It's not unusual for a company to want to go through all its third parties with a fine-tooth comb. However, this can quickly turn out to be very costly and time-consuming... and, above all, pointless!

As the AFA (French Anti-Corruption Agency) points out in its recommendation N°207, "The nature and depth of the assessments to be carried out and the information to be gathered are determined according to the various homogeneous groups of third parties presenting comparable risk profiles; risk mapping makes it possible to draw them up. In this way, groups of third parties deemed to be of little or no risk may not be assessed, or may be subject to a simplified assessment, while the riskiest groups will require an in-depth assessment".

It's certainly necessary to find up-to-date beneficial owners and screen them... but only for the highest risks. You can even do nothing about certain third parties (suppliers, customers) if, according to your risk mapping, they present no risk. And for low-risk third parties, a probity analysis of the company's directors and legal entity may be more than sufficient.

What this means in terms of "best practices" to follow:

Identifying the categories and volumes of third parties at risk enables you to calibrate your third-party integrity assessment tool (and therefore your budget), as well as the resulting due diligence workload (including training) for your operational staff. Don't forget that the overall cost of the system is the sum of the two. By limiting the portfolio of third parties to be included in your assessment tool, you can size your spending appropriately and make substantial savings.

Some data providers will try to sell you the same depth of data on all third parties, without telling you how fresh their data is. Demand up-to-date information on high risks, and don't pay for data that you won't use, or that is likely to add to the workload of your teams. Follow the risk-based consulting approach by applying your risk mapping to your third-party integrity assessment system.

Use the medium-risk questionnaire to obtain the beneficial owner directly from the third party. The best tools will launch the screening as soon as the beneficial owner is collected, and may even compare it with the beneficial owner in the Official Register or with a beneficial owner already in the database. In all cases, this will enable you to obtain an up-to-date and cost-effective beneficial owner, or to challenge an existing one.

Your risk mapping is based on your processes, and often on internal data. Build your own probity score by integrating both external and internal data (such as the amount spent, or the nature of the activity) into your risk indicators, to filter your risks.

Define your workflows in advance, according to your organization's needs, to channel and secure assessment processes according to the level of third-party risk groups, especially if you intend to partially delegate responsibility for assessment to operational staff.

Start your assessments and internal deployment gradually. Start with the risk segments identified by the risk map, to familiarize your users with the assessment tool. You don't have to move too quickly; user support is a key factor. By spreading out the third parties to be assessed over several years, you give yourself a better chance of success! We recommend starting with certain companies, subsidiaries or business units, or certain groups of third parties at risk, which enables you to turn users into internal promoters who can support or even train new users. Understand that adoption will be gradual, and that you are spreading Compliance throughout your organization. It's a transformation project that requires the full involvement of senior management to give it meaning, in particular by giving concrete expression to the application of ethical values within the company.

Automate due diligence tasks on so-called green risks to close assessments, while placing third parties under surveillance with a periodic review date. In this way, you can smooth out charges over time, while maintaining control over the probity risk for your third parties.

At Ellisphere, we are specialists in BtoB third-party assessment; we don't offer risk mapping, to stay focused on our core business and offer our customers the best. We work with business consulting experts such as Finegan and Cortona Conseils, whom we recommend to our customers, and with whom we optimize the transition between risk mapping and the third-party assessment tool.
