Finding Contracts in the Wild: A Good Start for Managing ESG and Other Third-Party Risks

by | Aug 9, 2022 | compliance and threat prevention, Data Privacy, digital forensics, driving digital, GRC, information governance, Nuix, Uncategorized

The Covid pandemic has shown many organizations how much they rely on third parties in their supply chains, to help them deliver services and products to customers. At the same time, the growth in environmental, social and governance (ESG) concerns has forced many organizations to re-visit the commercial relationships they have with third parties whose behaviors may create risks for the organizations’ ESG goals and commitments.

THIRD-PARTY RISKS

Deloitte recently surveyed the third-party risk management practices of over 1000 organizations in more than 30 countries. It found that since COVID-19 became a global pandemic on 11 March 2020, just over half (51%) of respondents faced one or more third-party risk incidents. These incidents created regulatory, reputational or strategic issues for respondents in areas such as:

  • Cybersecurity and privacy issues in third parties
  • Failure by third parties to meet their contractual obligations to those organizations
  • ESG issues in third parties, such as environmental pollution, modern slavery, bribery and corruption.

Unsurprisingly, the experiences of the past 24 months have also sharpened regulators’ interest in businesses’ arrangements with their third-party vendors. Regulators have often been quick to remind those businesses that they remain ultimately responsible for meeting their obligations to customers and regulators, and where they rely on third parties, it’s their job to manage the third parties to ensure those obligations are met. Some regulators have gone as far as to require businesses to include in their third-party contracts, rights for the business to conduct ongoing audits and continuity assessments of their external vendors. The reasons for doing this are borne out in a recent McKinsey study which showed that while most third-party disruptions occur lower down in the supply chain, two-thirds of companies say they can’t confirm the business continuity arrangements with their non-tier-one suppliers.

STEPS TOWARD BETTER RISK MANAGEMENT

An important foundational step towards managing these increasing third party risks for any organization is to have an up-to-date and comprehensive management system for all the contractual arrangements the business has with these external parties.

Our experience though, is that this is not always as easy as it sounds. Particularly for large organizations, contracts aren’t always where they should be.

Even if you are organized enough to put all your contracts in one place, can you say for sure the document in your central repository is the final version? Or is that the contract the vendor sent a couple of days later after final negotiations with the legal team? Is it the computer-readable Microsoft Word version or the signed-and-scanned PDF emailed back to the other party?

FINDING CONTRACTS, WHEREVER THEY’RE HIDDEN

Nuix recently worked with a large bank in the United States that was grappling with this challenge.

The bank needed to improve its risk management of third-party vendor contracts. Over time, each business unit had developed its own practices for managing third parties which led to considerable differences across the bank on standard contract language, different approaches to third-party risk management and material variances in approaches to ongoing due diligence. Different approaches in the contracts to pricing was also an issue, with the situation almost certainly leading to commercial value being left on the table.

To deal with this, the bank was looking to centralize all its contracts into a single third-party management system. But over time, many contracts had been stored by staff amongst terabytes of data in difficult to search locations such as employees’ inboxes or shared drives.

The bank’s contract management team knew it couldn’t just run a search for “contract” across all employees’ emails, file shares and other data repositories. Instead, it used the Nuix Data Finder plugin to run a series of detailed search queries relating to common contract terms across each business unit’s systems.

Nuix Data Finder rapidly trawled the bank’s systems – running optical character recognition to capture scanned documents – and extracted text and metadata from items across the network. This allowed the contract management team to analyze responsive items in real time and flag any real contracts for further analysis.

Real-time search results helped them fine-tune their search queries to improve the accuracy of detection for each system they analyzed. The bank then extracted the most recent versions of each confirmed contract and migrated it into the management system for ongoing administration. In doing so, Nuix helped the bank rapidly take steps to start dealing with its operational and strategic third-party risk exposure.

RE-ENERGIZING THIRD-PARTY RISK MANAGEMENT

Managing third-party risks is a growing concern. Over half of Deloitte’s survey respondents agreed that because of recent and ongoing global events, they need to increase their focus on third parties and make at least some major investments to re-energize their third-party risk management programs. In similar findings from a recent global study by KPMG, 77% of the 1263 risk professionals surveyed believed overhauling their third-party risk management model was overdue.

Re-energizing third-party risk management can take many forms. There is, for example, an increasing appetite among business to have much more real-time data on the performance of their third-party vendors. These are longer term goals for businesses and the technology to deliver these outcomes is still at an early stage. A key stage along this journey is for all businesses to have a complete understanding of the current arrangements they have with their third parties and there’s a readily available technology to help handle that key foundational step.

Source: https://www.nuix.com/blog/finding-contracts-wild-good-start-managing-esg-and-other-third-party-risks

Nuix Helps Australian Big Four Bank Manage Privacy Risks Across 240 million Documents

by | Mar 2, 2022 | compliance and threat prevention, Data Privacy, GRC, Nuix, Uncategorized

Under Australia’s Privacy Act, organizations that hold people’s tax file numbers (TFNs) must securely destroy or permanently deidentify those TFNs once they no longer have a legal reason for storing them. This might happen when someone stops being a customer.

Australia’s privacy regulations pay particular attention to TFNs because of the potential for them to be used in fraud and identity theft.

RISKS AND CHALLENGES

Managing these risks can be challenging. In large organizations, TFNs can be stored within vast oceans of data, in many different locations and file formats. This may include scanned handwritten documents such as application forms.

Without powerful technology to find and redact TFNs, the task of compliance can be almost impossible. If not dealt with properly, this sensitive information can be exposed in an instant by an embarrassing and costly data breach.

BIG FOUR BANK

To help proactively manage these risks, one of Australia’s Big Four banks recently deployed Nuix Workstation and the Nuix Data Finder plugin to find and redact TFNs across more than 240 million documents.

Using the unmatched power and speed of the patented Nuix Engine, bank staff quickly scanned the documents and identified those containing TFNs, significantly reducing the bank’s compliance risk profile within a very short timeframe.

PRIVACY DATA IS A GLOBAL ISSUE

Australian banks aren’t the only organizations facing this challenge. Healthcare providers, insurers, professional services firms and government agencies often hold enormous amounts of private and sensitive data. Privacy laws around the world strictly require organizations to only hold private data they need for business purposes and to ensure they remove any personally identifiable information they no longer have use for.

As volumes of data in the world increase at a compound annual growth rate of 23% – doubling every three years – this will become an impossible problem very soon unless organizations invest in the right technology to solve it.

Source: https://www.nuix.com/blog/nuix-helps-australian-big-four-bank-manage-privacy-risks-across-240-million-documents

Corporations: Listen to what your regulators are saying

by | Jul 22, 2021 | compliance and threat prevention, driving digital, GRC, information governance, Nuix, Nuix solution malaysia, Uncategorized

Regulator Report

The sea of cubicles is quieter than normal. All eyes seem to be turned toward the conference rooms at the far end of the room, where strangers in suits approach carrying cases of computer equipment. They enter the appointed spaces and close the door, where a sign printed on plain white paper is taped.

“This room is reserved indefinitely.”

This isn’t fiction; it’s a scene I witnessed firsthand working inside the financial services industry. While the silence and anxiety were more centered around the fact that one of our most precious resources – a 10-person conference room – was likely out of circulation for months, there was definitely a sense of trepidation as the regulators went to work.

I recalled that scene several times as we worked on the 2021 Nuix Global Regulator Report alongside Ari Kaplan Advisors. How valuable would the insights in the report have been for our business unit during those months of meeting our obligations to the regulators? How much anxiety would have been put to rest? Most importantly, how quickly would we have gotten that conference room back?

RESPONDING TO REGULATORS MORE EFFECTIVELY

During a Q&A webinar about the report, chief report author Ari Kaplan and Stu Clarke, Regional Director – Northern Europe at Nuix, addressed the topic of corporations working more effectively with regulators.

Based on their conversations with regulators, it became clear that regulated corporations should take control of their environment. “Holistically, it makes life much easier when an inquiry kicks off,” Stu said. “They have a much better understanding of where risks lie and where employees are working inside the organization,” making it that much easier to respond to inquiries.

It also helps to look at regulators as guides who are there to advise the company, not just punish it when it goes astray. Summarizing some of the comments during the webinar, regulators have a role to inform and guide the organizations they are responsible for. There’s a desire amongst the regulators to work more collaboratively and build an ongoing relationship, not just swoop in during a one-time event.

It also helps to understand where the regulators are coming from. “The regulators are incredibly savvy and have experience in private industry,” Ari said. “They are well-versed in the various tools and they talk to each other.”

HANDLING A CONSTANTLY CHANGING ENVIRONMENT

The regulatory environment adapts as the realities of day-to-day business change. “Things change rapidly,” Stu said. For example, “we weren’t talking about Microsoft Teams two years ago, and we can’t stop talking about it or using it now.”

Those changes are just another set of reasons to better understand what the regulators are looking for. Download the 2021 Nuix Global Regulator Report to learn more about regulators’ approaches to their respective industries, preferred technology and enforcement practices, all of which can help you work more efficiently during a regulatory inquiry.

source: https://www.nuix.com/blog/corporations-listen-what-your-regulators-are-saying