Blog

5 (More) Good Reasons Why ABAC Compliance Should be a Priority for Boards

Corporate leaders, including boards of directors, are beginning to pay more attention to bribery and corruption risk. Though growing, this trend is not universal. For all too many organizations, anti-bribery and corruption (ABAC) efforts fall far down the “to do” list.

The World Economic Forum – an organization for public-private partnership which has its flagship meeting in Davos each year – thinks ABAC is so important it has created a specific initiative around it. Called the Partnering Against Corruption Initiative (PACI), the group launched a new report, The Future of Trust and Integrity, in August 2018. The report talks about how bribery and corruption can be reduced through projects that focus on change in three key dimensions of trust and integrity: institutional, behavioural and technological. The PACI group is now targeting projects in all three dimensions.

The fact that the World Economic Forum is engaging so explicitly in ABAC should make it clear to boards how important the fight against bribery and corruption is. However, below are five more good reasons why boards should make their ABAC programs a priority:

Topics: third party risk management, board of directors, reputational risk, board accountability, ABAC compliance, anti-bribery, ethical leadership, duty of care, anti-corruption

Doing the Right Thing - 5 Best Practices in Managing ABAC Third Party Risk

Managing third party bribery and corruption risk can be one of the more challenging aspects of both overall anti-bribery and anti-corruption (ABAC) and third party risk management (TPRM) programs. The two programs are also closely intertwined. Organizational stakeholders – shareholders, regulators, customers, and interested bodies such as pressure groups – are focusing on both of these areas with increased intensity today. This is not surprising, as third parties represent one of the largest areas of ABAC risk exposure to a company, and their compliance failure can result in significant financial and reputational damage for the organization.

However, getting an ABAC program for third parties right – greatly reducing the probability of a risk event occurring – can often mean the need for an organization to substantially raise its game. Applying focus on ABAC compliance after an investigation or enforcement action is never the best approach, as the damage is already done.

Below are 5 important best practices that organizations around the globe are implementing within their ABAC third party risk management programs today:


Topics: FCPA, Anti-Bribery and Anti-Corruption, supplier due diligence, ABAC compliance, vendor due diligence, third party due diligence, third party risk monitoring, compliance standards

Five Key Trends in ABAC Enforcement Demand A Strategic Response From Companies

In the rapidly evolving anti-bribery and anti-corruption (ABAC) enforcement environment, boards and senior managers need a strategic approach to tackling this issue more than ever before. The volume of enforcement activity continues to be high. Investigations and prosecutions in the US remain robust in spite of initial concerns about the impact of Trump administration policies, and global monetary sanctions imposed by the world’s regulators on entity groups in US Foreign Corrupt Practices Act (FCPA)-related investigations totaled $3.2 billion in 2018, the second highest total over the past decade.


Topics: FCPA, Anti-Bribery and Anti-Corruption, SEC, DOJ, uk sfo, sanctions, US Department of Justice, ABAC enforcement, ABAC compliance, World Bank

OFAC Settlement Agreement Highlights the Importance of Knowing Your 4th Parties

Eyelashes expose weaknesses in 4th party and supplier due diligence.

Today the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced a settlement of $996,080 with e.l.f. Cosmetics, Inc. (“ELF”) of Oakland, California. ELF has agreed to settle its potential civil liability for 156 apparent violations of the North Korea Sanctions Regulations, 31 C.F.R. part 510 (NKSR).


Topics: third party risk management, tprm, reputation risk, supply chain risk, 4th party risk, sanctions, supplier due diligence

Charting Your Course Through the TPRM Forest

If your journey to third party risk management (TPRM) maturity includes an RFP in the coming months, you might be feeling a little unsure about the right direction to move forward in the vendor selection process. That’s why Aravo asked Michael Rasmussen of GRC 20/20 to provide Best Practices for Third Party Management RFPs in a recent webinar.

During the presentation, Michael outlined the key capabilities you need to look for if you’re planning a technology purchase to help you to achieve your organization’s third party management objectives, address the uncertainty that comes with risk, and act with integrity. To bring this to life he used the analogy of the forest. If you compare your individual third parties to trees, he said, the forest is the interconnectedness of relationships on the organization. To achieve the highest level of TPRM maturity (as illustrated in the chart below), you need to make sure your RFP is designed to identify tools that deliver a deep understanding of the individual third parties (the relationship level), their engagements (the contract level), and the ecosystem they are a part of.


Topics: tprm, rfi, poc, rfp, request for proposal, request for information, best practices, proof of concept, third party risk management program, third party risk management maturity

Best Practices for Third Party Management PoCs

During a recent Aravo webinar on “Best Practices for Third Party Management RFPs,” I stated that a proof-of-concept (PoC) and/or hands-on pilot is much more effective than the traditional RFP process when it comes to selecting a TPRM solution that will meet your expectations. I wasn’t trying to be contrarian. After 20+ years in enterprise software and participation in countless RFPs, I’ve seen too many clients come back to me two or three years after selecting another vendor through an RFP looking for help in cleaning up a failed implementation – especially in the TPRM space.


Topics: poc, rfp, request for proposal, best practices, proof of concept

Is Best Practice for RFPs not to Issue RFPs?

The RFP has long been accepted as an “objective” way to conduct vendor selection for purchases ranging from hard goods to complex services. Its often lengthy list of feature/function-oriented questions is considered a means to level the playing field between vendors while demonstrating adequate due diligence. But is it necessarily the best way to buy third party risk management (TPRM) technology?


Topics: Third Party Management, rfi, poc, rfp, request for proposal, request for information, best practices, proof of concept

Aravo Solutions Selected to Power Fidelity International’s (FIL) Global Third-Party Risk and Performance Program

Today we are pleased to announce that Aravo Solutions has been selected to power Fidelity International’s (FIL) global third-party risk and performance program.

You can read the full announcement here.

Find out more about Aravo for Third Party Risk Management (TPRM) in Financial Services. This cloud-based application is designed to help financial services firms accelerate their third-party risk programs with confidence, and support compliance with increased regulatory expectations.


Topics: Financial Services, third party risk management, third party performance management program, press release

Getting the Risk Data Right – TPRM’s Biggest Challenge

In third party risk, issues around data – data security and data privacy – often hold center court. In the wake of the recent onslaught of cyber attacks and data breaches, as well as the enhanced and new regulatory efforts to contain them, third party risk managers can often find themselves spending a lot of time talking about data.

But are they focusing on one aspect of the businesses’ data, at the expense of improving their own? Today, third party risk management (TPRM) executives are being asked to help shape their corporate data strategies, while their approach to their own risk data can be painfully out-of-date.

Two recent surveys show that while vendor risk issues may be a high priority for organizations’ finance teams, the way data is used within the risk management discipline falls considerably behind how other parts of the business may be using data to help deliver on the firm’s strategic goals.


Topics: third party risk management, Data Security & Privacy, cybersecurity, tprm, risk-scoring, cybersecurity regulation, cyber risk, third party governance, supplier risk, cyber resilience, vendor risk, internal audit, regulation, data quality checks, vendor database, compliance data, data risk

Cyber-Criminals Target New Companies, New Supply Chains

Cyber-criminals are seeking out new prey. Industries that previously had a lower threat profile – such as oil-and-gas, manufacturing, and shipping – are now falling victim to cyber-attacks at an increasing rate. In some cases, the cyber criminals are using the supply chains of companies in these industries as entry points for the attacks. In other cases, the criminals target these companies directly. In either case, the organizations these companies are third parties to – their clients – are often impacted.

As a result of this new trend, governments are stepping up with new efforts – laws, regulations, and guidance – to help create national supplier ecosystems that are more resilient to cyberattack. Industries are also creating their own working groups and other types of infrastructure to help increase communication about cyber risk – to share experiences as well as information on prevention and resilience. The evolution of cybercrime is rapid – governments, industries and individual companies are working hard to stay ahead of the threat.


Topics: third party risk management, cybersecurity, tprm, cybersecurity regulation, cyber risk, third party governance, supplier risk, cyber resilience, vendor risk, salary