Accueil
Envoyer
Imprimer
Partager
Globalization and increasing regulatory pressures require organizations to examine their business relationships in order to assess risk, take informed decisions, and comply with laws. From an external perspective there are three main drivers for Third Party Risk Management:
- Anti-Bribery and Corruption legislation (FCPA and UK Bribery Act)
- Anti-Money Laundering requirements
- Emerging markets risks
As a result of these drivers, organizations are looking to build processes and programs to manage third-party risk that is efficient, scalable and fits their unique requirements. Our recent General Counsel Survey (Over the horizon: How corporate counsel are crossing frontiers to address new challenges) shows that Corporate liability for the conduct of third parties has pushed Third Party Risk Management into the spotlight. An effective third-party risk program would likely include the following three elements:
- Identification of Third Parties
- Third Party Risk Assessment
- Integrity Due Diligence
1. Identification of Third Parties
Third parties include business partners, distributors, agents, consultants, vendors, customers, logistics providers and others. Organizations may have thousands of Third Parties archived in systems in various geographies. Thus, the initial challenge is to understand the universe of Third Parties, the location of the data and the means with which to efficiently extract the specific data that will ultimately be used for the risk assessment. Once the universe of third parties and related data has been compiled, organizations would then need to apply initial analytics to eliminate those third parties that would clearly fall out of the scope.
2. Third Party Risk Assessment
After identifying and prioritizing the portfolio of Third Parties or where a new Third Party needs to be on-boarded, there should be a defined process that is then managed to gather further information about a Third Party and to perform a risk assessment to determine the appropriate level of integrity due diligence (IDD) for that particular TPI. The risk assessment can be performed on criteria that are relevant for the organization.
Examples of such criteria are:
- Country of operation
- Nature of relationship
- Country of payment
- Type of industry
- Length of relationship
- Significance of relationship
- Nature of relationship
- Degree of government involvement
- Annual volume of transactions
Following the completion of the risk assessment process, the TPIs can be categorized by risk so that the appropriate level of due diligence can be performed. This can also mean that no due diligence is needed.
3. Integrity Due Diligence
Based upon the results of the Third Party Risk Assessment a good next step is to have five possible actions:
- Deem that no further Integrity Due Diligence is needed
- Perform high-level screening of sanctions/politically exposed persons (PEPs)
- Perform enhanced desktop integrity due diligence
- Perform full, in-country due diligence investigative procedures
- Cease the relationship with the Third Party.
The fourth action is sometimes needed when online due diligence isn’t enough. Organizations may elect to undertake an in-depth Integrity Due Diligence of a Third Party, based on its preliminary risk rating, jurisdictional limitations and other previously identified risk factors.
Alternatively, based on the findings of earlier due diligence (including a high-level screening), the client may seek additional procedures to clarify the findings, address gaps or inconsistencies, or examine relationships more closely. KPMG’s global network of Corporate Intelligence and other Forensic professionals can undertake an in-depth Integrity Due Diligence that typically consists of targeted procedures combining in-depth desk research and field investigations to retrieve documents and information, conduct interviews and site visits. KPMG’s network of professionals can assist with prospective business partners and with local jurisdiction sources that may include business and commercial contacts, current or former associates of the Third Parties, etc. They may also contact colleagues in relevant jurisdictions who have in-country subject matter experience of political, government and business practices.
Don’t be caught off guard!
Applying the appropriate integrity due diligence to the right risk profile is critical to a successful program of managing Third Parties.
By Leo Hattenbach Director, Forensic
kpmg.com
- Anti-Bribery and Corruption legislation (FCPA and UK Bribery Act)
- Anti-Money Laundering requirements
- Emerging markets risks
As a result of these drivers, organizations are looking to build processes and programs to manage third-party risk that is efficient, scalable and fits their unique requirements. Our recent General Counsel Survey (Over the horizon: How corporate counsel are crossing frontiers to address new challenges) shows that Corporate liability for the conduct of third parties has pushed Third Party Risk Management into the spotlight. An effective third-party risk program would likely include the following three elements:
- Identification of Third Parties
- Third Party Risk Assessment
- Integrity Due Diligence
1. Identification of Third Parties
Third parties include business partners, distributors, agents, consultants, vendors, customers, logistics providers and others. Organizations may have thousands of Third Parties archived in systems in various geographies. Thus, the initial challenge is to understand the universe of Third Parties, the location of the data and the means with which to efficiently extract the specific data that will ultimately be used for the risk assessment. Once the universe of third parties and related data has been compiled, organizations would then need to apply initial analytics to eliminate those third parties that would clearly fall out of the scope.
2. Third Party Risk Assessment
After identifying and prioritizing the portfolio of Third Parties or where a new Third Party needs to be on-boarded, there should be a defined process that is then managed to gather further information about a Third Party and to perform a risk assessment to determine the appropriate level of integrity due diligence (IDD) for that particular TPI. The risk assessment can be performed on criteria that are relevant for the organization.
Examples of such criteria are:
- Country of operation
- Nature of relationship
- Country of payment
- Type of industry
- Length of relationship
- Significance of relationship
- Nature of relationship
- Degree of government involvement
- Annual volume of transactions
Following the completion of the risk assessment process, the TPIs can be categorized by risk so that the appropriate level of due diligence can be performed. This can also mean that no due diligence is needed.
3. Integrity Due Diligence
Based upon the results of the Third Party Risk Assessment a good next step is to have five possible actions:
- Deem that no further Integrity Due Diligence is needed
- Perform high-level screening of sanctions/politically exposed persons (PEPs)
- Perform enhanced desktop integrity due diligence
- Perform full, in-country due diligence investigative procedures
- Cease the relationship with the Third Party.
The fourth action is sometimes needed when online due diligence isn’t enough. Organizations may elect to undertake an in-depth Integrity Due Diligence of a Third Party, based on its preliminary risk rating, jurisdictional limitations and other previously identified risk factors.
Alternatively, based on the findings of earlier due diligence (including a high-level screening), the client may seek additional procedures to clarify the findings, address gaps or inconsistencies, or examine relationships more closely. KPMG’s global network of Corporate Intelligence and other Forensic professionals can undertake an in-depth Integrity Due Diligence that typically consists of targeted procedures combining in-depth desk research and field investigations to retrieve documents and information, conduct interviews and site visits. KPMG’s network of professionals can assist with prospective business partners and with local jurisdiction sources that may include business and commercial contacts, current or former associates of the Third Parties, etc. They may also contact colleagues in relevant jurisdictions who have in-country subject matter experience of political, government and business practices.
Don’t be caught off guard!
Applying the appropriate integrity due diligence to the right risk profile is critical to a successful program of managing Third Parties.
By Leo Hattenbach Director, Forensic
kpmg.com
Les médias du groupe Finyear
Chaque jour (5j/7) lisez gratuitement :
Le quotidien Finyear :
- Finyear Quotidien
La newsletter quotidienne :
- Finyear Newsletter
Recevez chaque matin par mail la newsletter Finyear, une sélection quotidienne des meilleures infos et expertises de la finance d’entreprise et de la finance d'affaires.
Chaque mois lisez gratuitement :
Le magazine digital :
- Finyear Magazine
Les 6 lettres digitales :
- Le Directeur Financier
- Le Trésorier
- Le Credit Manager
- Le Capital Investisseur
- GRC Manager
- Le Contrôleur de Gestion (PROJET 2014)
Un seul formulaire d'abonnement pour recevoir un avis de publication pour une ou plusieurs lettres
Le quotidien Finyear :
- Finyear Quotidien
La newsletter quotidienne :
- Finyear Newsletter
Recevez chaque matin par mail la newsletter Finyear, une sélection quotidienne des meilleures infos et expertises de la finance d’entreprise et de la finance d'affaires.
Chaque mois lisez gratuitement :
Le magazine digital :
- Finyear Magazine
Les 6 lettres digitales :
- Le Directeur Financier
- Le Trésorier
- Le Credit Manager
- Le Capital Investisseur
- GRC Manager
- Le Contrôleur de Gestion (PROJET 2014)
Un seul formulaire d'abonnement pour recevoir un avis de publication pour une ou plusieurs lettres
Autres articles
-
La fintech française, Powens officialise son rapprochement avec l'Espagnole Unnax. Objectif : devenir le leader de l'open finance et de la finance embarquée en Europe
-
JuneX, le nouveau fonds "evergreen" pour accompagner "autrement"
-
Pomelo annonce une Série A à 35 millions de dollars menée par Vy Capital
-
Louis Vuitton dévoile un nouveau Collectible exclusif pour sa Communauté VIA
-
Nomination | Paymium confie sa stratégie à Alexandre Stachtchenko
