Can your organization provide evidence that your house is in order?

Actions by the U.S. Securities and Exchange Commission (SEC) have amounted to more than a billion dollars in disgorgement, fines and penalties every year for nearly two decades. On average, nearly a quarter of actions filed also included named individuals as defendants. What does it mean for your organization if one of your employees engages in illegal activity? Well, that depends. Can your organization provide evidence that your house is in order?

The executives who sleep well at night know that 1) they have policies in place, 2) they have and enforce a process to ensure policies and procedures are kept up to date, and 3) the organization has gone to great lengths to ensure that all employees and third-party agents of the company are aware of the policies and procedures.

Upon request, managers in their organizations can provide the latest policies, proof of maintenance, access to previous versions, a list of all changes including who made them and when, as well as evidence of employee notification and certification.

Employees in these organizations can also rely on their policy management systems to help them work more effectively and efficiently. Their policies and procedures are appropriately linked to related regulations, risks, controls, and principles, and they include ties to responsible parties, departments, relevant locations, and systems touched. If a new employee, system, or regulation is introduced, they can see who and what is impacted.

The most adept organizations have a broadly communicated philosophy regarding policy documentation and practices that provides a shared foundation for all divisions, departments, and regulatory management teams throughout the enterprise. They utilize a centrally accessible policy management platform that supports collaborative authoring and monitoring while also providing all employees with easy access to the latest approved versions.

How well have you been sleeping? Reach out to us and soon you can rest, too, knowing your house is in order: 412.263.3330.

Third Party Risk and Compliance: Screen potential partners effectively with policyIQ Forms

The subject of third party risk and compliance continues to be a hot topic for our clients and for companies around the world. This past spring, third party risk was one of the key topics at the 2014 Compliance Week conference, and continues to be top of mind. One way that our clients have been using policyIQ to help mitigate third party risk is by utilizing policyIQ forms for the screening of new potential partners, vendors, suppliers and other third parties.

Almost every organization requires these third parties to go through some level of screening process before beginning a business relationship. Sometimes this process is decentralized and informal, leading to poor decisions or poorly documented decisions that cannot stand up to an audit review. Other times the process is highly bureaucratic and complex, which slows the business's ability to move forward with important partnerships.

policyIQ can help you to create a process for screening third parties that is consistent, sustainable, and takes a risk-based approach.

Typically we have seen this process administered by a compliance or legal team; however, each organization can choose how much of the footwork is pushed down to the business owner of the proposed relationship. If your compliance “team” consists of just one or two individuals, the compliance role will be to review the information gathered and the decisions made by your business owners.

Use policyIQ Forms to quickly issue questionnaires to:

  • Third party contact person.
  • Internal relationship owners.

The third party questionnaire might ask for company details, as well as request documentation, such as:

  1. W-9 or other formal supplier profile;
  2. policy documents related to key issues such as information security/privacy, supply chain compliance, or anti-corruption;
  3. references for other customers with similar relationships; and
  4. financial reports.

The internal questionnaire should capture information such as:

  1. the purpose of the relationship,
  2. the benefit to be derived,
  3. the options (or lack of options) for other third parties to fill the same need, and
  4. due diligence documentation, such as
    1. background check,
    2. credit check, or
    3. financial reports.

These questionnaires may be submitted to your compliance team, often along with an initial assessment by the relationship owner of any potential risks.  For specific types of partnerships – or those that are expected to involve more than a defined threshold of transactions – additional detail may be required.  After a thorough review, compliance can confirm the viability of the relationship. To finalize the process, a final attestation may be sent out to the newly approved third party to let them know of their approval – and to require their formal sign-off on a statement of compliance. (This may include signing off on key policies or agreeing to standard terms.)

Let us help you to build a process that works for you!

The process outlined above is just one example of how you can use policyIQ for third party screening. We can help you to build your process, or to define a more efficient process.  If you need a little help confirming that your third party screening process is truly managing your risks and will hold up to regulatory audits, our RGP consultants can help you to review and refine that process, as well. Contact us today and let’s get started!