How do your peers conceptualize their homogeneous groups of third parties?
In April 2024, the AFA (French Anti-Corruption Agency) published the results of its third-party assessment survey. This lets any company wishing to set up such an anti-corruption system learn about the difficulties and best practices of its peers. This is very useful given that the third-party assessment pillar is regarded as the most difficult to implement among the 8 original pillars of the Sapin 2 law (cf. AFA 2022 study; the AFA obtained 414 responses to its questionnaire).
A plebiscite on the approach
90% of respondents consider the creation of homogeneous groups of third parties with comparable risk profiles to be an effective approach for determining the nature and depth of the assessments to be carried out.
As a reminder, the AFA recommends that the nature and depth of the assessments to be carried out - and therefore of the information to be gathered - should be determined according to the different groups of third parties with comparable risk profiles, as identified by risk mapping. These are known as Third-Party Risk Groups (TPRGs). It is also specified that groups of third parties deemed to be of little or no risk may not be assessed, or may be subject to a simplified assessment, while the riskiest groups will require an in-depth assessment for each third party. In this way, we can concentrate on the riskiest third parties, while managing a large but adjusted volume of third parties.
A median of 9 TPRGs
25% of companies declared fewer than 5 TPRGs, 50% fewer than 9 TPRGs, and 75% fewer than 20 TPRGs.
For 50% of them, the TPRGs were identified after they had drawn up their risk mapping. 33% did both at the same time, no doubt to save time in setting up the system.
The majority of respondents use a mixed approach to establish homogeneous groups of third parties: risk scenarios and a list of risk criteria are predefined.
If it is indeed the risk mapping that feeds the creation of TPRGs, we can legitimately think that, to qualify each third party, the company needs to retain the criteria that will enable each group of third parties to be identified.
The 3 most frequently used risk criteria: country, activity and business volume
Country risk, one of the risks mentioned in Sapin 2, comes out very clearly on top for 52% of respondents. Next come business volume and sector of activity, for 29.5% and 25% of respondents respectively.
The nature of the transaction, the length of the relationship, the nature of the third party and even economic dependence are also taken into account to qualify the TPRGs.
TPRGs: the link between risk mapping and third-party assessment
On the whole, companies know how to enlist the help of consulting firms to draw up their risk maps and qualitatively identify their third-party groups.
When you want to set up a third-party assessment tool and load your third-party portfolio based on risk level, you need to structure that portfolio into TPRGs in order to control the depth of analysis to be carried out, as recommended by the AFA. This isn't always easy when you have several different data repositories, often incomplete and insufficiently qualified.
This is undoubtedly why more than half of all companies claim to draw up their TPRGs both on the basis of the risk scenarios identified in their corruption risk mapping, and on the basis of a list of predefined criteria.
At Ellisphere, we are convinced that companies need support to identify and qualify the third parties they need to include in their assessment process, in order to optimize their due diligence actions.