Resilience sector insights - Forensics

There are many different challenges and opportunities for clients – all of which are influenced by their size, the sector they operate in, whether they operate across multiple jurisdictions, and the regulatory environment.

In terms of challenges, three important ones to consider are the organisation’s risk appetite and risk requirements, the cost of a solution, and the culture required to make it work.

Risk requirements - every organisation will have a different risk appetite. You should be aware about the risks your business faces and the actions necessary to mitigate them – this includes the risks associated with doing business with third parties.

There are so many ways - reputationally, financially, and operationally – that third parties can impact your business and your ability to provide your customers with products or services. When onboarding a third party, organisations need to be aware of the risks. For example, are there allegations of bribery or corruption? Are they the defendant in lawsuits? Do they adhere to modern slavery requirements or are there allegations of employee discrimination?

In recent times the number of risks has expanded to also include areas such as cyber and data security and ESG. Further, as the business grows, its risk requirements may change too.

Cost - The cost of implementing appropriate and relevant third party risk management and due diligence programmes, processes and systems is also a constraint. This can mean that the work becomes reactive, i.e. it is addressed when a problem is discovered, rather than proactive, which gives the organisation the opportunity to take a holistic view and approach in a much more thoughtful and measured way.

Culture – It may seem at times that commercial priorities can diverge from those associated with risk and compliance. Therefore, assessing risk can require a cultural change within an organisation so that its importance can be addressed with the due care and attention it deserves.

The vast amounts of data and information online, or stored on company networks, means that clients need to use platforms that enable them to manage and search this data efficiently and effectively. When providing third-party risk management and third-party due diligence services, we use the latest technology platforms. For example, we use proven industry leading technology solutions such as Insight 3PM and DDIQ. Insight 3PM allows us to fully manage the TPRM process including questionnaires, risk models and risk assessment. DDIQ allows us to identify red flags related to sanctions, watchlists, PEPs and adverse media covering a variety of risks such as bribery, corruption, money laundering, litigation, labour and human rights and data security plus many more. Our solutions can be tailored to clients’ risk appetite so that they receive the most appropriate solution for their risk requirements.

In the medium term, clients should focus on getting their house in order, making sure that they have the foundations in place in terms of systems, processes, and procedures. There will be various regulatory and legal updates, revisions and changes in coming years as greater focus is placed on knowing who your third parties are and being responsible for them. Areas of interest include modern slavery, human rights, ESG, cyber security and anti-bribery and anti-corruption. Increasingly, companies will be made responsible for the actions of others in their supply chain and greater emphasis and scrutiny will be placed on relationships with other third parties.

Companies therefore need to consider a variety of factors and activities, such as:

i. integrating their end-to-end process

ii. covering all the relevant and necessary risks including prioritising those that are most significant to the business

iii. simplifying and avoiding duplication and overlap where possible in terms of resources

iv. introducing automation to drive efficiencies and effectiveness.

At the heart of it all though will be their culture, and the people within the organisation will set the tone. They must take risk and compliance seriously, understanding the positive impact that it can have on a company’s financial performance, its reputation and its key stakeholders.

Companies should have internal discussions with key stakeholders with the aim of identifying and agreeing their risk appetite. For example, in terms of risk and compliance, they should address questions such as

i. What matters to us as an organisation?

ii. Where are we vulnerable? Do we meet regulatory and legal requirements?

iii. Are the third parties that we conduct business with the ones that we want to have relationships with?

iv. Are there potential conflicts of interest?

v. Do the key individuals in those third parties pose a risk?

Following this, they can then implement an appropriate and relevant risk management system that is fit for purpose and meets their requirements.