Description
Third-party risk management (TPRM) encompasses many disparate processes and risk categories to manage. Although many regulations focus on managing the risks arising from suppliers, vendors and other third parties, they do not always specify what has to be assessed and monitored.
Join Samira Duijnmayer of Booking.com, who will give you insight into the key regulatory areas you should consider for your program and recommend measures to improve compliance with third-party risk management (TPRM) regulations.
In this session, Samira discusses:
- Key risk considerations affecting global companies
- Data privacy and cyber security regulations
- International sanctions, trade and financial regulations
- ESG standards, as well as anti-corruption and anti-bribery standards
- How will new regulations affect TPRM, even if your organization is located outside the EU, the UK or the US?
Navigating the regulatory requirements that affect TPRM can be complicated. Register now for insights from a leading expert on the subject!
Speakers
Samira Duijnmayer
Booking.com
Transcript
Matt: All right, let's start with the introductions. My name is Matt and I work here at Prevalent in the business development department. Today we are joined by our guest speaker, Samira Duijnmayer. Samira is Director of Regulatory Compliance at Booking.com, specializing in financial and regulatory crime, and she also focuses on sanctions, bribery and fraud. Also joining us today is Scott Lang. Scott is our Vice President of Product Marketing. Hi, Scott.
Scott: Hi, Matt.
Matt: And, as a small note, this webinar is being recorded, so you will receive it along with the presentation shortly after the webinar. Finally, your microphones are muted, so please use the Q&A box for any questions you have during the webinar. Without further ado, I hand over to Samira, who will talk to us about the key regulatory areas related to third-party risk management (TPRM).
Samira: Thanks, Matt, for the introduction, and thanks everyone for joining today. For those who don't know me yet, my name is Samira Duijnmayer and I'm based in Amsterdam, the Netherlands. As Matt mentioned, I have worked for an online travel agency, Booking.com, for the past six years now, heading the program for financial crime compliance and third-party risk. Prior to working for Booking.com I worked at several law firms, where I advised big corporates on compliance policies and best practices, which also included big investigations into money laundering, fraud and corruption. At Booking, I'm leading and driving the end-to-end risk management program for third-party risk and financial crime compliance. For the people less familiar with Booking.com: we have grown from a small Dutch startup to one of the largest e-commerce companies in the world, so we invest in digital technology to help take the friction out of travel. And I'm happy to provide some insights today. I will dive into some of the critical steps to enhance third-party risk management compliance. But before we dive into the specifics of building and maintaining a robust TPRM program, it's also essential to understand the regulatory landscape that significantly influences these efforts. So my focus today will begin with an overview of the regulations that have the most substantial impact on TPRM. These regulations can be broadly categorized into ongoing regulations that have been shaping the industry for several years and new regulations that are emerging in response to the evolving global trends that we're seeing. So let me start with a little bit on the ongoing regulations. Think about the international sanctions and trade regulations. These have long been a cornerstone of TPRM, together with anti-bribery laws, which are critical for maintaining ethical business practices.
These laws aim to prevent corruption and bribery in all business transactions, safeguarding our reputation and operational integrity. But also data privacy and cyber security regulations, especially with the increasing importance of data protection. These regulations mandate stringent measures to protect sensitive information and maintain cyber security, which is specifically crucial for mitigating risks associated with third-party data handling. And some of the new regulations that I will speak about are the ESG standards that we're all hearing about left and right. These have become increasingly important as many organizations strive to demonstrate their commitment to sustainable and ethical business practices, so it's now also a very critical component of risk management and corporate responsibility. And then we also hear a lot about AI on the EU level, but also national AI strategies, whether in the US, Canada, the UK or China; they're all developing their own AI strategies, introducing new regulations that will address the ethical and responsible use of AI. These regulations will also have significant implications for your third-party relationships, especially those involving AI technologies. So now let's dive a little bit deeper into these regulatory areas and examine how we can navigate this complex landscape to enhance our TPRM compliance. I'm going to give a little bit of a refresher for each of the regulations, on what they are and what they mean, as I believe that we have a diverse group of people together in today's webinar. So let me start with international sanctions and trade regulations: a little bit of a refresher, and some backward-looking and forward-looking.
International sanctions and trade regulations are laws and policies implemented by countries and international bodies to restrict and regulate trade with certain nations, organizations or individuals. These regulations are crucial for maintaining global security, enforcing foreign policy objectives and preventing activities like terrorism and human rights abuses. They are often designed to exert pressure on specific countries or entities to influence political or economic change. So for instance, the US has imposed comprehensive sanctions on Iran, while the European Union has applied very targeted sanctions against Russia. These are some examples. The application can arise for a number of reasons, which is often based on the location of the relevant activity, the citizenship of the persons or entities involved, and the nature, value or currency of your business dealings. But not all sanctions are created equal. Sanctions regimes can differ greatly by territory, but commonly fall into one of these categories. Comprehensive sanctions: broad prohibitions against virtually all transactions involving certain countries, so Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk and Luhansk regions in Ukraine. But also your list-based sanctions: prohibitions on virtually all transactions with specifically sanctioned persons or entities, where ownership of an entity owned or controlled by a sanctioned person is very relevant, based on the 50% rule for instance. But then you also have your sectoral sanctions: restrictions on certain transactions relating to specific sectors of a targeted country's economy.
And then you have of course your export control regulations, which are laws and regulations that restrict the sending, let's say the export, re-export, transfer, transit or brokering, of certain goods, software and technology that either can be used for military or for both civilian and military purposes, or which has been restricted for the end use of a specific person or entity. Export controls usually apply to the physical transfer of goods as well as the transmission of technologies, software, technical data or information, for example by sending an email or making files available for download in another country. So some of the backward-looking on last year: in 2023, enforcement actions related to international sanctions and trade regulations resulted in approximately 1.5 billion in fines and penalties. These enforcement actions highlight the critical importance of compliance in a variety of industries and also underscore the consequences of failing to adhere to international trade laws and sanctions. This was actually spread across a wide range of industries, so not only regulated institutions, each facing unique challenges related to compliance. You have your traditional finance, you know, banks and financial institutions; they were heavily scrutinized for their role in facilitating transactions that may involve sanctioned entities or individuals. So for instance, you've seen some know-your-customer protocol deficiencies that led to breaches of sanctions. But also manufacturing firms: they faced enforcement actions for exporting goods to restricted territories, emphasizing the importance of compliance and supply chain management. The tech industry was heavily impacted by sanctions relating to the export of sensitive technologies and software, also highlighting the intersection of innovation and regulation.
So as I mentioned, a lot of KYC deficiencies; that was definitely a common theme across many industries. But also companies were penalized for conducting business operations in territories subject to international sanctions. And what we're also seeing is a lack of senior management commitment, so that's a significant factor in many enforcement actions. To actually prioritize sanctions compliance, effective TPRM compliance does require the support and active involvement of senior leadership to foster a culture of compliance throughout the organization. So a little bit of forward-looking, 2024 to 2025. One of the major changes from a couple of months ago is the extension of the statute of limitations for violations related to sanctions and trade regulations to 10 years instead of 5 years. This has several key implications. The extension actually allows regulatory bodies more time to investigate and prosecute violations, so companies cannot just rely on the passage of time to avoid penalties for past non-compliance, but must be diligent in also maintaining detailed records of their transactions and compliance efforts for at least a decade. So historical compliance will be under greater scrutiny, with the need for robust recordkeeping practices. Also the expectation for a robust sanctions compliance program: so your regular risk assessments to identify and mitigate potential sanctions violations. The focus should definitely be on, you know, the geographic location, your customer or transaction-based risk associated with your operations. Performing enhanced due diligence on your higher-risk vendors, particularly when dealing with high-risk regions, customers or transactions, especially in jurisdictions where there's a higher risk of imposed sanctions on individuals or entities.
And then of course your internal automated screening systems for transactions and business partners against updated sanctions lists on an ongoing basis. Moving on to anti-bribery and corruption laws. Also a little bit of a refresher here on some of the ABC regulations, and particularly the differences between the US and the UK, so the FCPA and the UK Bribery Act. The FCPA is a US federal law. It applies to US persons, including US companies, citizens, residents, and foreign companies listed on the US stock exchange. Some of the key provisions of the FCPA: it's basically prohibiting US persons and businesses from bribing foreign officials to obtain or retain business. What this really means is that the law makes it illegal for US persons, including US companies, to give money or gifts to foreign government workers to get business deals. That's basically what it means. So let's say a US company wants to win a contract in another country. It cannot offer money, gifts or other perks to a government official in that country to get that business. There are also some very relevant accounting provisions, requiring publicly traded companies to maintain accurate books and records and implement internal controls to prevent bribery. So let's say you're publicly listed: you must keep detailed and accurate financial records, and you must ensure that no one in your company can easily hide a bribe or fake the company's financial records. So you also need to have systems in place to prevent and detect any attempts to bribe someone. Enforcement: the US Department of Justice and the Securities and Exchange Commission focus primarily on prosecuting companies and individuals involved in bribery, specifically targeting bribery of foreign government officials, and not necessarily covering private sector bribery.
So, bribery between private businesses. And of course there are very severe penalties, including significant fines and imprisonment for individuals. On the UK Bribery Act: obviously a law of the United Kingdom, but this one has very much an extraterritorial reach, applying to any company or individual with a close connection to the UK, including UK companies, citizens and residents, as well as foreign companies doing business in the UK. Some of the key provisions there: it basically covers bribery of any person, so both public and private sector bribery; specifically, it's addressing bribery of foreign officials, and it also introduces an offense for failing to prevent bribery by associated persons. And some of the key provisions in the UK Bribery Act say that companies can actually avoid liability if they can prove they had adequate procedures in place to prevent bribery. So if a company has strong anti-bribery policies, training programs or internal controls, and an employee still manages to bribe someone, the company can argue that it did everything it could to prevent bribery. And there are also very severe penalties, including unlimited fines for companies and up to 10 years of imprisonment for individuals. So some of the backward-looking on what we've seen in 2023: global enforcement agencies imposed around 700 million in penalties relating to anti-bribery and corruption violations. This significant figure actually reflects the ongoing efforts to hold companies accountable for corrupt practices and deter future violations. What we have also seen is a little bit of a decline in voluntary self-disclosures by companies, and this shift can be attributed to the increased focus on national security related corporate crimes, basically diverting attention and resources away from traditional anti-corruption efforts.
So companies may have been more cautious in self-reporting due to uncertainties about the regulatory environment and potential repercussions. Several industries have been impacted, for instance the healthcare industry and insurance, and specifically multinational commodities. And from what we've seen, the somewhat fewer voluntary self-disclosures are likely influenced by the geopolitical conflicts and sanctions, such as those in Ukraine and Israel. So governments are increasingly linking national security concerns with corporate practices, particularly regarding foreign investments, technology transfers or supply chain integrity. What this will lead to is more rigorous enforcement of anti-bribery and corruption laws as part of broader national security strategies. So you see many agencies working together, the DOJ together with the US Department of the Treasury's Office of Foreign Assets Control, OFAC. So I do believe that going into 2025 what we will be seeing is increased enforcement activity: the backlog of FCPA investigations that has accumulated over recent years is going to lead to a surge in enforcement actions, so companies should certainly prepare for more scrutiny as authorities work through pending cases, and have resources allocated to manage the potential increase in compliance reviews or legal consultations. We have also seen a new corporate anti-bribery initiative. The new international corporate anti-bribery initiative represents a collaborative effort among multiple countries to harmonize anti-bribery laws and enforcement practices. So this initiative really aims to close the loopholes and create a unified front against corporate bribery, increasing the risk of detection and prosecution for violators. And then of course, similarly to the sanctions program, there's always an expectation for a robust ABC program.
So you'll have your comprehensive risk assessments to conduct, to identify and mitigate potential bribery and corruption risks in your operations, and this includes evaluating risks associated with specific countries, industries and business partners. And then also think about your regular training programs for employees at all levels, to ensure that they understand anti-bribery laws and internal policies. Moving on to some of the data privacy and cyber security backward-looking and forward-looking. In 2023, and this is just an example of the many fines that we've seen, there was a $2 billion fine in GDPR violations. So what we're seeing is that there's a big impact on technology, software and social media. Major tech companies were penalized for inadequate data protection measures, reflecting the critical need for robust privacy practices in the industry. Software companies were scrutinized for privacy vulnerabilities in their products. Social media companies were heavily fined for failing to protect user data, and also for a broad spectrum of issues: lack of verification systems, ineffective privacy features, no control over their data sharing. So what we're expecting, and some of these have come into effect already, is a focus on more privacy regulations. An example is the Digital Services Act in the EU, and the Digital Markets Act. The DSA actually aims to create a safer digital space by regulating online content and ensuring accountability for online platforms. So it really applies to these large platforms and social media companies, imposing strict rules on content moderation, transparency and user protection. But what this means for the TPRM program is that companies will need to ensure that third-party platforms and service providers comply with content moderation requirements to prevent the dissemination of illegal content.
And of course ensuring that the third parties comply with the stringent data handling and privacy requirements as laid out by the DSA. What we're also seeing is a focus on some of the emerging technologies, which I will be speaking about a little bit later on, with AI. But now moving on to some of the other hot topics: ESG. In recent years ESG has transitioned from, I would say, a niche concern to a central pillar of corporate strategy and risk management. Stakeholders, including investors, customers, employees and regulators, are increasingly demanding that companies operate responsibly and sustainably. This shift reflects a broader understanding that long-term success and value creation are intrinsically linked to how organizations address environmental, social and governance issues. An example is the Corporate Sustainability Reporting Directive, which entered into force last year in January, and which is basically part of the EU's broader agenda to improve and standardize sustainability reporting across member states, ensuring that companies provide reliable and comparable ESG information. So companies will need to adopt standardized practices to ensure transparency and consistency in their reporting to comply with these standards. This means integrating ESG reporting requirements into vendor contracts and monitoring their adherence. So think about workforce management: reporting on employment practices, including diversity, inclusion, working conditions and employee well-being. Human rights: disclosing policies and practices to prevent human rights abuses within the company and the supply chain, including measures to combat forced or child labor. And then of course ethics and compliance: disclosing policies and practices related to ethical business conduct, anti-corruption measures and compliance with laws and regulations.
You'll have to establish clear policies for collecting, verifying and reporting ESG data. So it's very important that you assign roles and responsibilities within your organization to ensure comprehensive ESG reporting. Imagine you're a manufacturer that sources raw materials from various suppliers worldwide. You need to create a policy that dictates how these suppliers report their carbon emissions, labor practices and waste management efforts. You might want to designate a compliance officer to oversee this process and set up regular check-ins with your suppliers to ensure that they're following your guidelines. Also, third-party data collection and management systems must be scrutinized to ensure they meet your ESG standards. So regular audits and validation should be included in your TPRM processes to verify the accuracy and reliability of third-party data. Let's say your company partners with a logistics provider to handle product distribution; you'll need to review their data collection systems to ensure that they're actually accurately tracking things like fuel consumption, CO2 emissions or the use of renewable energy. And then enhanced monitoring of supply chain practices: there will definitely be increased scrutiny on those. So you might want to conduct annual audits where you or an external firm visits the manufacturing site to verify that they're adhering to your environmental and social standards. But how do you implement this? As a company, you can conduct these regular on-site inspections or employee interviews at supplier factories, or even conduct surprise inspections. You can also require suppliers to submit documentation or detailed questionnaires about their practices, proving compliance with labor standards. There are several ways to think about ensuring that they comply with your ESG standards.
What we're also seeing is that there's this integration of ESG with human rights and financial crime risk management. Financial crime, including money laundering, bribery, corruption and fraud, all falls under the governance pillar of ESG. So good governance practices are definitely essential for preventing financial crime and ensuring ethical business conduct. So definitely think about a collaboration between compliance, legal and other risk management teams, as this will be critical to address the interconnected risks and ensure comprehensive risk mitigation strategies. Stricter contractual obligations: think about including ESG clauses in contracts with third-party vendors. You need to mandate compliance with the relevant standards. These clauses can clearly state what is expected in terms of ESG, social responsibility and governance practices. They can even include the consequences if the vendor fails to meet those expectations, such as penalties, contract termination or the need for corrective action. What we are seeing, though, is that there's a focus on high-impact sectors. So for high-impact sectors such as healthcare, energy or manufacturing, TPRM programs will need to include specialized due diligence processes tailored to the sector-specific ESG risks and regulatory requirements. It really requires a deeper understanding of the unique ESG challenges and implementing targeted risk management strategies. So for instance in the healthcare sector, a company might be particularly concerned about ensuring that their suppliers of medical devices comply with stringent regulations regarding product safety or ethical sourcing of materials. Enhanced risk management might involve conducting regular audits of the suppliers' manufacturing processes. So these are the things to think about with ESG.
Moving on to another hot topic, AI, primarily focused on the EU Commission's AI Act. The EU Commission's AI Act actually introduces a risk-based approach, categorizing AI systems into several levels: minimal, limited, high and unacceptable. Each category dictates the regulatory requirements based on the potential impact of the AI system on safety, rights and freedoms. So for companies this means a need to assess and classify AI systems according to these categories. The level of regulatory scrutiny and compliance requirements will also vary depending on the classification. So high-risk AI systems, such as those used in healthcare, infrastructure or legal systems, will actually face stringent regulatory requirements. This will require data governance, transparency measures and risk management protocols, and companies deploying these systems must actually maintain detailed documentation and reports to demonstrate compliance, including evidence of risk assessments and impact analysis. So to give an example: in healthcare, an AI system that helps diagnose diseases must be trained on diverse, accurate medical data to avoid misdiagnoses that would harm patients, right? So the company would need to implement processes to regularly check and update the data to ensure it remains accurate and relevant. Or a very straightforward example is autonomous vehicles, self-driving cars that navigate and operate on public roads. So companies will need to conduct more thorough assessments of third-party vendors that provide or utilize AI technologies. This includes evaluating the AI system for compliance with new regulatory measures, and also verifying that the third-party AI vendor meets the required regulatory standards.
Also the adherence to risk-based categorizations and conformity assessments, and this verification process should then be integrated into your vendor onboarding and ongoing management procedures. So before signing a contract with a vendor offering AI-driven cyber security tools, for instance, a financial institution would require proof of certification that the AI meets the necessary security and privacy standards. This certification check certainly becomes a mandatory step in your vendor selection process. We will also see more scrutiny from supervisory authorities. They will be responsible for overseeing AI compliance, enforcing regulations and handling disputes, and non-compliance with AI regulations can certainly lead to potential financial penalties, including fines and sanctions. And of course, beyond financial repercussions, companies may face reputational damage and loss of customer trust. Here too we see that there's a focus on high-impact sectors, so healthcare, medical devices or autonomous vehicles, but of course this will all increase over time. So even if your organization operates outside major regulatory jurisdictions like the UK, the EU or the US, it can still be impacted by these regulations. For instance, GDPR applies to any company processing EU citizens' data, regardless of the company's location. Similarly, international trade sanctions can affect global supply chains. So therefore, global enterprises must adopt a proactive approach to TPRM by understanding and preparing for regulatory impacts from basically all jurisdictions. But there are also geographic and jurisdictional challenges, in that some regulations may require data localization, meaning that third parties must store data within specific jurisdictions, but this can create challenges, especially when sanctions and trade restrictions are in place.
So companies need to ensure that their third-party vendors are capable of meeting these localization requirements to remain compliant, and then non-compliance can also lead to barriers to market entry. For example, a company that fails to adhere to GDPR may find itself restricted from handling data from the EU, effectively blocking entry into a significant market. Or similarly, sanctions enforced by bodies like OFAC can limit an organization's ability to engage in trade with certain countries or entities. So maybe your company is located in the EU, and the EU has different applicable sanctions laws and regulations. So what do you do? You have to determine which sanctions apply to your business by understanding the sanctions enforced by OFAC, the EU and other relevant jurisdictions. And in today's interconnected world, regulatory compliance in the supply chain is a critical issue. There are suppliers and partners around the globe, and they adhere to their local regulations, so this means that even smaller organizations must align with these standards to maintain valuable business relationships. And then non-compliance can seriously damage an organization's reputation, leading to loss of customer trust or even potential boycotts. These then often attract adverse media attention, or have other effects on the organization's market position. Your customers and partners have high expectations when it comes to data security or other responsible management. So any breach that occurs due to inadequate third-party risk management can certainly severely erode trust. But how do you stay compliant with the evolving regulatory landscape? Definitely, taking a holistic approach to TPRM is essential. You want to evaluate all potential risks associated with your third-party vendors, not just financial or operational but also legal, reputational or compliance risk.
So what does that mean in practice? Staying compliant with all of the evolving regulations that I walked you through in relation to TPRM certainly involves a proactive and comprehensive approach, as you want to future-proof your TPRM program. This sounds very straightforward, but subscribe to regulatory updates: it's vital to regularly receive updates from the relevant regulatory bodies. By subscribing to these updates you can ensure that you're informed about the latest changes and developments as soon as they happen. Engage with industry groups: participating in industry associations or groups that focus on regulatory compliance can provide valuable insights and networking opportunities. These groups often share best practices and upcoming changes; I see it as a VIP lounge for regulatory news, where you get the scoop before it's publicly announced. And leverage your regulatory technology, which offers real-time alerts and updates on regulatory changes, because these tools can help you automate the monitoring process and ensure you're aware of new requirements as they arise. But also establish clear policies: maintaining clear and comprehensive TPRM policies and procedures, which are the foundation of an effective TPRM framework, provides guidance on how to manage risks associated with third parties and ensures consistent compliance efforts across the organization. So think of this as setting the rules of the game. These policies should cover everything from how you choose a third-party vendor to how you assess and monitor them. But also regularly update that framework, especially when new regulations are coming. Since regulations are evolving, your framework should adapt accordingly to stay effective and compliant. So let's say new data protection laws are introduced.
Your TPRM framework should then be updated to include these new requirements, such as enhanced data handling practices or updated privacy assessments for vendors. But it's also crucial to clearly define and communicate your organization's risk appetite and tolerance levels. Articulating how much risk your organization is willing to accept will guide your TPRM strategy and help you make informed decisions about managing third-party risks. So if your organization decides it can only tolerate a low level of operational risk, you might be stricter about which suppliers you work with, requiring them to have robust disaster recovery plans or high levels of cyber security. But it could also be the other way around. Also think about your due diligence. Before you establish any relationship, it's crucial to conduct a detailed assessment to evaluate potential risks and ensure that the third party meets your compliance standards. This initial step also sets the foundation for secure and compliant partnerships. But look, not all third parties present equal risk, so they should also not consume equal risk assessment capacity. So develop criteria to help you categorize third parties into high-, medium- and low-risk buckets, which will help you better allocate your limited resources where they will have the most impact. And if you understand the universe of third-party relationships, then you can better determine which third parties should be considered in scope and therefore subject to a risk-based diligence exercise, because not all vendors are subject to the same level of scrutiny. You might care less about a catering company or a vendor that provides office supplies. The key to effective vendor risk management is just knowing which vendors pose the most compliance, regulatory and reputational risks to your company.
And then of course the ongoing monitoring: continuously monitor third parties for compliance and potential risks. Due diligence is just not a one-off or one-time event, but an ongoing process. Third-party risk management and due diligence, for many companies, usually take a back seat after a third party has been brought on board. And this actually leaves a lot of organizations unaware of the third-party risks that occur, which, if left unmitigated, can actually lead to critical issues that could significantly affect the reputation of your organization. And that doesn't mean that the liability is on the third party's side. Ultimately, the company that engages the third party is held responsible by regulators and customers for not identifying and addressing the issue. So definitely, regular monitoring helps to identify any changes in the third party's compliance status. And of course, for your higher-risk third parties you apply enhanced due diligence: a deeper level of scrutiny and more frequent assessments or monitoring to manage the increased risk effectively. And then, very important, you need to implement strong contractual controls. It really begins with your clear contractual compliance clauses. The contract should explicitly outline the regulatory standards and compliance obligations that third parties must meet. This clarity helps set expectations, and it provides a solid foundation for managing compliance throughout partnerships, at the beginning of a contractual relationship and ongoing. So you need to make sure that your third party stays aware, but at the beginning of that contractual relationship you can actually set the tone; that happens at the beginning of the contractual relationship, not after. So you look beyond just the monetary relationship, and you approach it from the values and the service delivery and ongoing effectiveness of a relationship.
So how do you set that tone at the beginning? Think about how transparent you should be in the beginning of these discussions. As a company, you should clearly identify and communicate your needs. And if you're not transparent, your third parties won't be transparent either. And ensure that you have clauses around the right to audit. Ensure that it grants you the right to audit and access relevant third-party information when you need to. This is a key element in maintaining oversight and ensuring that third parties adhere to agreed-upon standards, and of course your regular termination clauses for non-compliance with regulatory requirements. And think about leveraging technology solutions. These tools can continuously assess and track risks associated with third parties, providing real-time updates and alerts. By automating these processes, you can actually enhance your ability to detect and address potential issues swiftly and efficiently. Also think about leveraging external sources. While internal screening assessments, onboarding risk assessments and continuous monitoring are very much critical to third-party due diligence, it is also important to take information from outside of the organization if you have the resources to do so. So your company could validate your third party via external data sources like credit ratings, sanctions lists and adverse media, and this could provide a complete assessment of your third-party risk that could account for political exposure risk, other private corruption risk, or now even ESG risk, since this area is increasing. But also think about maintaining a centralized repository of all your third-party information and due diligence records. Having a single organized location for your data ensures that you have quick access to critical information.
I think a lot of companies struggle with this, and vendor data is a little bit scattered. Especially if you have several onboarding channels, or different departments can onboard vendors, it can easily be lost. So think about having this centralized into one tool. And this comes together with your compliance management systems, which can help you track and actually manage any compliance activities or regulatory requirements. This will help you streamline the process of monitoring adherence, managing documentation and ensuring that all regulatory obligations are met efficiently. And instead of managing compliance tasks manually, these systems can actually automate and streamline processes, saving time and reducing errors. And then you have your regular training and awareness programs. Start by regularly training employees on TPRM policies, procedures and regulatory requirements. Ensuring that several departments are well-versed in these areas will help maintain a strong compliance culture within your organization. Regular training sessions will keep employees up to date on any changes and will reinforce the importance of adhering to compliance standards. However, be mindful that people are very tired of training, and they often see compliance and training as a burden. So, you need to find a way to have your teams, and especially senior management, view compliance not as a burden but more as a strategic asset that enables us to operate responsibly and ethically in an ever-evolving landscape. So, compliance, when it's strategically integrated into TPRM and aligns with the broader goals and objectives of the organization, would help. It ceases to be more of a checkbox exercise and transforms into a more strategic initiative that will contribute to the overall success and sustainability of your business.
So, it allows your organization to basically strike a balance between meeting legal obligations and achieving broader business objectives. It will transform compliance into an enabler rather than a hindrance to innovation and growth. So instead of your regular training programs, think about certain awareness campaigns, newsletters or webinars that serve to remind and update employees and your third parties about the latest regulatory developments and best practices, and why this is relevant to your organization. So make it a little bit more fun and make it a little bit more alive. But also ensure to train and make your third parties aware. Think about adding this into your supplier code of conduct. The supplier code of conduct sets the tone. So it is your responsibility to ensure that your suppliers understand what is expected of them. If you look at the benefits of a supplier code of conduct, by doing that you set clear expectations for suppliers in a way that they consult and engage with. So it helps protect your company's brand reputation in the event of breaches or violations. So make sure that your supplier code of conduct includes language around labor laws and reminds of environmental importance, or any other compliance risks that are relevant to your organization. It's really an opportunity to embed all risk areas that you'd like your supplier to adhere to. But also, when you perform your internal audits and assessments, ensure that you perform a gap analysis to identify and address deficiencies in your TPRM program. A thorough gap analysis will help you pinpoint areas where your current practices may fall a little bit short of regulatory expectations or international standards. Addressing these gaps will ensure that your TPRM program remains robust and aligned with the evolving regulations. And also maintain your strong communication channels.
Fostering open communication within your organization regarding TPRM compliance is key. Everyone needs to be aware of what TPRM is and why this is important to your business, because if you don't, you will never get the resources that you need. And having senior management on board is one of the most critical components of building out your TPRM program. Yeah, and some of you might be thinking, how do I do this if I don't have the budget or resources to do this? Start small and scale up. Begin with a small-scale pilot project or initiative focused on addressing specific TPRM challenges or risks. Start with manageable tasks and then gradually scale up as resources and capabilities permit. So, we're almost coming to the end of this webinar. Let's take a little bit of a moment to reflect on the critical points that we've covered regarding TPRM in the context of ongoing and new regulations. It's important to recognize that ongoing and new regulations, even those originating outside of our home jurisdiction, significantly impact our TPRM strategy. The global nature of these regulations means that we must stay on the lookout and adaptive, ensuring that our practices align with a broad spectrum of compliance requirements, and you will need to adopt a proactive, comprehensive approach. This means not just reacting to regulatory changes but anticipating them, and by doing so you can stay ahead of the curve and ensure that your TPRM framework is robust and resilient. But then also, the strategy is to implement a robust TPRM framework. It really needs to come down to your rigorous due diligence, your continuous monitoring and the ability to adapt to evolving regulations. And by having these systems in place you can create a solid foundation for managing third-party risks.
And then there's the need to foster strong relationships with your vendors. Clear communication, regular audits and a mutual understanding of compliance expectations are really crucial for success. And while the regulatory environment may be challenging and ever-changing, I think with the right strategies and tools you can successfully manage third-party risks. So thank you for your attention, and I'm now handing over to Scott to talk a little bit about Prevalent.
Scott: Awesome. Thanks, Samira. And I would like to share my screen. There we go. All right, very good. Make sure you guys can see that. Okay, awesome. Well, I just want to take a few moments and share a few thoughts about how Prevalent can help simplify the process of achieving regulatory compliance within your extended vendor and supply chain. Of course, we can't help you be compliant, but we can give you the frameworks and the tools and the capabilities to help prove that out to auditors. Look, we know a couple of things to be true from our annual third-party risk management survey to the industry. The first is that half of organizations are using spreadsheets to manage their third parties, to execute assessments and whatnot. And that means companies are reporting that they're only really managing about a third of their vendors with any level of discipline and rigor and accountability. Of course, that might equate to the ratio of tier one suppliers to non-tier one suppliers. And then third, just short of 30% of companies are looking at risk across the life cycle of that relationship, which, as we learned from Samira during the presentation, is not an ideal situation, because risks present themselves at every stage of that relationship. Look, from my perspective, what I think you probably want out of your TPRM program are three things. First, you need to get the data to make better decisions, and you can't do that with spreadsheets or disjointed tools or whatever type of manual approaches or GRC tools that might be doing half the job. Second, you have to cross enterprise departmental boundaries in order to bring teams together and knock down silos and execute on those assessments and reduce risk. And then third, provide a good foundation for scale and solid growth and change over the course of the life cycle of your program. That's our approach.
Our approach is that we look at risks and compliance uniquely at every stage of that third-party vendor or supplier relationship. On the left-hand side of that diagram, the early stages of the relationship, it's about understanding exposure to sanctions, sanctions compliance, cyber security snapshots, financial profiles, operational disruptions, ESG compliance status, so that you can make a good, well-informed decision on whether or not you want to do business with the supplier. In the middle stages of the relationship, it's continually assessing and monitoring those suppliers against cyber security problems, negative ESG findings, operational disruptions, financial problems and more. And in the latter stages, understanding the long tail of your organization's risk exposure once a contract is terminated and that vendor is offboarded. So, we deliver specific capabilities for every one of those stages in the life cycle, and we do it through a combination of three things. First is our experts, who are trained and ready to help organizations manage the entire third-party risk life cycle on your behalf if you choose to; full managed services, self-service options to help you manage compliance and third-party risk. Second, an unbelievable amount of great data in the platform that we distill down on your behalf to give you the most relevant findings to help you make decisions. And third, we house it all on a platform with workflow, reporting, compliance mapping and more. Speaking of compliance mapping, we've assembled a couple of example frameworks and regulations that are supported by specific content in the Prevalent platform and then validated by the continuous monitoring of controls. Some of those are cyber security and data privacy related, some are ESG related, some are industry-specific guidelines, a lot of that focused on financial services, of course.
But by using the Prevalent platform, you get a questionnaire for every one of these regulations, and then you have the ability to validate those controls by observing controls in the wild or validating against negative news about an ESG finding or something against an ESG reg. So that's kind of what you get with the platform. We score every risk that comes in according to what your established thresholds are, give you those risks in a heat map, a 5×5 heat map, and then you can laser in on the risks that matter most to you. And we do this by framework or regulation, so then you can look at it multiple different ways. Look, we've assembled dozens upon dozens of industry regulations, cyber security frameworks and regulations, data privacy regs, ESG regs, and we've written handbooks that follow a chapter-and-verse approach where we call out the important third-party, supply chain and vendor requirements in those regulations and then provide you a path to best practices for every one of those things. And all four of those handbooks are available on the Prevalent website. We've made a link for you there, but we will also send this out to you with the recording tomorrow. So, at any rate, that's what I wanted to share today. I'm going to pitch it back to Matt. Matt, if you want to open it up to questions. I know we have a few sitting out there.
Matt: Yes. Thank you, Samira. Well, as Scott said, now would be a good time for all of you to enter any questions you have into the Q&A box. While you do that, I'm going to put the last poll up on the screen so we can follow up on any TPRM projects you have in mind. Basically, would you like Prevalent to get in touch with you to talk about how to improve your TPRM program? Please be honest, because we really will get in touch with you. Now let's move on to the Q&A. It looks like we have a few questions here. The first is from Robert: do anti-corruption and anti-bribery laws cover public officials as well as companies?
Samira: Yes. Generally, they apply to both public officials and companies. They also target companies and their executives. Therefore, it is also illegal to offer, give or promise anything of value to public officials in exchange for favorable treatment or business advantages. Of course.
Matt: Perfect. Next question. How often, on average, do companies monitor their high-, medium- and low-risk third parties?
Samira: That really depends on your organization and on whether you take a risk-based approach to your TPRM program. And also, what are the risks you are considering? I mean, if we're talking about sanctions, companies typically screen them, that is, compare the supplier base against the sanctions list daily or even weekly. But if we're talking about monitoring the performance of your third parties, or ensuring that you have the right to audit them, or making sure they comply with certain regulations, this is usually done annually, depending on whether the risk is high, medium or low. I mean, if you're on the lower end, what we often see is that you do it less frequently than once a year, maybe every two or three years, and with medium-risk third parties annually, and your highest risk could be maybe quarterly, but it really depends on the type of third parties. It depends on your organization.
Matt: Great. I have one or two more questions for you. What is the effect of the Chevron decision in the US on ESG initiatives?
Samira: I believe it is a very old legal doctrine, from even before my time, from many, many years ago, in the 1980s, which, as I understand it, gives federal agencies the authority to reasonably interpret ambiguous laws. Basically, it allows government experts to make important decisions when laws are unclear. However, I am not familiar with the decision on ESG initiatives from the US perspective.
Matt: Sure. All right. And here comes another one. So, the right to audit is difficult to enforce and is ineffective without some level of involvement from an external provider. Could you tell us whether any external provider could use a qualified independent assessment, that is, whether there is anything on the horizon?
Samira: I'm reading the question too. Yes, I mean, many companies are using independent assessments, especially when it comes to SOC, but from the cyber security point of view, I see more attention being paid to the completeness or transparency of the data, but also to the way they handle and share the data. So there are more programs related to that, but I'm not aware of anything new coming into force next year.
Matt: All right. And the last question: how do you manage capturing and integrating an assessment of current and new cyber security risks in the supply chain?
Samira: Well, to map the supply chain, you have to identify all the external providers involved in it. Based on this, you classify these partners according to the importance of the operations and, I would say, the sensitivity of the data or systems they have access to. For example, a cloud service provider may pose a risk, while a provider that does not have access to sensitive systems may pose a low risk. So it really depends on how you measure it based on your company and the reason you use these external providers, and on whether they have access to your data or not. And I would say that, in the case of new providers, a thorough risk assessment is carried out as part of the onboarding process to understand their security posture, their history of cyber security incidents, or any industry-specific risks they might present, based on previous issues, so I would say...
Matt: Perfect, all right, thank you Samira and Scott, and thank you all for all those questions. If you want to stay up to date with TPRM, feel free to add us on LinkedIn. And finally, I hope to see some of you in your inboxes and maybe even at one of our future webinars. Take care, everyone.
Samira: Thank you, everyone.
Scott: Bye, everyone.
©2026 Mitratech, Inc. All rights reserved.