Aligning Vendor Risk Management to US Department of Justice Expectations

Jay Fitzhugh

In June 2020, the US Department of Justice Criminal Division (DOJ) released an updated version of its “Evaluation of Corporate Compliance Programs” guidance. Our (and maybe your) first reaction on hearing of it was likely, “What does the US DOJ have to do with Vendor Management and my organization?”

As it turns out, maybe a lot. The document exists to help prosecutors apply the “Principles of Federal Prosecution of Business Organizations.” In it, the DOJ sets out how prosecutors are to judge the adequacy and effectiveness of a corporate compliance program; when criminal misconduct is found and prosecuted, the effectiveness of that program is a factor in charging decisions, in the terms of any resolution, and in “the appropriate organizational criminal fine.”

Stay with me here. Corporate Compliance will be evaluated for effectiveness in the event of criminal misconduct. Again, how does this affect my Vendor Risk Management program? Right within the document, in section E, Third Party Management, prosecutors are told to assess whether the company (which we read as any organization subject to US law, including financial institutions already overseen by a gauntlet of regulators) has “an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

Furthermore, prosecutors are instructed to analyze “whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region.”

Prosecutors should also consider whether the company is “engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.”

As the DOJ summarizes it, “a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to ‘detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.’”

By now you have likely realized there is a new Vendor Risk Management sheriff in town.

Thank goodness for vendor risk management solutions…

If you use a best-in-class Vendor Risk Management solution like Mitratech VendorInsight, you will recognize that this guidance has implications for a number of the capabilities already in the product for evaluating vendor risk and performance. If you are not using a VRM solution, may we humbly suggest you put one high on your to-do list?

In VendorInsight’s case, almost all of the risk and assessment requirements are met out of the box when the system is installed. There are, however, specifics we think it prudent to consider: updates to the Vendor Relationship and Inherent Risk Assessment, assignment of additional vendor Due Diligence documentation, updates to the Residual Risk Evaluation, the addition of Compliance as a subject-matter expert in the review workflow, and so on. A more specific set of recommended updates is planned for distribution to VendorInsight clients in the near future.

Whatever you do, do not forget to update your board-approved policy statement to reflect the new DOJ expectations and to recognize the DOJ as an oversight body whose guidance the program is designed to meet.

These updates are built around the new guidance and should give you and your Compliance colleagues air cover in the unfortunate and unlikely event that vendor misconduct is traced back to Vendor Risk Management by DOJ prosecutors (not, mind you, by auditors or regulators).

As always, as we review the DOJ guidance with our clients and help them build and deploy these and other ideas, we will share our continuing thoughts and best practices with the VendorInsight community in the months ahead.
