Part 8 in the “Controls and Risk Management” series
In addition to traditional post-process controls, more and more organizations have to enforce proactive screening and monitoring of the organizations and people they are doing business with.
Whereas some organizations simply decide to screen their vendors against the countries ranked as most “risky” in Transparency International’s Corruption Perceptions Index, this is definitely no longer sufficient to comply with the variety of associated regulations such as Anti-Bribery and Corruption (AB&C or ABAC), Know Your Customer (KYC), Anti-Money Laundering (AML), Counter-Terrorism Financing (CTF), Modern Slavery Acts (MSA), embargoes, etc.
Indeed, behind this extensive list of regulatory initiatives and acronyms are lists of foreign or domestic sanctioned parties, politically exposed persons, companies or people that have been associated with negative media coverage, and so on. These are the lists that companies need to screen against. Now, extend this to family members, known associates, and sub-holdings, for instance, and the scope that needs to be monitored increases exponentially.
Depending on the industry and geographical reach, organizations have to comply with local, national, and international lists, or a combination of all three, thereby making the process even more complex.
What’s the exposure?
Implications of not complying with the legislation mentioned above are multiple: from adverse media coverage to civil and criminal penalties or even revocation of a license to operate that can signify the end of a business.
Focusing on penalties, just for 2019, the total U.S. Office of Foreign Assets Control (OFAC) Civil Penalties amounted to over US$1.2 billion for 26 settlements. This is even above the “record” years of 2014 ($1.2 billion) and 2012 ($1.1 billion).
And these figures are just from the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury that:
“administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, or those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy, or economy of the United States.”
Companies that operate worldwide would be exposed to scrutiny from many other governments, security, and law enforcement agencies.
Based on these 2019 figures, is an average settlement of close to $50 million a risk exposure that your organization would favorably consider? I’m pretty sure the answer would be no.
What can be done?
When you look at finding a needle in a haystack, there are three options available to you:
- Manually go over every straw in the haystack: This is very effective, but also very inefficient. And keep in mind that the haystacks will continue to pile up while you check the first one.
- Burn each haystack and go over the ashes with a magnet: Not only does this assume that the needle is made of metal (or, to put it in GRC terms, that your control is looking for the right deficiency criteria), but it also means that you basically lose your production. Yes, it is effective and efficient, but it yields a different outcome than what is really needed.
- X-ray each haystack in a scanner: This is effective, since the needle will be found, and it is also efficient, since the scan is done automatically. Finally, it is proactive, since anything that is not “straw” will be detected as well.
For third-party screening, SAP Business Integrity Screening acts as the X-ray scanner for Option 3:
Once the lists of people, organizations, countries, search terms, etc. have been created or uploaded in the tool, users can start the monitoring.
Where it becomes even more interesting is that you can then apply three modes:
- Online screening that is triggered when individual business processes are executed (such as a payment, for instance)
- Mass screening for batch screening of business partners
- Delta screening for monitoring of business partners after list updates that can be run either during the list import or on-demand
Furthermore (and this is where I believe software supports the process even better than a manual check), aliases, address variations, initials, and more options can also be included for the screening.
Doing this manually would be possible, of course, but would require significant time and resources.
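To make the three modes and the alias/initials handling concrete, here is a small added illustration in Python (example code written for this article, not part of SAP Business Integrity Screening or its API). It assumes a constructed watchlist of entity ids with aliases, a second version of that list after an update, and a handful of constructed business partners; the matching rules (accent and case folding, punctuation stripping, fusing runs of initials, and accepting an initial in place of a full token) are simplified stand-ins for what a commercial screening engine does.

```python
import re
import unicodedata

# Constructed sample watchlist (not a real sanctions list): entity id -> known aliases.
WATCHLIST_V1 = {
    "ENT-001": ["Acme Trading Co.", "A.C.M.E. Trading"],
    "ENT-002": ["Jonathan Q. Example", "J. Q. Example"],
}
# Same list after an update that adds one entity; drives the delta screening below.
WATCHLIST_V2 = {**WATCHLIST_V1, "ENT-003": ["Zeta Logistics GmbH"]}
PARTNERS = ["ACME Trading Co", "J Q Example", "Zeta Logistics GmbH", "Northwind Traders"]

def tokens(name):
    """Fold accents and case, strip punctuation: 'J. Q. Example' -> ['j', 'q', 'example']."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode().lower()
    return re.sub(r"[^a-z0-9]+", " ", s).split()

def variants(name):
    """Token forms to compare: as written, and with runs of initials fused ('a c m e' -> 'acme')."""
    raw, fused, run = tokens(name), [], ""
    for t in raw + [""]:  # the empty sentinel flushes a trailing run of initials
        if len(t) == 1:
            run += t
            continue
        if run:
            fused.append(run)
            run = ""
        if t:
            fused.append(t)
    return {tuple(raw), tuple(fused)}

def tokens_match(a, b):
    """Same token count, each position equal or one side being the other's initial."""
    return bool(a) and len(a) == len(b) and all(
        x == y or (len(x) == 1 and y[0] == x) or (len(y) == 1 and x[0] == y)
        for x, y in zip(a, b))

def screen_one(partner, watchlist):
    """Online screening of one business partner: the set of matching entity ids."""
    pv = variants(partner)
    return {eid for eid, aliases in watchlist.items()
            if any(tokens_match(p, a) for alias in aliases for a in variants(alias) for p in pv)}

def screen_mass(partners, watchlist):
    """Mass screening: every partner against the whole list."""
    return {p: screen_one(p, watchlist) for p in partners}

def screen_delta(partners, old_list, new_list):
    """Delta screening after a list update: only partners that gained a hit."""
    old, new = screen_mass(partners, old_list), screen_mass(partners, new_list)
    return {p: new[p] - old[p] for p in partners if new[p] - old[p]}
```

Running `screen_delta(PARTNERS, WATCHLIST_V1, WATCHLIST_V2)` reports only the partner that became a hit because of the list update, which is exactly the case a nightly re-screen of the whole partner base would otherwise bury among already-known results.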
Along with my colleague Michael Hecker from GRC Centre of Excellence for EMEA North, I am including a presentation of this solution in one of the pre-conference workshops of the SAP Conference on Internal Controls, Compliance and Risk Management taking place this week in Copenhagen. I look forward to reading your thoughts and comments on Twitter @TFrenehard.
This article originally appeared on SAP Community and is republished by permission