Webinar Recap: 7 Steps to Effective Reputational Due Diligence
“It takes many good deeds to build a good reputation, and only one bad one to lose it.”
That quote is from Ben Franklin and was shared by John Arvanitis, Managing Director at Kroll. He and Tony Rock, COO at Lockpath (recently acquired by NAVEX Global), presented the webinar, Seven Steps to Effective Reputational Due Diligence.
A bad deed by an organization or its third parties can tarnish the company’s reputation and hurt the bottom line. According to Arvanitis, the first two quarters of 2019 produced six corporate FCPA actions totaling approximately 1.6 billion dollars. That’s not a slap on the wrist. That means upset management, angry board members, concerned employees and irate shareholders, not to mention severe damage to the bottom line and to customer relationships.
Here are key takeaways from the webinar on performing due diligence to protect a company’s reputation.
Assess major reputational risks
A key takeaway from the webinar is the importance of assessing for reputational risk and determining the potential impact on the business.
“Reputational risk is a primary concern at the highest levels of all organizations,” Arvanitis said. “The bottom line is the bottom line.”
Another focus area is balancing data from assessments against the company’s risk profile. How much risk are you willing to take on? Apply resources such as regulatory requirements, policies and procedures, and training and education to mitigate the risks identified in assessments.
Mitigating risk can be costly, but management should be receptive to green-lighting these efforts given the risk and its potential impact.
Give third parties extra due diligence
The organization has a code of conduct that everyone must follow. Third parties follow their own rules, which may or may not align with yours.
According to Arvanitis, third parties present the highest degree of risk to global organizations operating throughout the world. That puts the onus on those responsible for identifying and prioritizing third-party risk.
Third parties not only need to meet their contract obligations, but they should also follow your company’s policies, systems and controls that pertain to them. Periodic assessments and ongoing monitoring bring to light increased risk with third parties. If due diligence reveals an unacceptable level of risk, flag the third party for review and next steps.
That’s why you need to give third parties extra due diligence.
Create a culture of compliance
A company’s reputation depends greatly on having a corporate culture of compliance. The webinar advised building the culture through steps like tone from the top, listening to the workforce, asking questions, addressing challenges and resolving issues. These all reflect a commitment to continuous improvement.
Arvanitis advocates a “speak-up” culture that builds on hotlines. Management needs to convey the message that retaliation isn’t acceptable and that nobody gets a pass.
For management’s message to get through, a culture of compliance must grow, and employees need to warmly embrace the code of conduct, all of which demands education and training. Such programs can be web-based or live in-person and held semi-annually or annually.
Third parties also benefit from training programs designed for them. It sends the message that the material covered is important to both organizations. It’s also defensible if issues with a third party arise that were addressed in training. The organization can point to the subject matter covered. It’s why many organizations make training part of the third-party agreement.
Watch the webinar for a deeper dive into these and other critical steps to effective reputational due diligence. By assessing and mitigating risk, giving third parties extra attention, and creating a corporate culture of compliance, your company can avoid the pitfalls many organizations fall into and progress toward its goals.