Transcript for Top 10 – 3rd-Party Risk Nightmares with Kristy Grant-Hart
Nick Gallo: Hello, everybody. Welcome to the “ComplianceLine” Third-Party Risk Nightmares webinar with our indomitable Kristy Grant-Hart. We’re gonna let…people are just kind of loading in now, so we’re gonna give them a couple of minutes here. But while we’re doing that, I’ll kind of start touching on the logistics. So, today we’re gonna be talking about third-party risk, how to take a real risk-based approach to this topic, which a lot of us, you know, have to deal with on a day-to-day and quarter to quarter basis. So, like last time, we want this to be a very collaborative, we want this to be really kind of a conversation, so the more questions you can feed us, the more we can incorporate into our discussion, and we can cover those things as we go.
Just like last time, we’re gonna be doing one of our famous book giveaways, and we’re giving this one away. We’ve had so much demand for this book, we had to buy a whole another pallet of them, so we’ll be giving out a bunch of them out more. And so everybody who attends, they get an entry. If you participate in the chat and you ask a question, you get another three entries, and then we’ll be sending around some emails afterwards to get your input on some stuff, and if you respond to that, you can get another three. So there’s some great opportunities to increase your odds of getting one of these books, which is a phenomenal book. I mean, I’ve learned so much from this book. Kristy is obviously a master in this game, a wealth of knowledge and insight, so please, let’s use this as an opportunity to get your questions answered and have a really lively discussion.
So, yeah, we’ll be, like I said, we’ll be sending around a little, you know, email afterward to see if you want the slides and you want the replay and stuff like that. And with that, why don’t we jump in. Next slide, please. There we go. Thank you. So I’m here with Kristy Grant Hart. If you don’t know her, please get familiar. She’s the CEO of Spark Compliance Consulting, and Kristy has a really unique background, and, you know, the credit…you know, she just has a ton of credibility in this game. She was an international compliance officer for United International Pictures, and she was a professor, and she’s written several books, and she currently is the CEO of Spark Compliance Consulting. And, Kristy, thank you so much… Oh, first of all, I’m usually not dressed as a cowboy, obviously. We’re on spirit week, and so I am dressing up as my favorite decade. This is decades day, and I’m dressing up as my favorite decade, the 1880s.
Kristy Grant-Hart: Yes. And we put up a pumpkin in my office, the light-up pumpkin, and I’m wearing the blood-red just to try to, like, at least be themed. I figured this would be a little strange if I had, you know, a spider face or something for a replay later, but we’re going with the theme.
Nick: Yeah. We’re going with the theme, we’re diving in, we’re making this super festive. So, yeah, and thank you, Kristy, for, you know, sharing your time with us today. I know you just wrapped up that course. Tell us a little bit about that course you guys just did.
Kristy: We are finishing this theme, which is how to create a truly risk-based third-party program. It came out today, and I’m really excited about it, and that really was the impetus to have this discussion about how people, you know, the nightmares that people face, and some of them not of their own making. So this is what the nightmare is and how to fix it.
Nick: Yeah. You were talking a little bit about some of those tools that are going along with the course, are there any of those that you’d wanna maybe perhaps share with some of the folks in the audience that we can send everyone after?
Kristy: Everybody in the audience can get our mitigation toolkit, which is completely free, and we’ll send it out with you guys. It’s 10 different ways to mitigate risk, manage your red flags, manage your third parties, gives you examples of how to do it, so we’ll make sure that everybody gets that as well.
Nick: Awesome. That’s very generous. Thank you so much. Okay. Well, with that, let’s just kind of jump into a little introduction of what this course is. I mean, I kind of framed it out a little bit on the front end. But, you know, you spend a lot of time consulting with large organizations, really, across the board in terms of the kind of risk landscape that they’re trying to navigate, so how would you kind of summarize what we’re gonna be talking about today?
Kristy: So we’re gonna be talking about the 10 biggest nightmares so… I mean, currently, even right now, I’m doing five different third-party program implementations, and over the years that I have done this, I have seen things go horribly wrong, and there are themes about what can go horribly wrong. So I think that when you are equipped to know what to look out for, what to do about it, that it can make your program better, and so many programs can benefit from recognizing those places and saying, “Oh, my gosh, you know, this isn’t just me. This is a problem for a lot of people. What do we do about it?”
So let’s go to our first nightmare, which is having no mandate. And what I mean by that is that the board or the C-suite, nobody is really behind it. And it’s a nightmare because the compliance can’t recant manage this by themselves. And one of the things that we see is compliance being delegated and saying, “Hey, by the way, can you do this third-party program?” Nobody is going to listen to you if there isn’t a mandate from on high. And so that support comes from beginning to end, it will be one of our themes, that without it, you’re done, and it’s really, really frustrating to be told to do something without the genuine support of that management and that board.
Nick: So that’s it… I mean, this one seems like a really obvious one, right? Like, you need to have some teeth to get something like this done. It’s probably not intentional, you know. I doubt a sort of a board or leadership is saying, “Hey. I wanna sort of tie these people’s hands, let them kind of figure this out.” But where do you think the slippage comes? Like, are the people who have to push this forward not getting the backing that they’re supposed to get, and they should be raising their hand and asking for it? Is the onus on the leadership to get it? Like, this seems like a really big one, but it’s also very basic.
Kristy: The thing is, I think a lot of boards and CEOs and things don’t understand the importance of it. So if you haven’t framed it by the fact that 90% of FCPA cases come out of third-party interaction, or if you can’t explain it. This morning, “The Wall Street Journal” was reporting on yet another, I think it’s the Jim Beam settlement, where it was, yet again, this third-party distributor, third-party joint ventures. If you aren’t paying attention to that, and why would the board really be watching that, then it’s really not clear sometimes just how critical this mandate piece is. So sometimes I think they see it on, you know, the dashboard and say, “Yup. We need a third-party program, go do that.” But “go do that” is not the same as “we really believe in this, we need to have it done, we understand its importance.” It’s just not the same thing. So having a kind of “yes, we should do some security, and we should do some privacy, and let’s do some third party.” If there isn’t a really strong desire, it’s too disruptive. Because third-party programs are disruptive in a way that other things just aren’t, and they slow down business in the way that other things just don’t. And so that’s why that mandate is so critical because you need the support to say, “Yup. This is a pain, and we’re gonna do it anyway.”
Nick: So, for somebody who’s lacking that mandate or lacking that support, what’s the strategy there? Is it an education? Is it saying, “Hey, guys, I really need your backing on this because this is a massive risk area, and it’s coming up the system if I don’t have, you know, your wind in my sails”?
Kristy: Yeah. I mean, I think that it is an education, and I think that the best thing you can do is to essentially, this is Halloween, use fear, right? Bring in stories of companies very similar to yourself, anywhere you can do it: similar size, similar locations, similar geography, similar market share, whatever it is, to say, “This can happen to us, and this is gonna prevent it,” and then bring in the mitigation, right? “If we’ve got this thing in place, we may be able to get out of these fines, and we may be able to get out of this problem.” Start there. And if you can do the education, it makes such a huge difference.
The other thing you can do, and I’ve done this before, is to look at the makeup of your board, at the non-executive directors, see if there’s anybody on it that has been associated with a nightmare. One of the companies that I was working with that really couldn’t get mandated, and it was one of the first times I had seen it happen, I looked at one…one of their board members had been at GSK, GlaxoSmithKline, and one had been at BAE Systems, both of which had had nightmares, and I appealed to them and asked them direct questions about, “What was your experience in this?” You know? And so when that happens, it allows the other people to really see that this can happen to them, and you’re leveraging not just your conversation, but their experience.
Nick: Yeah. And then that pushes some of the credibility on the rhetorical path to the answer you want to that side. Do you know what I’m saying? So I love…this is a great example of why I love doing webinars with you because we talk about concepts, but we also bring it down to earth and provide some actionable stuff for folks to change their reality. So I love how strategic that was, to take that next kind of, you know, double-click on the board and see who’s experienced some stuff like this, you could pluck those kinds of memory strings in your conversation. That’s phenomenal. Let’s go to the next one, which is a little bit related.
Kristy: Yeah. It’s very much related. No communications. So congratulations, you’ve got support, everybody loves it, no one told anybody in the business that they loved it and supported it. The very best thing you can ever do is have the business introduce this thing to themselves, right? If your CEO, if your board member, if your highest levels of management or middle management can be the people who start this conversation, it is better, regardless. Particularly when you have really challenging third-parties, you need to know that you can call whomever it is and that they are going to get on the line for you. So one of the nightmares is when you don’t have any communication about mandate. So if you are lacking one and two, I mean, you might wanna think about getting a new job legitimately because you’re gonna be pushing rocks up hills for the rest of time.
So what do you do with that? You ask for that communication. You write the email and ask them to send it. You create a tool kit with a one-minute, you know… And you also use good stories. Like, for me, I mean, anybody who’s read my stuff knows that everything comes back to storytelling because human beings process facts on the left side of their brain, and they process stories on their right, and the right is like Halloween movies, right? We get scared when we watch scary movies, we know nobody is coming out of the closet in real life to stab us, but that still affects us. We feel that. And so the more that you can tell great stories, people are more engaged, the more that you can use those communication tools to help people to communicate about why it’s important. If you can make it better for them or fun for them or interesting for them, that’s the very best way to get to actually, you know, flip the dial a little bit.
Nick: Yeah. And I like what you said, like, write the email for them, right? Like, make it easy for them to give you what you need, make it easy for them to help you and by doing things like that and saying, “Hey, listen, I know I have your backing, everybody else doesn’t seem to know it, is there a way that we can push this out through departments and have these department folks send it out and incorporate the why and talk about a little bit of story so people can understand the risks that we’re trying to mitigate here?” That just seems to be a great kind of tip to kind of get the train moving forward a little bit.
Kristy: Can I tell you one other thing about that? I love what you just said about telling them that they believe in it or thanking them for their support. There is some great psychology around people living up to the expectations that you set for them, and it’s one of my favorites, like, psychology techniques is to tell people that they support the program to thank them for being so great with it because they are more likely to do it when you’ve already set the expectation that they will.
Nick: Yeah. And they may not remember that they voiced their… And, you know, you don’t remember…
Kristy: They may…
Kristy: …not actually feel that way. It’s one of the best ways to get them to do it anyway.
Nick: Correct. Correct. And then, again, it’s just about knocking down these impediments to get the information flow to the people whose behaviors you need in order to achieve your goal, you know?
Kristy: Yeah. Absolutely.
Nick: We had a good comment here from someone that said, “I started using real-world scary stories in my new employee orientation,” and we use that same thing, both on the good and the bad, to, kind of, to your point, like, nobody wants to just read a bunch of regulation or a bunch of rules or whatever. Putting it into context brings this concept off the page into the real world, and it gives them something to kind of do something with. So let’s jump to the next one, which is probably my favorite, and by favorite, I mean the one I hate the most.
Kristy: This is…it’s such a nightmare. People think everything should be in scope, right? Because compliance officers, part of our job is to be a bit risk-averse, and so we wanna do everything all at once. We want suppliers and customers and all of our agents and all of our distributors and all of our resellers and all of our all of our all of our…and we ended up with a program so broadly scoped that we can’t manage it or the business gets so freaking tired of us because we can’t get to the red flags to clear them, we can’t even look at the ones that are false positives. The overly largely scoped programs are a nightmare, and I think that it comes from being overly ambitious not thinking about how much time these things take, especially if you have a new program, you don’t realize just how long it takes to clear some of these red flags. So, you know, starting small is better, paring down is rational. The DOJ guidance is very clear that you need to take a risk-based approach, which, of course, is the theme. Risk-based can also apply to scoping, and a lot of times, it just doesn’t seem to. You can scope with exclusions. You can scope with thresholds. You can scope all kinds of different ways. But horrible scoping will create a giant nightmare for you.
Nick: What do you think that that is rooted in? I mean, you said ambition, absolutely, that could be part of it, but that’s… Like, what’s behind that ambition? Why does this thing, which ultimately kind of determines the amount of work, essentially, that could potentially come out of this process, why does this not get the right attention or why…? Like, what is the root of the wrong frame or the wrong lens that people are looking at this process through?
Kristy: I think that, obviously, there’s a fear of getting it wrong, right? They don’t wanna lose a third-party that suddenly creates a nightmare for them, and they say, “Well, why didn’t you put that one through?” And it does tend to be, “Why didn’t you?” When something goes wrong to compliance. So I think that that’s the criticality of this, is that you don’t wanna get it wrong, but that, actually, applying a risk-based approach is scary because you feel like if it goes wrong, that it is your fault and that you should have known better and you should have worked harder somehow. But there’s only so many hours in a day and really taking a risk-based approach to this is one of the best things you can do for your sanity and also for your business so that only the really higher-risk third parties are getting the kind of attention they need.
Nick: So let’s pause here. Like, explain it to me like I’m five, what do you mean by risk-based approach?
Kristy: Like you’re five? Okay. I’m trying. Like a…
Nick: Like I’m 15…
Kristy: I think you’ve been talking…
Nick: …maybe then.
Kristy: …to my dog. So it’s Halloween, right? So we have several killers, and they’re all very frightening, one of them has a gigantic cache of weapons, and the other one has a pen, who is higher risk to you, right?
Nick: Got it.
Kristy: Who would you wanna take?
Nick: Wow. That was actually phenomenal. That may have been like I was four. That was good.
Kristy: So you wanna pay a lot more attention to the person with the weapons arsenal than the one with the pen, right? So that’s a risk-based approach. You start with the ones that are the scariest. And maybe somebody just has stickers and not even a pen, you can ignore the one with the stickers. You can, you know… But pay attention to the one who’s actually gonna do you the most harm.
Nick: Yeah. But…so kind of, to your point, the lack of a risk-based approach create, you know, applies the same sort of defense, so to speak, to every threat, whether they have stickers or a bunch of machetes or something?
Kristy: Exactly. Exactly. Yeah.
Nick: Out of all of the 10, where does this kind of rank, do you feel?
Kristy: I feel like… Well, there’s a couple of them that I find are pretty awful. They’re all awful. Horrible scoping is…
Nick: Yeah. I agree. Yeah.
Kristy: …is the one that dooms your programs from the beginning, because if you get it wrong, then everyone gets sick of trying to deal with it, and you get sick of trying to deal with it, and it becomes its own nightmare, and then you try to pare it back, and people say, “Wait. Hold on. What about the risk of this or that and…?” Now you’re taking it back. It’s hard if you get it wrong in the beginning. It’s not impossible. You can fix it, especially if you say…if you didn’t…got this wrong you say to the business, “Listen, I think that we’re gonna go ahead and reframe. It’s a new day, and we’re gonna make this easier on you,” right? Like, “just that easier on you,” is my favorite phrase so that if you have gotten it wrong in the beginning you say, “We’re gonna make this easier on you. We’re gonna go ahead and take a different approach.” And I would go that way if you have to re-scope.
Nick: I know we’ll be getting into this a little bit later, but with respect to scoping, what are some, like, high-level kind of approaches, kind of putting high, medium, and low buckets or different jurisdictions? Like, how would you..? What are some little steps that somebody who’s maybe taking more of like a binary risk elimination approach, which is this massive scope, which is look under every single rock for the worm? You know, how do we get them to take a little bit of a step toward this thing? What’s something that they can kind of apply on their next cycle of this process?
Kristy: So I think that one of the best things that you can do when you’re scoping is to say, “All right, how closely does this third party represent us, with our customers, with our consumers, associate them with us? That’s one huge part of risk. And the second is, what kind of cases have happened with this type of third party?
One of the challenges that I give when I am working with companies to scope is I say to them, “Explain to me, if it’s a bribery, an anti-bribery or a third-party due diligence program, which most of them are, tell me how this bribe would happen?” And you would not believe the numbers of times people say, “I don’t…I don’t know,” you know? Or, like, you’re gonna tell me that…what’s the supplier doing that’s gonna…? What’s the bribe with the supplier, or particularly to a government official, how does that work? It doesn’t. So that’s one of the challenges I throw people. It’s just, “Tell me how this can be a bride. Show me a case, any experience that someone has had where this bribe happens.” If it doesn’t, eliminate it. Get it out because it feels better to have everybody, but it’s not good for you.
Nick: And I’ll just throw this out there that, like, this is not necessarily a compliance or a risk thing. This is just a general kind of rule of thumb or heuristic. Like, anytime you’re trying something new, or you’re doing something that you haven’t done before, apply the pie rule. So whatever, you know… You think this is gonna take you two hours, multiply that by Pi, multiply it by, you know, three. It’s probably gonna be six, that’s probably a higher confidence interval that you’re gonna get it done in that time and then over time, as you iterate whatever thing we’re talking about, you’ll be able to dial that into that hour or that two hours, whatever a better estimate is. But I love this one, and I love, you know, some of the anecdotes that you’ve shared around this scoping, because, to your point, you kind of lose the race right at the starting block if it’s not scoped right. All right. Let’s jump to four, please.
Nick: It’s a big one.
Kristy: …if you, and this is a nightmare, if you don’t have the ability to terminate a contract or suspend a third party, you don’t have a program, you have a voluntary exercise. I’ve seen this so many times. Oh, my gosh. Like, you actually get the, like, burning on fire third party, and you’re like, “No, we can’t use them.” And they’re like, “What are you talking about…?” I recently was dealing with a client, and they had, they were in Africa, and there was only one supplier during the pandemic that could give them what they needed, and they were a hot mess. And, you know, “What do we do with that? Like, do we stop our production?” That’s where your mitigation tool kit comes in because you’re desperately trying to fix it. But if you don’t have the back…and this comes from mandate and communication to the mandate, if you don’t have the backing to say, “No, we are terminating this contract. We are suspending this contract. I don’t care what this third party does for us, I don’t care that there’s been a 25-year legacy relationship.” We have to have teeth. If it doesn’t have teeth like a scary monster, it’s not real. And you ultimately are just asking people to participate, and it’s not good enough.
Nick: So you deal with clients who are probably…and, you know, this is probably a spectrum, right? Termination, suspension, nothing, right? It’s some kind of gradation, how do you find folks, or what do you tell folks who need to get more authority or more teeth or claws or whatever you wanna call? I’m trying to incorporate more scary things to this. Do you understand?
Kristy: I think…
Nick: How do you…?
Nick: …get them to get that?
Kristy: Well, you start with… And hopefully, you have some sort of escalation committee, right? So when you disagree with the business that there is a place to go, ultimately, it is the board’s responsibility, and if you have a big enough problem, then you need to take that to the audit and risk committee and say, “You guys can bless this, so I’m gonna put it in writing that you said it was okay.” But, you know, you really need to be confident in your ability to escalate because if you don’t have it, again, there is no third-party program without the actual ability to terminate or suspend. And one of the questions in the DOJ guidance is, how many parties have been suspended or terminated or not allowed to be in your program because they didn’t pass your due diligence? And if the answer is none, you should probably rethink that.
Nick: Yeah. Yeah. Because, I mean, it’s just…it’s kind of an odds game at some level. Like, the odds that everybody you touch is just freaking perfect and not messing anything up is pretty low, right?
Kristy: Yup. Yup. Yeah. You need to work with the business to try to get mitigation in place, right? You wanna figure out whether you can do the e-learning and the heavy-duty contract terms, can we do an audit, can we actually have termination rights? There are a number of mitigations that you can apply, and that is always recommended. But if you can’t say no, then it’s really not a good program.
Nick: Yeah. It’s like, what’s the point? It’s like, I don’t know, it’s like a helmet when you go skydiving or something. Here’s a good question, so can the mandate empower the compliance officer to terminate at the beginning? And if so, how do you recommend going about doing that?
Kristy: Well, I…
Nick: I think they mean at the beginning of the contract or something?
Kristy: Yeah. Or before their… I mean, yeah. Yeah. There has to… Frankly, I think that’s the best… The best time is…to not take on a third party in the beginning, it’s a nightmare, right? When you get those 25-year legacy relationships, and I have seen it. Like, when a new program comes in, and they’ve been working together 25 years, and no one even wants to send the due diligence questionnaire, they do the adverse media. It’s horrible. That is a much worse situation than at the beginning saying, “This just isn’t possible. You know, business, help me find somebody else, let’s look for a different provider, can we scope this differently in terms of the tender to try to get somebody in another location? Can we use somebody already on our vendor list?” You know, work with them to try to fix it, but try to get it at the beginning, man. Absolutely.
Nick: Yeah. Yeah. Kind of that ounce of prevention is worth a pound of cure is definitely the case here. So thank you for that. Let’s jump to number five, you know, another good one here. So this one is, no obligation to participate, and again, it’s a little bit related to the last one because it kind of introduces this element of like voluntary participation.
Kristy: Yeah. So, sometimes I have seen, particularly in the pilot phase or early due diligence programs, that they say, “Okay. Well, we’re gonna just do a few of these. If this isn’t a really important contract, we’re gonna go ahead and like… We’ll do it later,” right? Or, “We’ll start the contract, and then, eventually, we’ll do the due diligence.” You have to have people obligated to participate. The most mature programs have APIs that work between their third-party due diligence platform and payments, so there has to be some sort of approval before they can start to…
Nick: Are paid.
Kristy: …be paid or before the contract is there. But, look, that is a big ask, and I gotta tell you, the huge multinationals we work with don’t have anything like that, particularly if they’ve grown through acquisition, so there’s not a single payment system in all these countries. There needs to be an obligation to participate, and your internal audit should be checking that this is happening because one of the blind spots I see is that people assume that it’s working. They’ve put out the information, someone’s on the training. You need to check this stuff, right? So when internal… One of the things that I try to do is when internal audit is going to a country, I want them to look and see what the third party situation is. Can they identify third parties that haven’t been put through, that should have been put through? Can they double-check that the right contract terms were in place? If you have an escalation break like clearing criteria, were those things actually completed the way that they said they were supposed to? There’s a whole series of things. But if there’s not an obligation to participate and no one’s checking, it’s really difficult to make your program work.
Nick: And when you’re talking about obligation to participate, are you talking about departments inside the organization, or are you talking about third parties or kind of both?
Kristy: Both. But, you know, I hadn’t actually thought of the second one. It’s the business themselves that can just get things through and avoid the whole issue. I mean, some…and in a lot of companies, the business people can draw up their own POs, and if there is no check for that, how are you gonna know? The other thing is people assume that once they’ve done the training once four years ago, that people still know which types of third parties should go through. It’s just human nature, really. If you don’t have it in front of you, if you don’t see it and there’s no checks, you’re never gonna do it. And, yeah, the third party participation, good call. “Oh, they’re just too busy. It’s not good in our country. That seems to be invasive for them, they don’t want to…” I don’t care. That’s no obligation to participate, right? Like, “Oh, we’re not gonna do any of our legacy third parties.” Go ahead.
Nick: Yeah. And, you know, the foundation of this entire training, which is, or this entire webinar, which is similar to the one on the last, is that, like, we’re not just doing things to do them, we’re doing them for effectiveness sake. And, I mean, you know, I’m just kind of picturing kind of this nightmare third party vendor, which I might be the victim of in some of our client relationships. But, like, I mean, just think about it. Like, all of this effort is going out, you know, there is no mandate, there is no support for it, there is terrible scoping so there’s all this work to do, there’s all these flags to clear, and there is no obligation to participate, so you’re not even looking at all the flags. Do you know what I’m saying? Like, you’re looking at the world through a pinhole, you’re not even seeing the full picture. You’re doing all this work because it’s creating this false sense of security that, man, all this effort is mitigating risks, when you’ve got a massive hole in the castle wall or something. Do you know what I mean?
Kristy: Yeah. Absolutely.
Nick: Yeah. That’s a good one. Let’s jump to number six now.
Kristy: Yeah. This is no…
Nick: A good one.
Kristy: …consistency. So the biggest thing that I see, and this is one of those tools that we have in the course, but it’s a big deal for people, is not having consistency in how they clear their red flags and not having consistency in the due diligence that they apply to their risk types. So one of my personal favorite things, and I have seen it so many times, there’ll be one person who is the god or goddess of the third-party program, and you ask how they decide, you know, where to escalate, how to get the higher-level reports, and they say, “I know. I have been here 20 years, I just know.” And so, I’m like, “Okay, so if you win the lottery and quit or get hit by a bus and quit, no one has any idea how or why you made these decisions.” It is so much more common than you would think.
So you get a subject matter expert that doesn’t write anything down about process, that doesn’t write anything down about, like, actual criteria, and you get a program on the other side that has 90 people throughout the world, all of them are clearing red flags in different ways, none of whom are doing it exactly in a consistent manner, that has the same types of mitigation based on the same, you know, what do we do if we get…if we think we have a match, if we think we have a fuzzy match in our sanctions review? What do we do if we get adverse media? How do we approach that? What do we do if it’s validated? When do we escalate? If there is no consistency, you have a scattershot program that will frustrate the business because it’s not consistent, and you put yourself at risk because it’s not written down properly and it doesn’t have that capacity to say, “We always do it the same way.” It’s really important.
Nick: Yeah. Yeah. I mean, it’s almost like, you know, you have a goalie who’s showing up with different mixes of pads on or something, you know I’m talking about hockey here, right? Like, everybody needs to be applying the same risk overlay or the same sort of thought pattern on how we’re gonna handle this type of a match or that type of a match or this type of a situation or flag, because, to your point, just having somebody clicking flags and eliminating flags, if everybody is doing it differently, you’re not getting that sort of, well, consistent risk mitigation. Again, this is one that’s kind of basic. Do you think this is something that perhaps people just think, “Well, the process in itself will kind of take care of it? If I can just impose a third-party process over my business, it’s gonna kind of take care of itself.” Is it an education thing? Is it a misunderstanding about like what goes into it beyond just the sort of, you know, scuffling that supports the process?
Kristy: I think it’s not having enough structure, actually. It’s the opposite. It’s believing that…and it’s frequently true. By the way, the subject matter expert that believes that they know when things should be escalated tends to be right. The problem is if you’ve got a prosecutor who is looking at that person and saying, “How did you make that decision?” And here she is like, “I just knew.” Well, clearly, you didn’t…
Nick: That didn’t work.
Kristy: …because it got overlooked, you know? I think that the imposition of structure can feel scary if you have a 90-person team, and you’re saying things like, “Well, it’s different in each region, the cultures are different.” Yes, but you need consistency in your program. And the other place you don’t see consistency is when that rogue third party, right? We’re gonna take this one out of the review because they’re too important, which is actually a recent case. I just thought, how is that still a thing? Where can you push these third party somewhere else and say, “Oh, well, it’s too important we really don’t need to put this one through.” That’s a consistency issue as well.
Nick: So, as people use vendors for part of their third-party thing, how have you seen that go right, and how have you seen that go wrong?
Kristy: I think that the vendors make it a lot easier. If you have the kind of platform that does an automatic review, that you have to set it up correctly, right? The fact that it can process third parties through a sanctions and adverse media review is not the same thing. So you have to set the criteria for it. I have a client right now that their current system says 98% of their third parties are low-risk.
Kristy: That’s how it’s been set up, and that’s how they set it up in the beginning. They are wrong. It is not… Ninety-eight percent of your third parties are not low risk. Right. So that’s the first thing, is technology can help, but you’ve got to set it up correctly so that it works. If you’ve taken a risk-based approach in the beginning, which is, there’s risk-based approaches at the beginning, which is getting your criteria and your risk model right. There is risk managing in the middle. How much due diligence are you applying to each third party based on that initial risk ranking? And there is risk at the end, which is, how are we going to mitigate these red flags and what are we going to do with our highest risk third parties to manage it? So there’s three different levels of places where risk management needs to happen, and getting that consistency is incredibly important. So, yes, the technology helps, but you have to set it up correctly, and it doesn’t clear stuff for you. It doesn’t tell the business what to do after that, because it can’t, really. So there has to be documented process in place that makes that consistency imposed.
Nick: That’s a great point, it’s not just enough to have a vendor doing it. You have to actually put some thought into it and make sure that it’s being consistently applied, irrespective of how you’re engaging with them. What do you think about this question? Do you think it’s better to have the subject matter expert clear all red flags or multiple people across the business clearing third-parties?
Kristy: I love this question. I think it’s a combination. So, I hate it when companies give the business the ability to just clear their own red flags. I feel like you’re a fox in the henhouse stuff there, right?
Nick: Yeah. Totally.
Kristy: So… But you, as the compliance person, I don’t think it’s your responsibility to reach out to the third party and try to ask them if they were in India at the time of that bombing, that their same name is up in that adverse media article because you don’t have the relationship. So what I think that means is that you reach out to the business and say, “Look, we think this guy is a potentially sanctioned party. Can you find out if he has an Iranian passport?” Or if it’s somewhere else, right? Your match says that the same name is in Italy and it is your third party somewhere else. Can we get a passport to see if the numbers match on the OFACs list, right? So it’s up to the business to get the evidence to clear the third party. It is up to the compliance officer to decide whether that evidence is good enough to clear it and approve the third party. That’s the line I would take.
Nick: Yeah. And I think, on that connection, to the extent that the best practice is for the compliance officer to get that business person to get that information. During that exchange, there’s a little bit of influence that you’re gonna wanna do to explain the why behind what you’re asking…
Nick: …but let them see the context of the thing, to come across as helpful and not trying to be a pain to them, so that down the road, as the process expands or shrinks or whatever, you’ve kind of positioned yourself as somebody who’s, you know, not trying to impede them, but trying to help them move forward in a safe way.
Kristy: And I think that this is where education…that’s where an education can really be helpful, right? Okay. I’ve got this adverse media issue. Well, can you imagine if we actually engage the person who was in the bombing in India, like, how that would looked or do you understand that if this person is the same person and we go forward, I have to notify the federal government that we engaged with this party. Do you want me to engage the federal government and tell them that you didn’t get the passport for me? I mean, you know, at that point, people, when they realize the consequence of getting it wrong and actually have to think about it, are usually much more able to see why that’s a problem.
Nick: And not to get too tactical here, but if you notice, everything you just said in your little scenario, those were all questions, and those were all influenced questions that were putting this business person in this other scenario that you’re trying to avoid, and that’s really the key to the influence. It’s not just an info dump. It’s bringing them with you on that sort of persuasion journey so that they can understand and see your world through their own eyes. Do you know what I mean?
Kristy: It’s almost the storytelling, right? I’m telling you a story…
Nick: It is.
Kristy: …of what happens when you get…
Nick: And you’re coming at it from different…
Kristy: …into the story.
Nick: Yeah. All right. Let’s jump to number seven. Here we go.
Kristy: Number seven is so much of what we’ve been talking about. That’s not using a risk-based approach. So I have a client in the pharmaceutical field. Luckily, I have lots of clients in the pharmaceutical field, so one of them isn’t gonna get mad at me, and we did a third-party program evaluation for them, and what we found was that they were applying the same heavy-duty due diligence to all of their third parties, regardless of level of risk. And this came out of one of their, I think, it was the general counsel that had originally done the program, and that person was very fearful, and that person had come from a company where something went wrong, and it was everybody is getting this hard review, because if that happens, we can get in trouble or… And it was killing the business, and the business just hated it. You know, we did our surveys and focus groups and just, you know. It was… And that creates your animosities. So…
Nick: Yeah. Totally.
Kristy: …I think the biggest thing that you can do is, if you really do focus on high-risk third parties, and you also prepare the business, that if they’ve got one of those, this can take three to six weeks, maybe more, but that most of them aren’t going to be that, then I think you engender a lot of goodwill. And the other thing you get is outrageous budgets, and that’s because if you’re doing this third-party thing, where you’re doing desk reviews and enhanced due diligence on 1,000, 2,000 third parties, that’s gonna take forever, and people get upset about it, but it also gets really expensive. And so you want…you only have so many resources, right? You have technical resources, you have human resources, and you have financial resources, so you need to think about all three of those types of resources and where they should be allocated, and I think people sometimes, they rely on the technology so much that they don’t realize how much it’s going to cost and how much time it will take because that technology feels like it’s gonna save you and it doesn’t.
Nick: It doesn’t. Well, it can’t, by its nature, because we need this sort of human brain to understand the circumstance and the nuance of the jurisdiction that they’re in or whatever, by its nature, it can’t. And, you know, I love that you brought up the fact of time. I mean, we all know that, like, time is money and, you know, but we all seem to get anchored to the number on the invoice. Do you know what I’m saying? Or the number on the contract, that dollar amount on the contract, when, you know, against your point, that scoping can end up creating a ton more costs because you can incorporate what the cost of everybody’s time is on how that diverts them, and I think when that gets weighed against the true risk mitigation, which I get is hard and fuzzy to sort of, like, draw a circle around, the return on risk mitigation, obviously, starts to fall through the floor when that thoughtfulness is not incorporated on the front end.
Kristy: Yeah. I mean, it is a very, very big problem, and I think that… One of the ways that we try to help our clients is to say, “Okay. What does a perfect stratification look like for you? Do we want 50% of our third parties to be low-risk and 30% medium and 20% hot?” That sounds artificial to some people, but actually, it’s a really helpful thing to do, to try to think about how are we going to manage that? Because that helps you with your budget, but it also helps you adjust your risk model to…
Kristy: …match your budget and the time that you have. So you need to be operating in a world where, yes, you’re managing risk, but you’re also managing your own resources, and your risk-based approach needs to be documented because if you look at that DOJ guidance and if you look at all of the guidance around this, a lot of times, I see people not documenting why and how they excluded third parties, right? So let’s say that they decided that they aren’t gonna do lawyers or audit firms over 100 employees, they’re not gonna do charities that are registered with the government that they can prove that they’re legitimate registered charities, those are all legitimate decisions. But we have seen charities go wrong. We have seen law firms be conduits for bribes. We have seen audit and tax companies be conduits for bribes. What you need to do is write down that, based on your resources and risk-based approach, that we are mitigating by the fact that there are over 100 lawyers or 100 auditors, and therefore, they’re a larger firm, and it probably has a stronger reputation. We are mitigating for the fact that these charities have been registered and that there’s been due diligence done by the State to give them their registration. If you write that down, particularly for your exclusions, it’s really hard to second guess that later. Whereas if you don’t write it down, you just write down who’s in scope and not why you left other people out, you’re back to trying to defend something in the negative later.
Nick: Right, which is a fool’s errand, obviously. As we talk about, kind of, risk-based approach, I think what we’re kind of talking about is expected value. I think we’re pretty good at getting a picture of like, “Hey, here’s a recent fine. If we had it, it would kind of be this number.” That’s the value piece, but the expected value piece in your risk-based kind of thing here is putting some kind of a probability with it. So just think about like a lottery ticket for a 30, you know, $30 million lottery, when that’s in your pocket, what is that worth? Is that worth $30 million? Well, obviously not, right? It’s worth 30 million times your odds of winning it. So if we can apply that to…if we can apply some kind of, even if it’s just a guess, right? To your point, if we can apply some kind of a likelihood to these things, it can help guide us on that scoping piece and really incorporate that risk-based approach on the front end you know, during the risk mitigation process and as we’re clearing those flags. We’ve got a…
Kristy: Can I say one other–
Nick: …great comment… Oh, yeah, please. Please.
Kristy: Oh, go… All right. But I wanted to hear what they have to say.
Nick: Yeah. They…
Kristy: When… The other thing that you see is people only doing sanctions checks and then escalating if something goes wrong. So it’s only if they get a red flag and I see that as really dangerous, and I wanted to say that because, instead of using a full risk-based approach in the beginning to say, what are they doing for us? What’s the CPI score? Are they representing us to the government, how much money is involved in this contract, what’s that create as a risk-based? They say, “I’m only gonna wait to see if I get a red flag and then I’ll do something…”
Kristy: “…more.” That, to me, is horrible scoping as well, and horrible not using a risk-based approach because they say they’re using a risk-based approach, but it’s only if they find a problem do they then apply a greater risk-based approach. I really don’t like that approach at all.
Nick: Yeah. And it’s kind of related to this difference that we see a lot around kind of like a type one error acclimation or a type two error acclimation in statistics or science or whatever. There are two kinds of errors, right? There’s the type one, which is a false positive, and then there’s a type two, which is a false negative and what we find a lot of folks, by their nature, probably because they’re overly relying on the technology, they really have this type one or false positive acclimation, which, obviously, you don’t want false positives. You don’t wanna fire a vendor if they’re actually a good actor. But from what I think, like, that type two, which is a false negative, is perhaps even riskier, and I just think opening our minds to these different error types can help us as we’re applying a risk-based based approach, because, I mean, think of the false negative, this is a bad actor that you said, “No, he’s good to go,” and now he’s in the system and you’ve already given them that seal of approval. It’s hard to remediate that until you check it again or until somebody else is looking at it. And, you know, I guess that kind of dovetails pretty well into this comment that somebody just dropped into the chat and it said, “Technology can only flag something, but it can’t put the context to what it means.”
Kristy: Yeah. That’s completely true. And, you know, last year, one of the most fascinating things that I saw was one of the sanctions impositioned, was that the, I think it was OFAC, they said that just doing the sanctions review like this without a human is not acceptable, that you need to have…
Kristy: …some spot checking and you need to have… Man, is that a pain in the ass. Now we’re not even allowed to just rely on our software, right? So everything needs context. It absolutely does. And the third party relationships, when you do find yourself with a problem, 100% new contracts. That’s when you start to do your deeper dive to understand where that comes from. But technology is fantastic, I could not imagine trying to run any kind of medium to large size companies’ program without it, but it’s not the be-all-end-all, and I think that that’s really important.
Nick: Yeah. That’s a great point. There is no silver bullets in risk mitigation, unfortunately. Let’s jump to number eight, please. Love this one. I hate being on the other end of this one, but this is a…
Kristy: I know.
Nick: This is a big one.
Kristy: So when you have a supplier or a vendor or a third party or a consultant or whatever, that has to go through six or seven processes, it is a nightmare for both them and for you and for the business. So there are so many contracts where, and so many companies, where they have to do a data privacy and security interview and review. There’s a sustainability piece. There is a corporate social responsibility piece. There is a modern slavery review. There’s also, of course, compliances review, the anti-bribery, sometimes, they have a separate import-export, and trade sanctions review, all on different platforms, all in different places, all without any coordination and you end up with much more frustrated businesspeople because maybe the compliance review isn’t even that big a deal, but when you couple it with six other processes, it becomes a nightmare.
So the most important thing you can do here is to ask the question, how many due diligence processes do we have, time we pare it down, can we get our software talking to each other? A lot of the really sophisticated vendors now have APIs do other types of due diligence programs and processes, and they all come into Coupa or Oracle or whatever it is or an enterprise risk management system. If you can get that streamlined, you will give yourself so much of a favor. It’s hard… I mean, you know, you’re on the other side of this, it’s why you’re…
Kristy: …trying to get contracts through.
Nick: Yeah. It’s… You know, on the other side, you know, being on the other… Well, this has been a very awesome webinar for me, because we’re, to your point, on the other side of this a lot and, you know, we’re part of people’s, you know, third-party due diligence process, and it is just across the board. Like, it is just… Some of them, they seem properly scoped, and the questions they’re asking are good to go. And, I mean, we obviously have to have all of our stuff dialed in for the type of clients that we deal with. So there’s rare cases where, like, our fingers, you know, where we’re overstepping the line, so to speak. But sometimes, we get these third-party, you know, diligence things, where it takes, you know, 15 hours from somebody on our side to talk to their third party vendor who doesn’t have an insight into the business issues, and there’s no sort of communication. They’re just kind of sending us, “Well, oh, here’s an IT questionnaire. Well, there’s 50…” You know, half of it doesn’t even apply to us, right? So without that thing, it creates a lot of chaos on the vendor side and, to your point, I’m sure on the internal side, somebody has to go through and do those approvals and all that kind of stuff. It’s, you know, it feels like some, like, you know, like a traffic jam. Do you know what I’m saying?
Kristy: I do. And I’m gonna go off on a tangent here about due diligence questionnaires. So one of the things that makes me crazy are the huge diligence questionnaires, where people ask questions where they don’t need the answer, to feed their risk model, right? Or they ask things like, has anyone in your company ever been accused of, alleged to have, or was then convicted of any kind of crime? And you’re like, “Ah, I have 150,000 employees. Yes. I’m sure somebody at some point had, you know, a smoke, or buying cigarettes under age violation or a DUI, or…” You know. These kind of super broad questions that make people lie or not have the information and… So overly broad, you know, due diligence questionnaires, overly engineered due diligence questionnaires, due diligence questionnaires where the questions wouldn’t change, whether or not you work with a third party. There is so much that can be done to make those better, and I think that a lot of times, we either use the default from the vendor, or we wanna do that whole, like, super protective thing.
The other one there is this risk-based approach giving everybody a due diligence questionnaire. It’s unnecessary. Use it for your prior third parties because remember that if you said it out, you’re probably going to have to look at it, so think about that, or you have to… You asked for references, somebody should call me up. If you’re looking for banking information, somebody needs to be making sure it’s real. So don’t ask for so much from that many third parties if you’re not gonna follow up on it. It is worse to have this stuff, not have followed up on it, and then to never have had it in the first place.
Nick: Yeah. And there’s a little bit of courtesy to putting some thought into that questionnaire, not just because I get burned by these all the time, but, like, to your point, like, you made the great point, like some of these questions are ridiculous, and then they make people lie and once somebody does that, well then, the whole questionnaire is sort of compromised. Do you know what I’m saying? Like, we don’t want people who are filling these questionnaires out to be like, “What a stupid question.” Do you understand what I’m saying? “This whole thing is stupid. I’m gonna check out of it, and I’m just gonna click a bunch of yeses and just roll the dice.” Like, that, not that we ever do that, of course, but, like, that… We don’t wanna create…we wanna create the circumstances for success and ridiculous questions like that, which you see a ton of them, I think, create headwinds for the true picture that you’re subject to, because this is all self-reported at some level, you know?
Kristy: When I was the director of compliance for Carlson Wagonlit Travel in Europe, the Middle East, and Africa, we would get supplier codes of conduct, or we’d get requirements to abide by somebody’s anti-bribery policy. You would open it up, and it would say things like, “This is our gifts and hospitality limits for the entire company,” or, you know, “You have to do…” They would literally have the due diligence process for that company in the anti-bribery policy. How am I supposed to say…? The other one was these pushdown clauses, right? Where they say, “Every sub, every, not sub-processor, I’ve got data privacy on my mind, every subcontractor has to agree to abide by our supplier code of conduct.” Our suppliers were American Airlines. Like and Hilton, American Airlines.
Nick: Can you imagine?
Kristy: I mean, it’s… Like, you think that I can get Nordic Telecoms thing in… And, like, I mean… But… Yeah. I’ll sign it because if you say no, then, well, you’re not gonna get the contract with this, like, huge telecom. But I think that people aren’t smart about thinking through that, ask for things you can get, use a principles-based supplier conduct, not, “if you will abide by our specific policy,” or read your darn policy and make sure it’s possible for outside vendors to follow it. Like, seriously. Okay.
Nick: Good one. All right. Let’s jump to the next one, number nine, please. Boom. A big one. Look at all those cooks in the kitchen.
Kristy: If everybody is responsible, no one is responsible, and so a lot of the documentation that I read when we’re doing a third-party program review, is, who’s in charge of that compliance? Okay. What does that mean? You got 15 people in compliance. Who is actually responsible for making the decisions? Who is responsible for doing the double-checking? Who is responsible for making sure that contract terms are correct? Who is responsible for making sure that these red flags are clear and on what timescale? When you don’t have defined roles, you’re in real trouble because people don’t take responsibility, and you end up with everyone thinking someone else is supposed to do it.
Nick: Right. Why does this result, do you think? Like, when you see this happening at clients or other, you know, anecdotal situations, what’s at the root of this?
Kristy: I think that it’s comradery, actually, and a lot of times, it’s a belief that we are all in this together. And particularly when compliance teams don’t have definition, you end up with people who just believe that everyone is gonna do their best work, and they may be.
Nick: They may be.
Kristy: But if it’s not assigned to somebody, then it’s really hard to hold anyone accountable, and it makes the business mad because, again, it’s not happening quickly enough, and I think that that’s a real problem. And on the other side of that, if the sales department is in charge of third-party processing or asking for third parties but not an individual or, you know, a specific business sponsor, that can get you in trouble, too. Who has the relationship to do the follow-up is a really important question, and if it’s… So I have seen some that are done by a department, and it’s not effective.
Nick: Yeah. I like how you said camaraderie, “Hey, we think we’re all in this together.” I mean, if you look at a football team, they’re all in it together, but they all have different positions, they have different assigning roles and different responsibilities, and that’s how you win a football game. I’ve got a good question here, are there any general guidelines that you, or that can help determine which roles to include and the number of people in each role?
Kristy: Look at your process, map it out, think about the resources you have, go back to your scoping. I think that you need to see where the bottlenecks are. So where are the places where you get problems? So who’s going to be inputting? Who’s gonna do the initial review? Initial review tends to be the place where people get most caught up.
Nick: Behind. Yeah.
Kristy: Sometimes, people have the business do the initial review. I don’t like that. But I think that…
Nick: Back to that…
Kristy: …you need to…
Nick: …consistency thing, to your point.
Kristy: What did you say?
Nick: Back to that consistency thing.
Kristy: Yeah. It’s a consistency thing. But find out what your bottlenecks are and then think about who can help be the most efficient person to get through it. I think that’s the way that you manage that.
Nick: Listen to this comment, I have never heard this, but I love it, “the best way to kill a dog is to ask two people to feed it.”
Kristy: Oh, my God.
Nick: I like that.
Kristy: That is a Halloween nightmare. I suppose.
Nick: It’s morbid. It’s fine…
Kristy: Yes. Exactly.
Nick: …and it’s fitting and… Okay.
Kristy: All right. You did it. She did it. You did it. Why didn’t you do it? Yeah.
Nick: So a lot of people are in this situation I’m about to describe here, so someone just placed this comment in the chat, “I’m a compliance team of one, that’s a different kind of potential nightmare.” She works with great attorneys and business folks. But that’s a tough situation, I mean, a lot of folks are under-resourced, understaffed and stuff like that. For somebody who’s in a compliance team of one, how much more important is it to just put that risk-based approach to everything you put your hands to?
Kristy: Everything. It has scope, scope, scope, scope, scope. That is scope all over the place, and that is, you know, documentation that this is your bandwidth, and that’s it.
Nick: That’s it.
Kristy: And that has to be okay. You’re going back to mandate than in communication. If you want me to manage 50,000 third parties, then I need help to do that. Otherwise, I will be an impediment to the business, nobody wants that. Let’s do a better scoping of this or get me more resources. There has to be a conversation.
Nick: Yeah. Where is it gonna come from? That person can’t expand the number of hours in a day, obviously. Let’s jump to number 10 here because this one is, this was… I don’t know, I don’t wanna call it the granddaddy because this is a whole handful of granddaddies, but this is another crazy one.
Kristy: Mm. Oh, the number of clients that I have that want compliance to approve their third party plus the business sponsor and if it’s a little bit higher risk, the business partners, sponsors, supervisor, and then the division head supervisor. You have four or five levels of approval. You will never get that third party through because those people are busy, and they don’t want to do it. They may also have no context for the relationship. If you’re talking about senior enough people, they don’t know why your…if their person in Bangladesh wants to hire that guy. I mean, you know? And what…?
Nick: It sounds good.
Kristy: …are sort of the demands and things that they’re gonna ask, right? So I think that one of the ways we shoot ourselves in the foot and create nightmares is by having convoluted and difficult approval processes. You need the business to take responsibility. For me, one of the things that people do is they ask for all of these business rationales for why the third party is necessary, and that’s, to me, where the business gets the risks. Like, they need to know their third party is necessary. They need to have that approval before it comes to compliance to check… Our job is to check sanctions and to check PEP, and to check adverse media, and to check reputation. Our job is not to question whether or not you actually need a consultant. How would I know that? It’s not my job to second guess you. So that convoluted approval thing is a nightmare that needs to be managed in the business risk side. We need to take responsibility for what we’re meant to do and not the rest of it.
Nick: Great. Because… I mean, the approvals just turn into kind of a joke at that point. Five people have to approve it, you’re never gonna get them, or you have to follow up five times or, you know, the top, you know, the top person who gets it, they don’t, to your point, have that context. Again, I’d love for you to kind of comment on this, this feels like, again, a fear, it feels like a fear-based thing. Well, if I got 20 people saying yes to it, then I’m not going to get in trouble for this.
Kristy: I am not responsible. I am not…
Kristy: …responsible for saying…
Nick: …what’s the goal?
Kristy: …yes. They had to.
Nick: Is the goal risk mitigation, or is it sort of your ego and your own sort of, like, safety from, you know, letting a shot, you know, pass a goal or something? I have a quick one here from somebody. You know what? Why don’t we…? I wanna talk a little bit about your course and then let’s, you know…
Kristy: Finish up with some Q&A?
Nick: Yeah. A little Q&A.
Kristy: So we have our focus series. This is the first day it’s launched. There’s a 20% off code for a “ComplianceLine” folks that are coming, and their link to the page is on there, and of course, people will have the slides to be able to do it. But it’s at my website, which is compliancekristy.com. It’ll give you 13 different tools, all of the stuff we’ve talked about today, having… You know, we have a red flag clearing criteria matrix. So you’ve got a mitigation tool kit. We’ve got a risk-based approach worksheet. All of these kinds of things are in there, it’s really focused on making sure you have a risk-based approach, giving you all the tools you need to have that and to make sure that your program is defensible and manageable.
Nick: Well, we got so much great feedback from the people who checked out your course on the last webinar. I mean, really, everything you put out is… I mean, you at least live to the, you know, the high-level principles that you’re talking about. You put a lot of thought into what you put out, there’s not a lot of BS and filler. Like, it’s all actionable stuff. I love it. I’d encourage everybody to check this course out because if you haven’t checked them out, you will be pleasantly surprised. I just got a great comment, Kristy, to wrap it up, “Kristy is always so knowledgeable and engaging, and I love the Halloween slides.” So another…
Kristy: They’re crazier today.
Nick: …gold star for your chart today.
Kristy: Thank you.
Nick: I wanna jump into some more questions. Anything else you wanna add about the course or any…?
Kristy: Yeah. Let’s keep going with this stuff.
Nick: So somebody said, “Hey, good point on the false positives and false negatives, but how do we, in a practical way, protect against the false negatives?” It’s a great question, so if you have anything to weigh in on I’d love to hear it. If you need a minute, I have a couple of ideas.
Kristy: Why don’t you start? Because, actually, that’s a concept I haven’t even heard before, I didn’t spend a lot of time in science class, so I got to college and went, nah, I’m an arts major. Forget it. So please go ahead.
Nick: Yeah. So, from our standpoint, when we see the biggest sort of type II error risk is when people are applying a search filter, so to speak, that’s too…it’s too loose. It’s letting too many things through, which corresponds to, you know, again, this is an extreme, but, like, the closer you are to an exact match framework, the more false, you know, the more of these type II errors, these false negatives you’re gonna open yourself up to. So what we find with clients who rec…you know, sometimes one will pop up, they’re just applying an exact match, and they’re like, “Well, how did we miss it?” And it’s like, “Well, because this guy, you know, this search name had an initial in it, the sanctioned name didn’t have an initial in it, so the algorithm that you selected for this is not finding those things.”
So we tell folks to open those up. It will create a little bit more work, especially on the front end if you don’t have that sort of carryover algorithm capability to say, “Hey, I’m just checking for new things,” and you don’t have to go through the whole, you know, haystack to find that needle again. But it just comes down to, what are you trying to prioritize? And this is, you know, Nick talking here, I think if you’re trying to prioritize, like, minimal work, then go for an exact match thing, but just understand that you’re kind of opening yourself up to a ton of false-negative potential.
Or you can say, “Listen, I wanna do some…” You know, risk mitigation is the biggest thing, apply this risk-based approach to some kind of a filter that would allow you to, again, look, you know, check more apples in the basket for the bad apples, that’s just gonna ultimately reduce your likelihood that a bad apple is in that basket, you know, once you kind of give it the thumbs up. So I hope that was helpful. If it wasn’t, please, you know, respond to the email, I’m happy to kind of dive into that some more, we have some other resources on that. Quick question, do you recommend the FDCPA training? Do you rec…? I’m sorry, not the… Do you recommend FDCPA training?
Kristy: If I knew what that was, I could comment on that. Apologies. I may not know the acronym. But please, follow up, send me the link…
Nick: I will.
Kristy: …to that and I’d be able to…and I’d love to take a look at it.
Nick: We’ll get that over to you. All right. Well, thank you, everybody, for joining. Another home run, Kristy. This was phenomenal. Love the insights and the takeaways. Everyone, keep your eyes out for an email from us. We’ll be sending around the information for the course, the link, the discount code, and, you know, we’re happy to send around the slides and everything else. So, thank you so much, Kristy. Always a pleasure. Thank you, everybody, for joining us, and we’ll see you next time.
Kristy: Thanks, Nick. Take care. Bye.