On this date in 1933, just eight days after he was inaugurated, President Franklin Roosevelt (FDR) gave his first Fireside Chat to the American public. FDR began his chat by stating, “I want to talk for a few minutes with the people of the United States about banking.” He went on to explain his recent decision to close the nation’s banks in order to stop a surge in mass withdrawals by panicked depositors worried about possible bank failures. FDR had correctly assessed that the public had lost confidence in the US banking industry and, based on that assessment, he closed the banks in his famous Bank Holiday. In 1929, over 600 banks folded; by 1932 the number had grown to over 5,100. But more damaging than the bank failures themselves was the perception that the US banking system was on the verge of collapse. FDR also announced that he was reopening the banks the next day. The US banking system has not seen a panic of that kind since.
I thought about FDR’s ability to correctly assess the risk to the US banking system. As compliance programs mature, one of the things that companies struggle with is how to better assess third party risks so that the right resources can be directed at managing them. In the most recent issue of Compliance Insider an article, entitled “Building a Risk-Scoring Methodology for Distributors and Resellers”, lays out a decision-making calculus which can help a company make the best use of its resources, not only to quantify a large number of third party risks but to manage those risks more efficiently.
The article notes that there are two main resources that a compliance practitioner will need in order to rate the risks of third parties. The first is information about the entity. This category of information can come from a number of sources, from the third party itself, in the form of a questionnaire, through to the various levels of due diligence. The second resource is the people who use the information to make decisions. Since there is only a finite amount that you, the compliance practitioner, can find out about your third parties, there is a corresponding need to make the best use of the information you do have. All of this must be balanced between spreading the decision making across a large number of people and ensuring that the decisions made are consistent. To help answer these issues, the article suggests a methodology “to help focus your controls and resources more efficiently”.
1. What is your aim?
The initial step in any risk-scoring exercise is to clearly define what you are trying to achieve. The second part of clarifying the aim is to build an expectation and means of measurement so that you can assess the validity of your calculus.
2. Which information is relevant?
Most generally, the main criteria are the location of the partner or where they will deliver the product or services, the type of service or product that the partner is providing, and the value of that service. This initial analysis can help you to create a high, medium and low risk model. But other factors should also be weighed, which can provide a more sophisticated approach. Some of these factors include the following:
- Are they new or existing partners?
- Are they touching end-users?
- Are they selling to government customers?
- Do you have contracts with them?
- Do they obtain licenses for selling products in that country on your behalf?
- Do you provide market development funds to them?
3. Where can I find the information?
This speaks to the heart of your due diligence process. Obviously a questionnaire forwarded to your potential third party is a starting point. However, such information should be verified and cross-checked. Additional factors should be geographic risk, the value(s) of potential transactions and the compensation paid to the third parties. Lastly, there are the traditional Level 2 and Level 3 due diligence investigations.
4. Consider the questions you will ask the third parties
Here the author believes that an additional analysis should be made of both the criteria required and the possible sources of data to support those criteria. These considerations include:
- Which is the most cost-effective source for the information?
- What is the most accurate way of obtaining information?
- Do you need to ask the question at all?
- How should the questions be worded to ensure the greatest efficiency in getting to the required answer?
- How do you write the questions to ensure the scores are usable?
- Which questions and responses should be scored?
5. Are the responses accurate?
Here is where ‘a second set of eyes’ is critical. The article suggests “sanity checks to ensure that the answers respond to the question and that the responder seems to have understood the question – this is especially useful when the questions have been translated into other languages.” You should also endeavor to cross-check against other information known about the partner, with reviews by multiple persons in your organization. Finally, on the back end you should build audits and spot-checks into your program to assess the accuracy and consistency of approvals.
6. What does it all mean?
Now you have to start using the information. Recognizing that you may need to tinker with your system, it is important that you “design the overall process to allow changes to be made in the future, as you learn more about the results.”
7. What happens next?
Now the time has arrived to score the results. After you determine who will make the decision and the path for review and escalation, if required, you should also consider the Tom Fox Mantra: Document, Document, and Document. In other words, how does the scoring and decision making process get documented in your organization?
8. How will you carry out the review process?
At this point, it is appropriate to consider whether you have met or are moving in the direction that you attempted to establish back in Step 1. You should consider:
- Does your program accurately reflect the risks that you understood the partners posed?
- Is the final result of your process consistent?
- Were decisions on the risk level made by the right people in your organization?
- Were the necessary issues escalated to the right people?
- Have the risks changed?
- Can the process be changed, or has it been built into an inflexible technology or workflow?
Once the review is complete, any necessary changes should be communicated to the staff involved in the process to ensure they know how their role is affected. The author ends with some caveats that you should expect to run into. These include:
- don’t expect to use scoring to fully automate a process – the information available is generally not complete enough to provide an accurate model, so scoring is far better when used as a guide;
- don’t assume you will get it right first time (or second) – it is important to have a clear understanding of what you are aiming at, and to build regular review into the program to recalibrate the scoring;
- keep the process and scoring as simple as possible – most of the relevant risk-related information can be found in a few key criteria; and
- your perception of risk will change when new information comes to light, so remember to document the decision-making process so that you can justify the final risk outcome.
While FDR may have known more intuitively that the real problem with the US banking system was the perception that it was not solvent, you do not have to rely solely on your gut when making informed decisions about the Foreign Corrupt Practices Act (FCPA) risks that a third party may present to your company. For the Department of Justice (DOJ), I think the key is that you assess the risk and document that assessment. If you do so and a third party gets you into FCPA hot water, you have the best chance of coming out on the other side as well as the US banks did after their ‘holiday’ with FDR.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2014