Monitoring, training, or toolkits?
If third-party risk is one of the most pervasive risks across companies of all shapes and sizes, how best to ensure third parties don’t do anything we don’t want them to?
This week, I spoke to several funds that have to monitor their portfolio companies (PortCos). Funds typically have more leverage over their PortCos than many of us do over our third-parties. Yet, even in this context, and despite most contracts including audit rights, the monitoring is a struggle.
In the best cases, we see some analytics (or transaction testing) on third-party financial data. For corporates, that might be analysing payments to third-parties to look for anomalies (round-dollar payments, duplicates, addresses and bank accounts cross-referenced with other third-parties and employees, a bit of Benford’s Law if we’re lucky).
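To make the transaction tests listed above concrete, here is an added example (not from the original post) that runs the round-amount, duplicate, and employee bank-account cross-reference checks over a small ledger, plus a Benford's Law first-digit comparison. The field layout, the sample records, and the `round_unit` threshold are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from math import log10

# Constructed sample ledger: (payment_id, vendor, amount, invoice_ref, bank_account)
PAYMENTS = [
    ("P1", "Acme Ltd", 1840.55, "INV-101", "ACC-111"),
    ("P2", "Acme Ltd", 1840.55, "INV-101", "ACC-111"),  # repeat of P1
    ("P3", "Borealis", 5000.00, "INV-207", "ACC-222"),  # round amount
    ("P4", "Cedar Co", 932.10, "INV-310", "ACC-900"),   # account also held by an employee
    ("P5", "Delta BV", 2617.42, "INV-415", "ACC-333"),
]
EMPLOYEE_ACCOUNTS = {"ACC-900": "employee E-17"}  # constructed payroll extract

def flag_payments(payments, employee_accounts, round_unit=1000):
    """Return {payment_id: [reasons]} for the three record-level tests."""
    flags = defaultdict(list)
    seen = {}  # (vendor, amount in cents, invoice ref) -> first payment id
    for pid, vendor, amount, ref, account in payments:
        cents = round(amount * 100)  # compare in integer cents, not floats
        if cents % (round_unit * 100) == 0:
            flags[pid].append("round-amount")
        key = (vendor, cents, ref)
        if key in seen:
            flags[pid].append(f"duplicate-of-{seen[key]}")
        else:
            seen[key] = pid
        if account in employee_accounts:
            flags[pid].append("account-shared-with-" + employee_accounts[account])
    return dict(flags)

def benford_deviation(amounts):
    """Mean absolute gap between observed leading-digit shares and Benford's Law."""
    digits = [int(f"{a:e}"[0]) for a in amounts if a > 0]  # first significant digit
    counts = Counter(digits)
    expected = {d: log10(1 + 1 / d) for d in range(1, 10)}
    return sum(abs(counts[d] / len(digits) - expected[d]) for d in range(1, 10)) / 9

if __name__ == "__main__":
    for pid, reasons in flag_payments(PAYMENTS, EMPLOYEE_ACCOUNTS).items():
        print(pid, reasons)
```

The Benford comparison only means something on a few hundred payments or more, and every flag here is a prompt for review rather than a finding.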
The improved accessibility of these tools might explain why we’re getting more confident in our fraud detection mechanisms (image below), where around one-third of us feel left behind (ineffective or nothing in place), but the rest are moving up. (Data from our Fraud Prevention Scorecard.)
If you’re in the bottom third or wondering if monitoring tools are right for you, that’s good. Some basic steps you can take quickly will help exponentially down the track.
Let’s use our dog as an example. Sasha is generally a very well-behaved pup. However, she is partial to leaping onto a kitchen top 3-4 times her height when we’re out, hoping (two successful raids) that we’ve left unguarded food out. We have one of those movement cameras (monitoring). If I catch her, I can, in theory, give stern warnings via the speaker. But by the time I get the alert, I’m invariably driving, in a meeting, or at some excruciating event (making small talk at a kid’s party). That’s monitoring – catching wrongdoing, often too late, and reacting.
Training Sasha (who is a rescue) is a better long-term play and has had better results after her early bouts of opportunistic larceny.
Same with third-parties. Best practice compliance is often alien to PortCos (usually SMEs, mid-caps, or scale-ups) just as it is for your garden variety supplier, who might pose risks from sustainability, sanctions, human rights, cyber, data privacy, fraud, money laundering, corruption, etc. Understanding these risks and the importance of compliance is the first step to mitigating them.
In a recent review meeting with a fund, where I was given feedback on performance, sharing “toolkits” with PortCos was singled out as particularly appreciated and helpful. The things I’d shared all lend themselves to monitoring and tracking – risk assessments, gifts and hospitality registers, guides on setting up a speak-up framework, investigations tracking tools, etc. For the PortCos (and the deal teams in the fund), this solves three pain points:
👉 Third-parties often don’t know where to start looking for tools to help them plug compliance gaps.
👉 It’s hard to monitor without data; we have somewhere to start if the tools gather data.
👉 You can’t help someone until you know what they’re up against; develop tools that calibrate exposure (speak-up, assessments, tracking gifts and hospitality, etc.).
This approach won’t be appropriate in all cases, of course. But could you share essential tools for critical third-parties (those you rely on to succeed and behave correctly)? Maybe a bit of training on how to use them? It’ll make the monitoring more effective and intentional.