Monday, September 26, 2011

Role of Technology in Anti-corruption Compliance

With increased exposure to anti-corruption laws and investigations, and defined anti-corruption practices, how does an organization go about using technology to manage anti-corruption compliance?

Compliance needs to be an active part of the organization and culture to prevent and detect corruption, bribery, and fraud. This continuous and ongoing process must be monitored, maintained, and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents, and detects risk. This requires the organization to implement technology to manage anti-corruption compliance.

Technology can help organizations manage and monitor anti-corruption compliance by enabling and automating:
  • Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires an end-to-end system for managing compliance activities, metrics, and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting fiduciary obligations to have an anti-corruption compliance program in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.
  • Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to monitor changes in anti-corruption laws, requirements, and cases to determine how new developments impact the business. The organizations must use technology to take in legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.
  • Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs a technology platform to manage risk surveys, assessments, and related risk information and report, analyze and model risk.
  • Policy and procedure management: A core process of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All relevant policies related to anti-corruption should be documented, maintained, communicated, and attested to within a technology platform with a robust audit trail and content management capability. This includes code of conduct, anti-corruption, and other related policies.
  • Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations are increasingly using the economies of online training to deliver courses on anti-corruption, and to test employee understanding of policies and requirements.
  • Third-party management: Central to an anti-corruption compliance program is the ability to manage the risk of third-party entities you interact and do business with. Technology, and the integration of content feeds, enables the ongoing due diligence effort to monitor and score vendor/third-party risk, communicate policies to vendors, track attestations, and deliver surveys and assessments.
  • Forms processing and automation: A critical component of an anti-corruption program is the ability to process and automate forms related to compliance policies and procedures. Interactions for contributions, gift, entertainment, and facilitated payments should be managed through online forms and workflow for approval or disapproval.
  • Investigations management: Technology enables the organization to manage and monitor issues and incidents, and collaborate and document investigations. This includes the ability to record the range of issues reported from hotlines and other mechanisms, what actions were taken, and the results of the investigation.
This is the second installment in a three-part series on Anti-Corruption. The first article can be found at:

I would love to hear your thoughts on the role of technology in anti-corruption compliance. This series is a collection of pieces from a published paper – the rest of the paper can be found at:

Monday, July 26, 2010

Managing Risk & Compliance Across Extended Business Relationships

Businesses are engaged in a continuous struggle to grasp the intricacies of risk management in an interconnected environment. The focus during the past few years has been on operational risk management — managing risk to business operations and processes. However, the standard definition used for operational risk management is flawed:

Operational Risk Management: “. . . the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

What is wrong with this definition? It completely ignores the impact of extended business relationships on operations. Properly revised, it would read “the risk of loss resulting from inadequate or failed internal processes, people, systems, and business relationships, or from external events.”

No organization is an island unto itself. Risk and compliance challenges do not stop at the traditional organizational boundaries. Organizations are a complex and diverse system of processes and business relationships that cross countries or span the globe. Organizations struggle to identify, manage, and control governance, risk management, and corporate compliance (GRC) across extended business relationships. Adding to this is the growth and focus on corporate social responsibility (CSR) initiatives that force organizations to determine if business partners hold the same values, practices, and ethics communicated to stakeholders, customers, and the world.

The bottom line: Organizations are complex entities that extend to hundreds or thousands of business relationships around the world. Even the smallest organization can have diverse global business relationships. The impact of the extended enterprise is significant for business. Organizations must actively manage and monitor risk and compliance across the lifecycle of a business relationship.

Any given organization stands in the shoes of its vendors and delegated partners/entities – their problems are your problems and their issues can directly impact your brand and reputation. The challenge before organizations is “Can you attest to an in-compliance status of your extended business relationships across the range of risk issues that can impact your business operations and brand?” . . .

This posting has been an excerpt of Corporate Integrity’s published research, Managing Risk & Compliance Across the Extended Enterprise.

Corporate Integrity is also delivering a full-day workshop on this topic:

Chicago, IL, USA: Managing Compliance Risk Across Extended Business Relationships

I would love to hear your thoughts on the topic of Managing Risk & Compliance Across Extended Business Relationships. Please feel free to comment in this forum, or send me an e-mail.

Thursday, February 19, 2009

Ultimate 3rd Party/Supply-Chain Risk & Compliance Platform

Friend,

Frédéric Bastiat in the 19th century could have been talking (see quote above) about the complexity of managing risk and compliance across business in the 21st century. So often organizations look at the surface of a relationship and fail to see the significance and exposure that can cascade across the organizations, causing severe damage to reputation and exposure to legal and operational risks.

A chain is only as strong as its weakest link . . . in the case of business relationships this could be an organization’s supply-”chain” or other business relationship such as vendors, outsourcers, and service providers that bring increased risk and exposure to the organization.

Today’s organization is a complex diversity of processes and business relationships that span the globe. Organizations struggle to identify, manage, and control Governance, Risk Management, and Corporate Compliance (GRC) across extended business relationships. Whether it is called 3rd party, vendor, or supply-chain – risk and compliance challenges do not stop at the traditional boundaries of the organization. Adding to this is the growth and focus of Corporate Social Responsibility (CSR) initiatives that are forcing organizations to determine if their business partners hold the same values and ethics that the organization communicates to its stakeholders and customers. Further, there are specific pressures within vertical industries to formally manage 3rd party risk (e.g., the FDIC released guidance this past summer requiring banks to manage 3rd party risk).

The issues organizations face in managing risk and compliance across business relationships include:

  • Code of conduct. Communicating and validating that the business partner and its employees share the same values and ethics as the organization.
  • Labor standards. Managing adherence to a complex array of international laws while validating that the business partner has proper controls to ensure compliance to policies on working hours, forced labor, child labor, wage, discrimination/harassment, and benefits.
  • Corporate social responsibility. Ensuring that the business partner is communicating and reporting similar corporate values on social, environmental, and financial practices (e.g., global reporting initiative).
  • Anti-corruption. Conveying policies and training while validating compliance to anti-corruption and bribery statutes and standards (e.g., Foreign Corrupt Practices Act, OECD Anti-Bribery Convention).
  • Operational risks. Identification, assessment, management, and monitoring of operational risks across business relationships and their impact on the organization.
  • Supply-chain risks. The management and monitoring of specific risks within supply-chains and their impact on the organization and its products.
  • Environmental. Ongoing monitoring of business partners’ commitment to environmental standards as well as compliance with laws and regulations that impact environmental responsibility.
  • Health and safety. Ensuring that business partners are committed to safe working environments free from hazards.
  • Security. Validating that business partners are meeting obligations to protect the physical and information technology environments.
  • Privacy. Enforcing privacy requirements on personal information as well as sensitive corporate information across business partner relationships.
  • Quality. Providing for ongoing monitoring to ensure that quality and/or service level agreements are met in adherence to contract and expectations of the business relationship.

The ultimate platform to manage risk and compliance across 3rd party relationships has the abilities of:

  • Definition and modeling of relationship, risks, compliance issues, and controls across extended business relationships;
  • Communication and attestation of policies, procedures, and code of conduct;
  • Delivery of training on code of conduct, compliance, policies, and procedures;
  • Integration of risk and compliance intelligence that alerts the organization to new developments and issues that could impact specific relationships and/or geographies;
  • Self-assessment by each business partner of the risk and compliance requirements within that particular business relationship;
  • Providing for independent audits to validate controls, risk, and compliance to laws and contractual requirements; and,
  • Scoring of risk based on the business relationship and status of assessment and audit findings.

Large organizations around the world struggle and are actively looking for solutions and service offerings to answer these 3rd party risk and compliance obligations. Just in the past few months Corporate Integrity has interacted with over two dozen of the Fortune 500 looking for solutions and professional services to assist them in their 3rd party risk and compliance strategies. Within one organization, I have sat on a social accountability advisory board aimed at managing international labor standards, workplace safety, and code of conduct across 5000+ vendors in a global supply chain.

This is a particular golden opportunity for technology providers that provide a Software as a Service (SaaS) offering allowing organizations to have a software platform hosted on the Internet and not open up internal networks to hundreds or thousands of business relationships.

Specific solutions in the 3rd party risk and compliance space include:

  • Outsourced GRC process management. Organizations such as Intertek are providing a full-service offering to outsource management and monitoring of 3rd party/supply-chain risk and compliance. This includes a software platform hosted in a SaaS model to communicate policies, deliver training, and assess risk while also providing for independent validation through onsite audits.
  • Code of conduct and policy communication. Communication, attestation, and training on code of conduct and specific policies is critical to managing compliance across business relationships. Axentis offers the strongest platform for the ongoing communication and training of policies and procedures. Integrity Interactive is another vendor offering a subscription platform.
  • Compliance & risk assessment. To manage risk, organizations need a platform that allows them to push self-assessments on risks, controls, and compliance to business partners. This is further enhanced by allowing independent auditors also to use the platform to assess business relationships. Archer Technologies, Axentis, and Compliance 360 have focused solutions to manage a full risk and compliance process across 3rd party relationships.

Third party risk and compliance issues are significant, overwhelming, growing, getting more complex, and not going away. Corporate Integrity sees 3rd party risk and compliance management as one of the most challenging GRC issues facing organizations across industries over the next 18 months.

Monday, November 24, 2008

3rd Party Risk & Compliance – A Significant Challenge for Large Organizations

Issues impacting corporate governance, risk management, and compliance are abundant. Corporate Integrity (CI) has identified 27 issue areas that organizations struggle with in risk and compliance – THOUGH the one that is keeping CI research and advisory the busiest is 3rd party risk and compliance management.

What do you mean by 3rd party risk & compliance?

Third party risk and compliance is a generic term – specific industries and organizations may refer to it as supply chain, vendor, or service provider risk and compliance management. The impact of the extended enterprise is significant on business. Organizations are dealing with numerous and global relationships. There are also specific pressures within industries to formally manage 3rd party risk (e.g., the FDIC released guidance this past summer requiring banks to manage 3rd party risk).

The specific risk and compliance concerns impacting 3rd party relationships extend across a range of issues – international labor standards, code of conduct, corporate social responsibility, operational risks, supply chain risks, environmental, health and safety, security, privacy, quality . . . the list of issues across industries is expansive.

Core processes that organizations require to manage 3rd party risk and compliance include:
  • Definition and modeling of relationship, risks, compliance issues, and controls with extended business relationships;
  • Communication and attestation of policies, procedures, and code of conduct;
  • Delivery of compliance and code of conduct eLearning/training content;
  • Ability to have business partners conduct self-assessments of risk, compliance, and controls;
  • Interface for consultants and auditors to validate risk and controls and exercise right to audit clauses;
  • Provide a platform for risk and compliance intelligence where the company can be alerted to new developments and issues that could impact specific relationships and/or geographies; and,
  • Assessment and scoring of risk based on the business relationship and status of assessment/audit findings.

Large organizations around the world struggle and are actively looking for solutions and service offerings to answer these 3rd party risk and compliance relationship processes. Just in the past few months Corporate Integrity has interacted with several large and medium-sized banks, a major food retailer, Fortune 100 retailers, entertainment conglomerate, high-tech manufacturers, life sciences firm, insurance, major pharmaceutical benefits provider, and more. In one firm I sit on the social accountability advisory board aimed at managing international labor standards, workplace safety, and code of conduct across 5000+ vendors in a global supply chain. These issues are significant, overwhelming, growing, getting more complex, and not going away.

This is a particular golden opportunity for technology providers that provide a Software as a Service (SaaS) offering – as organizations are reluctant to open up their internal networks to accomplish 3rd party risk and compliance management.

A few technology and service providers that CI’s research has revealed delivering solutions in this area include:
  • Archer Technologies. Archer has provided a vendor management solution that several companies, including major banks, have utilized to manage risk and compliance. They have shown particular traction for this offering with financial services organizations.
  • Axentis. Axentis delivers a SaaS platform that is being used by several clients to communicate policies, deliver training, and conduct self-assessments. This includes work for major life sciences firms and their web of business relationships.
  • Compliance 360. C360 has worked with a few customers in this area, including a major retailer to communicate and manage code of conduct across suppliers.
  • Intertek. Intertek is not a software vendor, but provides an outsourced 3rd party risk and compliance offering to major Fortune brands. This includes a technology component, though the service is packaged in a way to outsource the whole process of 3rd party risk and compliance – including independent audits.

This is just a quick synopsis of a very intricate issue that organizations are struggling with. Corporate Integrity welcomes your comments and thoughts on this topic.