Corporate Investigations vs. Due Diligence: The Difference and Why a Comprehensive TPRM Solution Is Essential
February 12th, 2025 • Daniel Philemon • Reading Time: 4 minutes
“The world is full of obvious things which nobody by any chance ever observes.” – Arthur Conan Doyle
One of my favorite television shows as a kid was “Scooby-Doo, Where Are You!” Watching Scooby-Doo and the teenage gang discover mysteries, track down clues, and use unorthodox detective tactics to unmask shady characters (who were always conducting silly acts of real estate fraud and/or marketing scams) was a Saturday morning highlight for me. It’s too bad investigators in the real world don’t drive around in bright green “mystery machine” vans with friends and talking Great Danes.
In the world of third-party risk management (TPRM), investigators play an extremely important role in understanding risks pertaining to third parties. Third parties are complex and therefore require different levels and types of investigative processes to properly vet risk and stay compliant.
Investigations can be part of organizations’ due diligence processes or part of organizations’ corporate investigations processes.
Let’s first explain the differences in corporate investigations versus due diligence processes, then explore why it is best practice to log and facilitate all third-party investigative activities in a centralized solution that can align business processes with team contributions and business objectives.
What is Due Diligence?
In TPRM, due diligence is a proactive business process that evaluates a third party before any formal engagement has been initiated or any formal contract has been put into place. Due diligence can consider many aspects of a third party, including financial stability, regulatory compliance (e.g., ABAC, business continuity, ESG, data privacy, cyber, etc.), and reputational risk.
Due diligence can be pursued to varying levels of depth as well. For instance, organizations may conduct preliminary or initial due diligence for any new third party regardless of its inherent risk scores. An initial due diligence process may include basic background checks, financial stability reviews, and general regulatory compliance screenings (e.g., publicly available online checks for politically exposed persons, sanctions/watch lists, negative news, etc.), as well as lightweight questionnaires assigned to internal stakeholders and/or external third-party contacts. Initial due diligence processes involve at least one review cycle in which a dedicated person or team reviews all the initial information captured about the third party and decides to approve, not approve, or conditionally approve the third party (i.e., conduct additional due diligence).
If a third party poses moderate to high risk (e.g., handling sensitive data, operating behind an organization’s firewall, etc.), “enhanced” due diligence may be initiated before an organization decides to accept any of the risks discovered from the initial due diligence process. Enhanced due diligence may be a requirement for third parties that provide critical products or services to the organization or operate in high-risk industries. Furthermore, enhanced due diligence takes a deeper, more expansive look into the specifics of a third party, going beyond publicly available online checks to in-country details (e.g., offline corporate registration records, directorship, and ownership checks as well as offline litigation, regulatory, and law enforcement checks).
Enhanced due diligence can also involve deeper financial analysis, reputation checks, as well as lengthier internal and external assessments to determine compliance with relevant industry regulations (e.g., AML laws, GDPR, NIST, HIPAA, ISO, FCPA, etc.). Some of the most advanced due diligence processes involve in-person site visits (i.e., boots on the ground) as well as discreet source inquiries.
What are Corporate Investigations?
Corporate investigations are very different from due diligence processes because they are reactive measures that occur only when red flags or compliance issues arise. For example, if a third party violates a regulation, is suspected of fraudulent activity, or is at the center of a negative media report, a corporate investigation can and should begin to protect the business from an incident. Corporate investigations are time-sensitive and must move swiftly and efficiently, since the issue being investigated could negatively impact the organization’s reputation, people, and bottom line.
Like due diligence processes, corporate investigations can be conducted at different levels. In all cases, corporate investigations follow several key steps, starting with identifying the issue, scoping out what the team must evaluate, conducting the applicable background checks (including researching adverse media and scouring watchlists), cross-referencing relevant regulations and contractual agreements, and revisiting any previously completed third-party risk assessments. Often, corporate investigations result in an increase in on-site audits, additional interviews with key third-party stakeholders, and ongoing or escalated monitoring and reporting.
Why TPRM Software?
Whether an organization is actively working to prevent risk through due diligence processes or responding to risk-related issues through corporate investigations, third-party processes should be managed in a centralized solution, so that all investigators within an organization can manage tasks effectively and TPRM program managers can audit and track historical activity.
Software, automation, and AI can help businesses streamline, accelerate, and improve the accuracy of core risk management and investigatory processes.
Aravo’s best-in-class Intelligence First™ TPRM platform is built to handle the complexity of organizations’ due diligence processes and corporate investigations. With 25 years of experience in third-party management, Aravo offers a Software-as-a-Service (SaaS) solution that can automate the most detailed of tasks while providing investigators with a holistic lens into their third parties to understand everything from when the last onsite audit occurred, the frequency of periodic third-party monitoring, the risk scores associated with any assessment conducted by a third party, any uploaded documents, the integrated data provider details about the third party, and much more.
Why continue with fragmented systems and manual processes?
Contact Aravo to see our Intelligence First Platform™ in action and learn how we can help your TPRM team level up due diligence and corporate investigations.
Daniel Philemon
Daniel serves as a Senior Business Solutions Consultant at Aravo Solutions and has a passion for helping organizations see value in technology to understand risk through the context of third parties. Daniel has over 12 years of professional experience in the Governance, Risk, and Compliance (GRC) space through various SaaS (Software as a Service) providers.