The launch of the Focus Course: Create a TRULY Risk-Based Third-Party program has been phenomenal. The early reviews are terrific, and I couldn’t be happier. If you haven’t taken advantage of our 20% off launch pricing, the time to do so is TODAY. Use discount code “CL” at checkout to receive 20% off.

Regulators have been 100% clear - you need a risk-based third-party program. But what does that mean in practice? Do you TRULY have a risk-based third-party program? In this Focus Series Course, you’ll learn exactly how to build a risk-based program and how to refine the program you have to meet regulatory expectations, best practices, and the needs of your business. Already have a program? Fantastic - test it out to find out if it meets regulatory expectations, and find out how to strengthen it so it is truly risk-based.

Find out more HERE. You can see some of our reviews below. We can’t wait to have you.

“Risk-based approach” may be the three most over-used and least understood buzzwords in compliance in the past two years. The DOJ talked at length about using a risk-based approach to third-party due diligence and risk management in its Evaluation of Corporate Compliance Program guidance, going so far as to give examples of what they mean. And yet, nearly every client I work with has blind spots when it comes to implementing a truly risk-based due diligence program. Why? Because “risk-based” is easy to say but difficult to implement.

There are four distinct places that a risk-based approach should be implemented during your third-party due diligence process. Let’s look at each in turn.

No. 1: Scoping

The first place to apply a risk-based approach is in scoping. Scoping should result in one of two outcomes for each third-party: you’re in or you’re out. Applying a risk-based approach to scoping is critical because if every possible third-party is in-scope, your program is probably overly broad and doesn’t address the true risk to the company.

Let’s be honest, do you really need to score and review paperclip vendors? How about one-off customers or distributors selling less than $500 of your products annually? Don’t laugh, I’ve seen every one of those third-party types in scope at different companies.

Here’s my top tip for scoping: if you can’t come up with a plausible scenario where the third-party would violate the rules, the third-party type should be out of scope. This determination rests on which risk types you are reviewing in your due diligence program.

For example, let’s say that in your program, you’re reviewing third-parties solely for bribery risk, and you need to determine whether suppliers should be in-scope. Try to come up with a plausible scenario about how a supplier could bribe someone on your company’s behalf. Well, they’re not going to bribe a customer on your behalf. The only scenario in which a bribe would be made by a supplier is the attempt to bribe your employees, who should be trained to avoid this situation. After this analysis, suppliers should be kept out of scope for this third-party program.

Remove third-parties from the scope when there is little or no chance that they could create a problem for you based on the risk areas you’re reviewing.

No. 2: Initial Risk Ranking…

It’s November, which for many, means ski season is near. I love to ski, and I’m not alone. An estimated 130 million people ski and snowboard throughout the world. Skiing is great, but it can also be dangerous. Because of this, people have devised ways to lessen the likelihood of something going wrong. People wear hats to avoid frostbite, helmets to avoid brain injury, and releases so that their skis will detach from their boots if they fall. Skiers mitigate against the risk of things going wrong so they can enjoy the activity they love.

Businesses must do the same thing. The use of third-parties comes with tremendous upside. Third-party sales agents and distributors may hold the keys to new markets and dramatically increased revenue. New acquisitions may double or triple the size of a business. But these third-parties often come with risk.

Risk mitigation is part and parcel of a compliance officer’s job. Because greater than 90% of FCPA cases involve the use of a third-party, third-party risk mitigation is key to having a successful compliance program. But how is third-party risk mitigated? And how do we know if we’re doing it effectively?

In honor of this week’s launch of the Focus Series course on Creating a TRULY Risk-Based Third-Party Program (information HERE), let’s go through the ultimate mitigation toolkit. The following are ten different ways that third-party risk can be mitigated, along with a description of the activity, and an example of how they’ve been used by clients of Spark Compliance Consulting…

Regulators have been 100% clear - you need a risk-based third-party program. But what does that actually mean? And if you already have a due diligence program, how can you know if it is truly risk-based? We have the answer. In this Focus Series course, you'll learn exactly how to build a risk-based program, or to refine the one you have. You'll finally be confident that you have a truly risk-based program.

The course is built into three substantive modules with videos and downloadable tools to help you create your optimized program. This includes:

• How to choose your risk model and evaluation criteria (with huge numbers of examples)

• How to create a truly risk-based due diligence strategy, using multiple escalating levers

• How to deal consistently with red flags using the red flag matrix

• How to use the mitigation toolbox to complete your third-party risk mitigation strategy

You'll have everything you need to create or optimize your program to meet regulatory expectations and to sleep better at night! Best, for the next TEN DAYS ONLY, as a Compliance Kristy reader, you’ll get 20% off the course using Discount Code “CL” at checkout.

What are you waiting for? Let’s get started! For more information and to sign-up, click HERE!

Imagine for a moment that you’re a brand new salesperson and you’ve been tasked with selling a $200 million piece of machinery within the next sixty days. You would likely be totally overwhelmed and not know where to start. If you went to your boss for advice, you would likely get a surprising answer: “Forget about selling the machinery. Just get to the next ‘yes’.”

When launching a large initiative like an overhaul of the Code of Conduct, there can be so much to do and so many people to engage that the task can seem overwhelming. When the stakes are high for an important project, it is easy to feel crushing pressure. This is especially true when the project is highly visible at the company.

Instead of getting overwhelmed, just focus on getting to the next yes.

How this Strategy Works in Sales

Let’s go back to our sales task. When you map out the road to victory, you decide that your first job is to identify and then cold-call 30 potential customers. The next goal will be to get a spot on the prospect’s calendar to discuss the product. Thereafter, you’ll need a video conference to show the product and see if there is interest. The next job will be to get the client to request a proposal. After that, there’s contract negotiation, then the final sale.

What should you focus on? That’s right – identifying 30 potential customers and having at least one say yes to the calendar invite. The big win needs to be the next win, which is simply a calendar slot.

How to Use this Strategy in Compliance…