In the second in her blog series on protecting supply chain integrity, Holly Miller looks at why one-off, look-back, due diligence is no longer adequate. To read her first blog on this topic, click here. 

Supply chain or third-party risk is nothing new. However, recent events such as the global pandemic, the war in Ukraine, and the economic turmoil in many major economies has significantly changed the third-party risk landscape for many organizations. This is why it’s more vital than ever for decision-makers to understand who they are doing business with and the risks their organizations are being exposed to as a result.  

Despite these changes in the risk landscape, however, many organizations still only perform one-off screening or due diligence exercises for new suppliers at the time of onboarding. Very few monitor their existing suppliers for risk and the ones that do this may be basing their assessments on a one-dimensional view of data and/or risk. 

This approach to due diligence screening can expose organizations to regulatory, financial, or reputational risks that may not have been apparent at the time of onboarding. 

One-off Screenings & Supplier Audits: Why The World Has Changed 

Many pieces of legislation, such as the Foreign Corrupt Practices Act 1977 or the UK Bribery Act 2010, recognize that compliance programs should be proportionate to risk. As such, there are very few rigid or prescriptive requirements in place from regulators regarding third-party management. 

Since these legislations were initially implemented, the landscape has changed in several ways: 

• Lessons have been learned in sectors such as Life Sciences, which has had to react to significant enforcement activity and supervision. There are now strong examples of analytics-led compliance programs to manage the risk of their third parties. In 2020, the US Department of Justice (DOJ) updated guidance on what makes an effective compliance program, and the message is clear: a stale “paper program” that is based on a snapshot in time doesn’t work in practice and is no longer good enough.  
• There is an expectation from the DOJ and other regulators that continuous access to data be made available to compliance teams and that ongoing monitoring of third-party relationships be required.   
• Technology in 2023 is light years ahead of the technology that existed – even in 2010. It’s now possible to continuously monitor third parties for integrity risks. 

• Legislation is being enacted continuously around the world, increasing the expectations of organizations to own and manage integrity risks within their supply chain. This is not just about monitoring fraud and corruption. It also includes assessing the risks of human rights violations, environmental impacts, sanctions, financial crime, and more. 

Based on this, the base line expectation of what is reasonable and adequate in response to changing risk has moved on. Continuous monitoring is no longer a best practice – it’s an expectation. 

Why Continuous Monitoring is Necessary  

Having a continuous approach to monitoring is necessary to ensure you have the fullest picture of the organizations you’re doing business with. At the time of onboarding, a new third party may look squeaky clean, but what happens if: 

OFAC releases a new sanctions regime and several shareholders and directors of your organization’s supplier base are impacted? 

1. A new director is appointed at one of your suppliers, who is a senior politician in a significant growth jurisdiction? 
2. Recent adverse media identifies that a key supplier is accused of significant environmental violations? 
3. ESG reporting requirements in some of the origination’s jurisdictions have changed? 
4. A conflict of interest has been identified between a new employee and the CEO of a key supplier? 
5. A supplier recently changed their bank account details to an account in an offshore tax haven? 

These examples expose an organization to possible regulatory, financial, or reputational risks, which would have been hidden without a continuous or at least periodic monitoring program. 

Powering Decision Intelligence to Expose High Risk Activity 

In legacy programs, compliance teams have had to compromise on screening and monitoring due to the effort and resources required to manually bring internal and external data together, sift through false positives, and review self-declarations from employees and third parties. In addition, siloed teams reviewing third parties for multiple, different risks result in additional inefficiencies and a lack of context. Organizations have often had to prioritize screening on a risk-based sample of organizations and often only refresh a smaller sample every couple of years. 

To overcome these challenges, organizations need to be able to connect their data to derive the most meaningful insights. And this starts with context. Technology exists today that addresses many of the challenges organizations previously faced in managing the integrity of their supply chain: 

• Technology that incorporates accurate Entity Resolution capabilities allows organizations to connect internal and external data at scale to create trusted, dynamic single views of suppliers. This can significantly reduce the vast number of false positives that can occur when screening against a fuzzy match of a supplier’s name. 
• Network analytics allows an organization to automatically screen their suppliers, and their suppliers’ network including connections to other suppliers, businesses, and individuals. 
• Contextual monitoring provides a 360-degree view of a supplier to provide intelligence-led detection of the highest risk suppliers and/or transactions to the top. Enhancing this approach with supervised or unsupervised machine learning techniques allows compliance teams to focus their efforts on third parties, which are most likely to expose the organization to risk.
  

Bringing it All Together 

To surface genuine high-risk activity, organizations must put their data to work using the power of advanced AI and analytics technology. By bringing together both internal and external data and using a greater number of signals, you can filter out the riskiest activities, transactions, or third parties for review without creating high numbers of false positives. A Decision Intelligence Platform is proving to be the best line of defence.