in a scheme to rig bids and commit other forms of fraud on insulation contracts. The DOJ had launched an investigation into the branch manager’s actions from 2011 to 2018, finding that he “conspired with other insulation installation contractors to rig bids and engage in fraud on insulation installation contracts in Connecticut, New York, and Massachusetts. Insulation installation contractors install insulation around pipes and ducts on renovation and new construction projects at universities, hospitals, and other public and private entities. In addition to his guilty plea, DeVoe has agreed to pay restitution” (DOJ, 2020). “Free and open markets are the foundation of a vibrant economy. For years, the defendant illegally coordinated bids on construction projects to enhance his profits, eliminate competition, and ultimately steal from public and private customers,” said Brian C. Turner, Special Agent in Charge of FBI’s New Haven Field Office.
The DOJ noted in its press release that this crime hurt the hospitals, universities and businesses that solicit and pay for the contractor’s services under the expectation that the bidding process is fair and above board, not rigged to benefit a contractor at their expense. The money lost in such schemes (through paying inflated contracts) often represents taxpayer dollars. The fact that collusion, in this case, lasted for at least seven years indicates that tens of thousands of dollars (or more) were likely lost through fraud.
So, what can organisations do to be better protected from collusion schemes – whether from inside their own company or perpetrated against them by outside partners/contractors? While collusion is secretive by its very nature and can be difficult to detect, red flags can indicate that something might be amiss. CRI® Group’s integrity due diligence experts are specially trained to uncover collusion in all its forms, and they describe the following as some of the signs to watch for when dealing with competitive bid contracts:
A high percentage of awards go to the same company
If a single bidder is winning most of the contracts for a particular set of goods or services, there might be something wrong even if several other contractors are involved in the bidding. This is especially true if there are any issues or complaints around the bidder, such as poor-quality products or services, late delivery on their contracts, etc.
Lowest bidders are not winning awards
If contracts are consistently going to bidders other than the lowest bidder, this might warrant further investigation, as most contracts are considered “low bid” and would reasonably go to the lowest bidder. Also, if there is a higher-than-average range or spread between bidders, that could signal that something is off.
There is a high number of late bidders
Late bids can be a sign of collusion if bidders, or an agent at the organisation soliciting bids, are sharing bid information – such as the highest bid (so far) in an award process. This is especially true when the winning bidder is consistently the last one to submit bids. If late bidders are being approved regularly, you need to know why.
Bidders share (or have similar) names, addresses, or other information
This is an obvious red flag. In some cases, bids from two different contractors have been submitted from the same fax machine! This indicates that parties might be colluding in their bid submissions, and you need to look further.
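The four red flags above can be checked mechanically against a bid register before a human investigator looks at the tenders. The script below is an added example, not CRI® Group’s own tooling: it runs the four checks (award concentration, awards not going to the lowest bidder, late-submitted winning bids, and distinct bidders sharing an address) over a small constructed set of hypothetical tenders and bidders, and reports only the checks that fire. Threshold values and the address normalisation are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Bid:
    tender: str          # tender / contract identifier
    bidder: str          # bidding company
    address: str         # address exactly as written on the bid form
    amount: float        # bid amount, one currency across the register
    submitted_late: bool
    won: bool


# Constructed sample register: hypothetical tenders and bidders, not a real case.
BIDS = [
    Bid("T1", "Acme", "1 Mill Lane", 100_000, True, True),
    Bid("T1", "Beta", "9 High Street", 102_000, False, False),
    Bid("T1", "Gamma", "12 Harbour Rd., Unit 3", 105_000, False, False),
    Bid("T2", "Acme", "1 Mill Lane", 98_000, True, True),
    Bid("T2", "Beta", "9 High Street", 95_000, False, False),
    Bid("T2", "Delta", "12 harbour rd unit 3", 99_000, False, False),
    Bid("T3", "Beta", "9 High Street", 50_000, False, True),
    Bid("T3", "Acme", "1 Mill Lane", 52_000, False, False),
    Bid("T3", "Gamma", "12 Harbour Rd., Unit 3", 51_000, False, False),
    Bid("T4", "Acme", "1 Mill Lane", 76_000, True, True),
    Bid("T4", "Gamma", "12 Harbour Rd., Unit 3", 74_000, False, False),
    Bid("T4", "Delta", "12 harbour rd unit 3", 77_000, False, False),
    Bid("T5", "Acme", "1 Mill Lane", 120_000, False, True),
    Bid("T5", "Beta", "9 High Street", 121_000, False, False),
    Bid("T5", "Delta", "12 harbour rd unit 3", 125_000, False, False),
]


def award_concentration(bids, threshold=0.6):
    """Red flag 1: share of awards per bidder; report those at or above threshold (assumed 60%)."""
    awards = Counter(b.bidder for b in bids if b.won)
    total = sum(awards.values())
    if total == 0:
        return {}
    return {bidder: n / total for bidder, n in awards.items() if n / total >= threshold}


def _by_tender(bids):
    groups = defaultdict(list)
    for b in bids:
        groups[b.tender].append(b)
    return groups


def awards_not_to_lowest(bids):
    """Red flag 2: tenders whose winning bid was strictly higher than the lowest bid received."""
    flagged = []
    for tender, group in sorted(_by_tender(bids).items()):
        winners = [b for b in group if b.won]
        if not winners:           # tender not yet awarded: nothing to check
            continue
        lowest = min(b.amount for b in group)
        if winners[0].amount > lowest:
            flagged.append(tender)
    return flagged


def late_winners(bids):
    """Red flag 3: tenders won by a bid that was submitted after the deadline."""
    return sorted({b.tender for b in bids if b.won and b.submitted_late})


def _normalise(address):
    # Lower-case and collapse punctuation/whitespace so trivially different spellings match.
    return re.sub(r"[^a-z0-9]+", " ", address.lower()).strip()


def shared_details(bids):
    """Red flag 4: two or more distinct bidders whose addresses normalise to the same string."""
    seen = defaultdict(set)
    for b in bids:
        seen[_normalise(b.address)].add(b.bidder)
    return {addr: sorted(names) for addr, names in seen.items() if len(names) > 1}


def red_flags(bids):
    """Run all four checks and keep only the ones that produced a finding."""
    findings = {
        "award_concentration": award_concentration(bids),
        "awards_not_to_lowest": awards_not_to_lowest(bids),
        "late_winners": late_winners(bids),
        "shared_details": shared_details(bids),
    }
    return {name: result for name, result in findings.items() if result}


if __name__ == "__main__":
    for name, result in red_flags(BIDS).items():
        print(f"{name}: {result}")
```

On the constructed register every check fires: Acme takes 80% of awards, wins T2 and T4 without being lowest, and its winning bids on T1, T2 and T4 were late, while Gamma and Delta share one address once punctuation and case are normalised. A finding is a prompt for review, not proof of collusion; the thresholds should be tuned to the organisation’s own bid history.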
The DOJ and enforcement bodies in other countries have demonstrated their willingness to detect, investigate, and punish collusion. For the sake of your organisation, it is best to be proactive when it comes to your bidding and contract processes. CRI® Group’s integrity due diligence services can help you identify the above red flags. Our experts also conduct risk assessments to help find weaknesses in your business processes and controls that might make your organisation vulnerable to collusion. This holds whether you are the party that needs the goods or services or a supplier or contractor submitting bids. The secret crime of collusion causes financial harm through inflated costs, representing a legal and financial liability to your organisation and/or clients. By being attuned to spot red flags, you’ll be more likely to notice the smoke before it turns into a fire.
Take a proactive stance with the highest integrity due diligence as a part of your essential business strategy. Contact us today to learn more about our full range of services to help your organisation stay protected.
CONTACT US
Headquarters: +44 7588 454959
Local: +971 800 274552
Email: info@crigroup.com