On June 1, 2020, the DOJ published an updated version of its guidance on the Evaluation of Corporate Compliance Programs, and enhanced third party management was a topic of focus. The updated guidance was meant to “reflect additions based on our own experience and important feedback from the business and compliance communities.” The June 2020 update builds on themes highlighted in its previous update (April 2019) while remaining focused on three fundamental questions that provide structure to the analysis:
- “Is the corporation’s compliance program well designed?”
- “Is the program being applied earnestly and in good faith?’ In other words, is the program adequately resourced and empowered to function effectively?”
- “Does the corporation’s compliance program work in practice?”
While the revisions created by the June 2020 update are not extensive, they do reflect the DOJ’s continued emphasis on adopting a practical and dynamic approach to evaluating the effectiveness of a company’s compliance program – an integral component of which is the management of vendors and other third parties.
While the guidance continues to emphasize that “A well-designed compliance program should apply risk-based due diligence to its third-party relationships,” there were several updates that either directly or indirectly impacted third party management.
Here are my Top 5 updates that have a high relevance to third party management programs, along with my recommendations on what areas to assess to identify potential gaps and close them when they exist.
1. Document Vendor Justification
The guidance added new language directing prosecutors to “assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners.” The requirement for companies to know the business rationale for needing the third party is new to the guidance.
A simple way to address this is to incorporate a “business justification” step in your planning and procurement process, allowing you to document your rationale. While this may not be practical for every type of vendor (i.e. the local caterer), it’s a must have for at least your critical and high-risk third-party relationships.
2. Address Risks Throughout the Vendor Management Lifecycle
Language was added to the guidance asking prosecutors to evaluate “Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” This appears to get at the problem of poor third-party risk monitoring, which is rampant in many third-party management programs.
Review your vendor management program to ensure it encompasses management and oversight of vendor risks through all stages of the lifecycle. This includes planning, procurement, risk assessments, due diligence, contracting, onboarding, monitoring and finally termination.
3. Resource the Compliance Program to be Effective
The updated guidance revised the second overarching question from “Is the program being implemented effectively?” to asking instead whether the program is “adequately resourced and empowered to function effectively.” This change suggests that the DOJ is concerned that compliance functions are not being given adequate resources, and that compliance officers are not sufficiently empowered within their organizations.
Vendor risk management and compliance programs are notorious for being under resourced. Unfortunately, a lack of resources won’t be an acceptable reason for non-compliance under a DOJ review. To ensure your resources are adequate, you should start by identifying all of the stakeholders involved in vendor management and ensuring you have established clear roles for all of them. RACI charts are a great tool to use in this process. From there, you can determine if you have any resource gaps and, if so, create a plan to fill them through additional staff, outsourcing or some combination of both.
4. Continuously Mature and Refine Activities
The guidance states that, once a program is established, it must be periodically updated and refined or there is the risk that prosecutors will deem it a “paper” program.
Your vendor management program should include an ongoing review and update of the program to keep it fresh and continually evolve the effectiveness of policies and procedures. These updates to existing policies and procedures should be made in accordance with the company’s periodic risk assessments, and should be based on lessons learned. A best practice is to create a maturity roadmap for your program to continually refine and strengthen your vendor risk management practices, and to drive more value from your vendor relationships too.
5. Establish Adequate Systems and Reporting
There is a new sub-section in the guidance that queries whether compliance and control personnel have access to data “to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?” It also asks whether “any impediments exist that limit access to relevant sources of data,” and if so, “what is the company doing to address the impediments?”
This reinforces the need for a central vendor management system that is used as the central, source of truth for data on vendors and other types of third parties. Data on vendor justification, risk assessments, due diligence, contracting and monitoring activities should all be captured in one system to allow for proper reporting and the effective testing of compliance with policies, controls and transactions.
With its latest update, DOJ continues to raise the bar on what it expects from companies’ compliance programs. The DOJ’s Brian Benczkowski said the revised version of the guidance “reflects additions based on our own experience and important feedback from the business and compliance communities.”
A key portion of those additions is more focus on third-party risk, and how the compliance program identifies and deals with it. Now is a great time to take a step back to look at your own vendor management program and identify any compliance gaps you may need to fill.
If you need a hand in assessing your current vendor management program, Vendor Centric can help. Contact me at firstname.lastname@example.org to schedule a free consultation.