Our client is one of the world’s largest manufacturers of generic drugs, specializing in generic, proprietary and active pharmaceutical ingredients. Rapid expansionary growth through multiple mergers and acquisitions has cemented the company’s stronghold within the industry. However, the unforeseen consequence of that positive growth is an equal yet opposite amount of assumed global risk exposure via third-party intermediaries. A ripple effect of the risk of potential corruption and bribery activities of third parties can affect the original company. While navigating this environment is a regulatory obligation, a comprehensive centralized compliance environment has many benefits, including supporting growth initiatives, protecting daily operations and safeguarding the company’s reputation.
Our client requested global risk management support in the identification, migration effort and risk scoring of all in-scope third parties. Our starting point was a series of raw data extracts that were untidy, incomplete, in need of translation and delivered piecemeal from a centralized data warehouse. Our end goal would be a fortified compliance program that effectively manages third-party intermediaries through a bolstered risk monitoring system with empowered global compliance officers.
The workload was partitioned into four global regions, with North America serving as the pilot region. After an initial client expectations meeting, the Grant Thornton LLP team assembled, consisting of a Project Management Office (PMO), and the Business Consulting group to handle day-to-day responsibilities, and the Forensic and Valuation Services team for their risk knowhow. Through collaborative efforts between the three teams and global coordination with the client’s compliance personnel and external legal counsel, we collectively established the appropriate framework necessary to achieve a successful outcome.
WHAT THE TEAM DID
Our team kicked off the data collection effort with North America, composed only of Canada and the United States. The idea was that our team could use this smaller population as a testing ground and come out with various workflow efficiencies to transpose onto the larger, more intricate regions. Other advantages gained from starting with a smaller pilot population were: (i) it allowed our team ample adjustment time to learn and familiarize ourselves with the client’s third-party risk tool, making adjustments in customization when appropriate; (ii) we could experiment with different methods of sharing workloads and progress tracking to find the most efficient approach; and (iii) our team was able to develop an idea of approximate duration so we could forecast the remaining regions accordingly.
Discovering these efficiencies earlier helped our team enormously, but it didn’t prepare us for everything. Remaining regions would have their own unique challenges, including (i) coordination with local teams to acquire missing information that was sometimes met with resistance, (ii) lags due to translation services or backlogs with the client’s external risk tool, and (iii) picking up and reconciling our findings against previous third-party identification efforts that were partially completed. While these proved to be hurdles along our path, none of them were roadblocks to the over 30,000 third parties we screened, thanks to the strong framework that was established early on.
The risk scoring component launched concurrently with our data migration efforts. As we integrated data into the client’s risk tool region by region, the risk scoring and investigative due diligence would launch shortly thereafter. Lower-risk third parties went through multiple watchdog list checks, while higher-risk third parties received full detailed investigation reports. Our team fielded these reports as they were completed, dispositioning false positives and escalating especially high-risk instances to the local compliance teams.
The culmination of this engagement generated enormous value for our client. It assisted in the client’s cost-saving initiative by consolidating their vendor base through the risk screening process. Investigative reports were run on a significant portion of third-party intermediaries whose relationships with our client were worth more than $1 billion, which exposed our client to a great deal of potential risk. This exposure was mitigated by identifying medium- to high-risk third parties and implementing remediation steps to extenuate risk moving forward. Lastly, the risk management program is now a part of the client’s business processes, and the risk screen function can be used for all future interactions with third-party intermediaries. While it is not a preventive measure, it does substantially lower our client’s liability exposure.