GRC Tuesdays – Automated Screening Will Help You Know More About the Companies You Are in Business With
In addition to traditional post-process controls, more and more organizations have to enforce proactive screening and monitoring of the organizations and people they are doing business with.
Whereas some organizations simply decide to screen their vendors against the countries ranked as most “risky” in Transparency International’s Corruption Perceptions Index, this is definitely no longer sufficient to comply with the variety of associated regulations such as Anti-Bribery and Corruption (AB&C or ABAC), Know Your Customer (KYC), Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), Modern Slavery Acts (MSA), embargoes, etc.
Indeed, behind this extensive list of regulatory initiatives and acronyms are lists of foreign or domestic Sanctioned Parties, Politically Exposed Persons, companies or people that have been associated with negative media coverage, and so on. These are the lists that companies need to screen against… Now extend this to family members, known associates and sub-holdings, for instance, and the scope that needs to be monitored increases exponentially.
Depending on the industry and geographical reach, organizations will have to comply with local, national or international lists, or a combination of all three, which makes the process even more complex.
What’s the exposure?
The implications of not complying with the legislation mentioned above are multiple: from adverse media coverage to civil and criminal penalties, or even revocation of the licence to operate, which can mean the end of a business.
Focusing on penalties, for 2019 alone the total U.S. Office of Foreign Assets Control (OFAC) Civil Penalties amounted to over 1.2bn USD for 26 settlements. This is even above the “record” years of 2014 (1.2bn USD) and 2012 (1.1bn USD).
And these figures are just from the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury that “administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, or those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States”. Companies that operate worldwide would be exposed to scrutiny from many other governments, security and law enforcement agencies.
Based on these 2019 figures, is an average settlement of close to $50m a risk exposure that your organization would favourably consider? I’m pretty sure the answer would be no.
So, what can be done?
When you look at finding a needle in a haystack, there are three options available to you:
- Manually go over every straw in the haystack => this is very effective but also very inefficient. And keep in mind that the haystacks will continue to pile up while you check the first one
- Burn each haystack and go over the ashes with a magnet => not only does this assume that the needle is made of metal (or, to put it in GRC terms, that your control is looking for the right deficiency criteria), but it also means that you basically lose your production… Yes, it is effective and efficient, but it yields a different outcome than what is really needed
- X-ray each haystack in a scanner => this will be effective since the needle will be found, efficient since it will be done automatically, and proactive since anything else that is not straw will also be detected
For third-party screening, SAP Business Integrity Screening acts as the X-ray scanner of option 3.
Once the lists of people, organizations, countries, search terms, etc. have been created or uploaded in the tool, users can start the monitoring.
Where it becomes even more interesting is that you can then apply three modes:
- Online screening, triggered when individual business processes are executed (such as a payment, for instance)
- Mass screening, for batch screening of business partners
- Delta screening, for monitoring business partners after list updates, which can be run either during the list import or on demand
Furthermore, and this is where I believe software supports the process even better than a manual check, aliases, address variations, initials and other options can also be included in the screening.
Doing this manually would be possible, of course, but it would require significant time and resources.
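To make the three modes and the fuzzy matching concrete, here is a small illustrative screening engine. It is an added example, not code from SAP Business Integrity Screening or from this blog: the list entries, partner records, abbreviation table and matching rules (token-order-independent name comparison, single-letter initials, address abbreviation expansion) are all constructed for the illustration, and a real product would use far richer matching and case management.

```python
# Toy third-party screening engine. Added illustration, not SAP product code.
# Shows the behaviours described above: matching partners against a list while
# tolerating aliases, initials and address variations, run in online, mass and
# delta mode. All list entries, partner records and abbreviations are constructed.
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed table of address variations ("Str." vs "Strasse", "Rd" vs "Road").
ADDRESS_ABBREVIATIONS = {"str": "strasse", "st": "street", "rd": "road", "ave": "avenue"}

def normalize(text):
    """Fold accents, case and punctuation: 'Müller-Schmidt, J.' -> 'muller schmidt j'."""
    decomposed = unicodedata.normalize("NFKD", text)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", " ", plain.lower())).strip()

def normalize_address(address):
    """Normalize like a name, then expand common street abbreviations."""
    return " ".join(ADDRESS_ABBREVIATIONS.get(t, t) for t in normalize(address).split())

def names_match(candidate, listed):
    """Pair every candidate token with a distinct listed token, exactly or as an initial."""
    cand, remaining = candidate.split(), listed.split()
    if len(cand) != len(remaining):
        return False
    # Token order is ignored ('Example, J. Q.' matches 'Jonathan Q. Example'); longer
    # tokens pair first so a full name claims its exact match before an initial can.
    for tok in sorted(cand, key=len, reverse=True):
        hit = next((t for t in remaining if t == tok
                    or (len(tok) == 1 and t.startswith(tok))
                    or (len(t) == 1 and tok.startswith(t))), None)
        if hit is None:
            return False
        remaining.remove(hit)
    return True

@dataclass
class ListEntry:
    entry_id: str
    name: str
    aliases: list = field(default_factory=list)
    addresses: list = field(default_factory=list)

    def name_variants(self):
        return [normalize(n) for n in [self.name, *self.aliases]]

class ScreeningEngine:
    def __init__(self, entries):
        self.entries = {e.entry_id: e for e in entries}

    def screen_partner(self, partner):
        """Return ids of list entries hit on name/alias/initials or on address."""
        pname = normalize(partner["name"])
        paddr = normalize_address(partner.get("address", ""))
        hits = []
        for entry in self.entries.values():
            if any(names_match(pname, v) for v in entry.name_variants()):
                hits.append(entry.entry_id)
            elif paddr and any(paddr == normalize_address(a) for a in entry.addresses):
                hits.append(entry.entry_id)
        return hits

    # Mode 1: online screening, triggered by a single business transaction such as a payment.
    def screen_transaction(self, txn):
        hits = self.screen_partner(txn["payee"])
        return {"txn_id": txn["txn_id"], "blocked": bool(hits), "hits": hits}

    # Mode 2: mass screening of the whole business-partner master in one batch.
    def mass_screen(self, partners):
        results = {}
        for p in partners:
            hits = self.screen_partner(p)
            if hits:
                results[p["partner_id"]] = hits
        return results

    # Mode 3: delta screening after a list import; only new or changed entries are
    # screened against every partner, then merged into the active list.
    def delta_screen(self, partners, incoming):
        changed = [e for e in incoming if self.entries.get(e.entry_id) != e]
        for e in changed:
            self.entries[e.entry_id] = e
        return ScreeningEngine(changed).mass_screen(partners)

# Constructed sample data: fictitious list entries and partner records.
SANCTIONS_LIST = [
    ListEntry("SL-001", "Jonathan Q. Example", aliases=["Example, Jonathan"],
              addresses=["12 Sample Str., Testville"]),
    ListEntry("SL-002", "Fictional Trading GmbH", aliases=["Fictional Trading"]),
]
PARTNERS = [
    {"partner_id": "P-1", "name": "Sample Holdings", "address": "12 Sample Strasse, Testville"},
    {"partner_id": "P-2", "name": "Fictional Trading GmbH", "address": ""},
    {"partner_id": "P-3", "name": "Honest Widgets Ltd", "address": "1 Clean Road, Othertown"},
]
LIST_UPDATE = [
    SANCTIONS_LIST[0],  # unchanged entry: skipped by delta screening
    ListEntry("SL-003", "Honest Widgets Limited", aliases=["Honest Widgets Ltd"]),
]

if __name__ == "__main__":
    engine = ScreeningEngine(SANCTIONS_LIST)
    print(engine.screen_transaction({"txn_id": "T-1", "payee": {"name": "Example, J. Q."}}))
    print(engine.mass_screen(PARTNERS))
    print(engine.delta_screen(PARTNERS, LIST_UPDATE))
```

Two design points worth noting: P-1 is hit on address alone even though its name shares nothing with the listed party, which is exactly the case a name-only manual check misses; and delta screening re-screens the whole partner master only against the entries that actually changed, which is what keeps monitoring after a list update affordable.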
Want to discuss this further?
My colleague Michael Hecker from the GRC Centre of Excellence for EMEA North and I will be including a presentation of this solution in one of the pre-conference workshops of the SAP Conference on Internal Controls, Compliance and Risk Management, which will take place in just over a month, on the 3rd and 4th of March in Copenhagen.
I look forward to meeting you there or reading your thoughts and comments either on this blog or on Twitter @TFrenehard