Blog

5 (More) Good Reasons Why ABAC Compliance Should be a Priority for Boards

Corporate leaders, including boards of directors, are beginning to pay more attention to bribery and corruption risk. Though growing, this trend is not universal. For all too many organizations, anti-bribery and corruption (ABAC) efforts fall far down the “to do” list.

The World Economic Forum – an organization for public-private partnership which has its flagship meeting in Davos each year – thinks ABAC is so important it has created a specific initiative around it. Called the Partnering Against Corruption Initiative (PACI), the group launched a new report, The Future of Trust and Integrity in August 2018. The report talks about how bribery and corruption can be reduced through projects that focus on change in three key dimensions of trust and integrity – institutional, behavioural and technological dimensions. The PACI group is now targeting projects in all three dimensions.

The fact that the World Economic Forum is engaging so explicitly in ABAC should make it clear to boards how important the fight against bribery and corruption is. However, below are five more good reasons why boards should make their ABAC programs a priority:
Read More

Topics: third party risk management, board of directors, reputational risk, board accountability, ABAC compliance, anti-bribery, ethical leadership, duty of care, anti-corruption

OFAC Settlement Agreement  Highlights the Importance of Knowing Your 4th Parties

Eyelashes expose weaknesses in 4th party and supplier due diligence.

Today the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC)  announced a settlement of $996,080 with e.l.f. Cosmetics, Inc. (“ELF”) of Oakland, California. ELF has agreed to settle its potential civil liability for 156 apparent violations of the North Korea Sanctions Regulations, 31 C.F.R. part 510 (NKSR).

Read More

Topics: third party risk management, tprm, reputation risk, supply chain risk, 4th party risk, sanctions, supplier due dilligence

Aravo Solutions Selected to Power Fidelity International’s (FIL) Global Third-Party Risk and Performance Program

Today we are pleased to announce that Aravo Solutions has been selected to power Fidelity International’s (FIL) global third-party risk and performance program.



You can read the full announcement here.




Find out more about Aravo for Third Party Risk Management (TPRM) in Financial Services. This cloud-based application is designed to help financial services firms accelerate their third-party risk programs with confidence, and support compliance with increased regulatory expectations.

Read More

Topics: Financial Services, third party risk management, third party performance management program, press release

Getting the Risk Data Right – TPRM’s Biggest Challenge

In third party risk, issues around data – data security and data privacy - often hold center court. In the wake of the recent onslaught of cyber attacks and data breaches, as well as the enhanced and new regulatory efforts to contain them, third party risk managers can often find themselves spending a lot of time talking about data.

But are they focusing on one aspect of the businesses’ data, at the expense of improving their own? Today, third party risk management (TPRM) executives are being asked to help shape their corporate data strategies, while their approach to their own risk data can be painfully out-of-date.

Two recent surveys show that while vendor risk issues may be a high priority for organizations’ finance teams, the way data is used within the risk management discipline falls considerably behind how other parts of the business may be using data to help deliver on the firm’s strategic goals.

Read More

Topics: third party risk management, Data Security & Privacy, cybersecurity, tprm, risk-scoring, cybersecurity regulation, cyber risk, third party governance, supplier risk, cyber resiliance, vendor risk, internal audit, regulation, data quality checks, vendor database, compliance data, data risk

Cyber-Criminals Target New Companies, New Supply Chains

Cyber-criminals are seeking out new prey. Industries that previously had a lower threat profile – such as oil-and-gas, manufacturing, and shipping – are now falling victim to cyber-attacks at an increasing rate. In some cases, the cyber criminals are using the supply chains of companies in these industries as entry points for the attacks. In other cases, the criminals target these companies directly. In either case, the organizations these companies are third parties to – their clients – are often impacted.   

As a result of this new trend, governments are stepping up with new efforts – laws, regulations, and guidance – to help create national supplier ecosystems that are more resilient to cyberattack. Industries are also creating their own working groups and other types of infrastructure to help increase communication about cyber risk – to share experiences as well as information on prevention and resilience. The evolution of cybercrime is rapid – governments, industries and individual companies are working hard to stay ahead of the threat.

Read More

Topics: third party risk management, cybersecurity, tprm, cybersecurity regulation, cyber risk, third party governance, supplier risk, cyber resiliance, vendor risk, salary

Third Party Risk Management - Salaries, Budget and Team Size

In this week’s blog on the results of the Global 2018 ‘Taking the Pulse of Third Party Risk Management’ Survey, we will delve into the some of the resourcing benchmarks for third party risk management.

To mix things up a little, we will also share the results of polls conducted at the CeFPro Vendor & Third Party Risk conferences in New York and London last month, where we first launched the results of the survey. This gives us some additional interesting cross-Atlantic perspectives.

 We’ll start with salary.

Salary
Why salary? Well everyone’s at least a bit interested in what the benchmarks for their profession may be, and there’s a paucity of data on third party risk management compensation. 
Read More

Topics: OCC, third party risk management, tprm, survey, cyber risk, third party governance, benchmarking, supplier risk, vendor risk, salary, compensation, budget

Third Party Risk Management Benchmarking Survey Results

Earlier this week we published the results of a survey that we conducted with the Center for Financial Professionals. With over 200 respondents from around the globe, the survey was designed to take a snapshot of the state of third party risk management, and to help firms develop their road-map to maturity, and support with planning, resourcing and direction.

The survey provided a great deal of insight, and we’ll be taking a deep dive into some of the results together with the implications for TPRM programs over the coming weeks.

We will also share the results of some polls that we conducted at the CEFPRO Vendor & Third Party Risk Conferences in New York and London where we launched the results. These provide an interesting cross-Atlantic comparison between peers.

But first to the survey results – which revealed gaps between regulatory expectation and the reality associated with third party risk programs. What looks good in theory, is often a lot harder in practice.

Read More

Topics: OCC, Financial Services, third party risk management, governance, tprm, survey, cyber risk, third party governance, benchmarking, supplier risk, vendor risk, concentration risk, fourth party risk

Expert Interview: Keith Koo on A Horizon View of Third Party Risk, Cyber-Risk, and Emerging Technologies

 

Sometimes, in the world of third party risk, we spend a lot of time looking at what is directly in front of us (or re-actively, what’s behind us), or even with our heads in the sand. Industry expert, Keith Koo, spends a lot of time looking to the horizon.

When you meet Keith – you are immediately struck by the energy and enthusiasm he brings to the topics near and dear to his heart: disruptive technology, digital innovation and cyber-security, and the intersection of all these trends with third party risk.

Not only has Keith had significant experience in managing large third party risk programs for large banks and enterprise technology companies, he now advises companies with the most complex and pressing third party management challenges as a Managing Partner at Guardian Insight Group.

However, it’s been his experience working in the Silicon Valley, that also spurred Keith’s long-term interest in digital innovation, cyber-security and emerging, disruptive technologies such as cryptocurrencies and blockchain.

Read More

Topics: third party risk management, Data Security & Privacy, data privacy, cyber risk, technology, blockchain, cryptocurrency

Bribery & Corruption – A growing focus for governments and companies

Although the way firms and individuals are being prosecuted for bribery and corruption continues to evolve, the overall direction of travel is towards increased responsibility for the prevention of these activities. Most FCPA actions (83%) of 2017 involved bribery schemes that relied on third-party intermediaries such as agents, consultants, or contractors.  And yet according to a recent survey, organizations are not responding fast enough by implementing the right policies and risk assessments.  

Read More

Topics: risk and compliance, Anti-Bribery and Anti-Corruption, third party risk management, Corruption, Bribery, compliance risk, tprm, uk bribery, supplier risk, vendor risk, regulation

Five Third Party Risks The Regulators are Focusing On

It’s the billion-dollar question – what is on a regulator’s mind when they walk through the door of a firm? What kinds of things are they looking for – and is the firm prepared?

The focus on third party risk management by regulators has increased significantly over the past few years.  The regulators themselves are providing some clear and coherent guidance on their expectations, such as: OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance; FFIEC Appendix J: Strengthening the Resilience of Outsourced Technology Services. And, if you’re looking for a ‘crib-sheet’ of what the examiners are likely to be looking at, there’s also OCC Bulletin 2017-7: The OCC's Supplemental Examinations Procedures for Third Party Relationships.

In February 2018, Aravo brought together a panel of experts, two of whom were former US regulators, to talk about how supervisors are thinking about third party risk management. You can listen to the broadcast here – but we’ve also distilled it down into five key take-aways.

Read More

Topics: risk and compliance, third party risk management, information security, compliance risk, tprm, third party risk, cyber risk, supplier risk, vendor risk, occ compliance, third party risk regulators, regulatory frameworks, third party compliance, third party vendor, FFIEC, concentration risk, fourth party risk, geopolitical risk