Certa: Automating & Streamlining your Corporate Third-Party Compliance Program
I. State of Corporate Third-Party Risk Management
Corporate enterprises are now more global and heavily reliant on third parties than ever before to operate their business. However, the use of third parties does not diminish the responsibility of a company’s Directors and Senior Management to ensure that its operations are performed in compliance with applicable laws. Regulators such as the Department of Justice (“DOJ”), the Securities and Exchange Commission (“SEC”)[i], and the Office of the Comptroller of the Currency (“OCC”)[ii] are concerned that the quality of risk management over third parties may not be keeping pace with the level of reliance, risk and complexity of these relationships.
Enterprises must practice effective third-party risk management (“TPRM”) regardless of whether the company performs the activity internally or through a third party. Prosecutors expect companies to have risk management processes that are commensurate with the level of risk and complexity of their third-party relationships and the company’s organizational structures. Therefore, they expect more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities, including:
● Clearly articulated compliance policies and Code of Conduct;
● Establishing clear roles and responsibilities for overseeing and managing the relationship and risk management process;
● Conducting risk assessments and proper due diligence in selecting third parties;
● Executing written contracts that outline the rights and responsibilities of all parties;
● Conducting periodic training;
● Performing ongoing monitoring of the third party’s activities and performance; and
● Managing documentation and reporting that facilitates oversight, accountability, monitoring, and risk management.
All of these expectations reinforce the need for companies to hire, train, and manage adequate resources in order to maintain effective risk management practices over third-party relationships. Companies often have departments with dozens, if not hundreds, of employees dedicated to manually gathering third-party information, performing due diligence procedures, performing continuous monitoring, maintaining contracts, and reporting to Senior Management. Employees perform manual processes at each step of the way to keep up with ever-increasing scrutiny from regulators.
In the end, how successful are you at measuring whether your company’s compliance and procurement processes are effectively managing their third-party risk?
Is your TPRM compliance program well designed?
Is it implemented effectively, in earnest and good faith?
Does your TPRM program work in practice?
II. Certa’s Value & Impact in Managing Third Party Programs
Certa’s Software as a Service (SaaS) platform can help automate, implement, and enforce your TPRM Compliance Program to allow your company to prevent violations, detect those that do occur, and remediate them properly and appropriately. Certa is a personalized, intelligent due diligence platform for on-boarding, risk management, compliance and monitoring of third parties. It is a personalized solution that adapts and configures to your specific processes with intuitive and automated workflows for internal and external users. By relying on Certa to help efficiently and easily connect enterprises with their suppliers, clients, partners, and freelancers across the globe, companies can focus on their people and executing their business strategy.
Code of Conduct and Compliance Policies
A company’s code of conduct is often the foundation upon which an effective compliance program is built. Most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.
By leveraging our powerful workflow engine, you can reinforce, through your internal control system, a roll-out of policies and procedures in a way that ensures your third parties receive, acknowledge, and certify to your company’s way of doing business. Our workflow engine allows you to digitally manage all documentation, certifications, and contracts needed to do business with your third parties. We then also assist you in monitoring your third parties’ certification to your policies by automatically alerting you when re-certifications are required based on company-specific business rules (e.g., by risk score, geography, or upon contract renewal). Through our platform, you can also send ad hoc recertification requests to third parties, as needed, to enable your third parties to adhere to changes and updates regarding your policies and procedures.
Oversight, Autonomy, and Resources
The amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, regulators typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business. This means you need resources at each step of the way.
Through our platform, you can assign clear roles and responsibilities for managing each area of the TPRM Compliance Program. Our platform is multilingual and can also integrate with your enterprise risk management framework, which enables continuous oversight and accountability. This provides end-to-end transparency across staff, business units, geographies, and technology systems. Our automated due diligence and AI monitoring capabilities also mean fewer resources are required to manage your program.
Risk Assessment
Assessment of risk is fundamental to developing a strong compliance program and is another factor regulators evaluate when assessing a company’s compliance program. Similarly, performing identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks.
The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.
The Certa platform, through business rules specific to your current due diligence process, can perform custom configured risk scoring on your third parties. Our risk scoring engine can automatically perform risk scoring for third parties and use those scores to drive different levels of due diligence, adjudication steps, approval escalations across business units, contract reviews and monitoring rules. The risk scores can also automatically determine when a third party may need to certify to policies and training requirements. Your risk profile will evolve over time as your business strategy and operations change. Our platform can evolve with you by easily tailoring your risk assessment process to address your changing risks.
Due Diligence and Contracting
Conducting a review of a potential third party before signing a contract helps ensure that companies select an appropriate third party and understand and control the risks posed by the relationship, consistent with the company’s risk appetite.
The company should consider the following during due diligence:
● third party’s strategies and goals
● legal and regulatory compliance program
● financial condition
● business experience, qualifications and reputation
● fee structure and incentives
● reliance on subcontractors
● risk management
● information management and security
Senior management should review the results of the due diligence to determine whether the third party is able to meet the company’s expectations and whether the company should proceed with the third-party relationship. If the results do not meet expectations, management should recommend that the third party make appropriate changes, find an alternate third party, conduct the activity in-house, or discontinue the activity. As part of any recommended changes, the company may need to supplement the third party’s resources or increase or implement new controls to manage the risks.
Developing a contract that clearly defines expectations and responsibilities of the third party helps to ensure the contract’s enforceability, limit the company’s liability, and mitigate disputes about performance.
Self-Service Forms Wizard — Certa’s easy self-service forms wizard allows suppliers to be invited to our portal via email link to answer questionnaires and upload documentation. We can replicate your internal templates for any and all necessary documentation, and ensure those documents are digitally populated through our custom workflows. You can also upload additional documents necessary to perform due diligence procedures (e.g., Audited Financials, Articles of Incorporation). Our portal automatically verifies and authenticates documents and data, including banking information and tax information.
Data Enrichment Integrations — The Certa portal integrates with 50+ data sources to automatically provide a holistic company profile including information such as Legal Name, Tradestyles, Total Employees, Time in Business, Organization Type, Primary Industry Classification, social media presence, Ultimate Beneficial Owners, and members of the Board of Directors. You can therefore vet not only your partner companies, but also the directors and owners affiliated with those companies.
Screening Integration — Our portal integrates with screening providers and an AI open search function that enables you to automate due diligence screening such as sanctions, watchlists, PEP, adverse media screenings, and open search. We can also integrate with a due diligence provider of your choice and host due diligence reports directly within our portal.
Adjudication — With our powerful AI-enabled adjudication workflow, analysts can perform their adjudication responsibilities without being burdened by false positives and duplicate information, all in a clean and intuitive user interface. The adjudication workflow notifies adjudicators via email so they can enter the system to approve, decline, or escalate the request to other stakeholders within the organization.
Training
Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, regulators will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, third parties and business partners. Such measures will help ensure that the compliance program is understood and followed appropriately at all levels of the company.
Certa can assist by leveraging our workflow engine to directly provide your training requirements to your third parties in the form and language appropriate for your specific audiences. Through our platform, you can also send ad hoc requests to third parties, as needed, to enable your third parties to adhere to changes and updates regarding your training requirements.
Gifts, Travel, and Entertainment
As part of an effective compliance program, a company should have clear and easily accessible guidelines and processes in place for gift-giving by the company’s directors, officers, employees, and agents. Though not necessarily appropriate for every business, many larger companies have automated gift-giving clearance processes and have set clear monetary thresholds for gifts along with annual limitations, with limited exceptions for gifts approved by appropriate management.
Our Certa platform can configure workflows that allow employees to submit pre-approval requests for incurring gifts, travel, and entertainment expenses. Requests can be escalated to the proper management and business units for approval. Rules can be configured so that requests involving interactions with government officials and other high-risk third parties require specific information, escalations, and approval decisions. The platform can integrate with your T&E system to block expenses until they are pre-approved in our platform, and can track pre-approved amounts against actual expenses incurred to identify violations of your policy.
Monitoring
Performing ongoing monitoring of the third-party relationship once the contract is in place is essential to the company’s ability to manage the risk of the third-party relationship.
Ongoing monitoring for the duration of the third-party relationship is an essential component of the company’s risk management process. More comprehensive monitoring is necessary when the third-party relationship involves critical activities. After entering into a contract with a third party, management should ensure that employees that directly manage third-party relationships monitor the third party’s activities and performance.
Regulators expect the company’s ongoing monitoring of third-party relationships to cover the due diligence activities discussed earlier. Because both the level and types of risks may change over the lifetime of third-party relationships, a company should ensure that its ongoing monitoring adapts accordingly. Some considerations for ongoing monitoring may include assessing changes to the third parties, compliance with legal and regulatory requirements, financial condition, and key personnel and ownership.
Certa’s dynamic portfolio monitoring framework automatically alerts users when screening results change or when due diligence needs to be refreshed. Through our data integrations, you will receive an alert when changes in a third party’s business profile occur, such as a change in business ownership or structure. Users can review prior adjudication comments and decisions before updating a third party’s risk profile.
Reporting & Documentation
Proper documentation and reporting facilitate oversight, accountability, monitoring, and risk management associated with third-party relationships. A company should have policies and procedures that outline responsibilities for compliance with regard to auditing practices and documentation retention. Companies also periodically test their internal controls with targeted audits to make certain that controls on paper are working in practice.
The Certa platform includes complete audit trail functionality that allows users to identify which data and decisions were approved, by whom, and when. Our forms versioning functionality allows companies to see what information was changed in a form, who changed it, and when, which allows for complete transparency and visibility into compliance audit trails in accordance with regulatory requirements. We also have reporting capabilities whereby you can extract data and use a dashboard to pull custom reports that suit your compliance needs.
III. Takeaways: Why Certa?
● The Certa Platform is a single place to deploy, automate, and monitor all third-party workflows for procurement, compliance, and risk management.
● We bring all stakeholder resources into one platform while configuring their processes into flexible workflows that meet your ever-changing business needs.
● Our business rules engine and API integrations allow for instant validations, escalations and approvals, giving you a 360-degree view into your third-party ecosystem.