Summary
This document contains a guide on utilizing Third Party Categories that power the Due Diligence module in the GAN platform.
- The Workflow Builder creates a systematic, rule-based approval process for Third Party Companies and Persons.
- The workflow can be branched based on conditions.
- Each workflow branch concludes with a final status.
- The steps within the Workflow Builder are arranged by a GAN Administrator; the workflow itself sits behind a Third Party Category.
- Emails are used to communicate with users as a third party progresses through a workflow.
- One-Step and Two-Step workflows can be configured by a client. A GAN Admin can build a Custom Workflow, which is a Due Diligence process that can be configured with multiple steps.
The workflow, which progresses forward in time until the process is completed, sits behind a Third Party Category to ensure that a common process is followed in making the right decision.
Introduction
When creating a third party, an appropriate category must be selected, as it determines the trajectory of the approval process. Essentially, the GAN platform treats a category as a workflow. Shorter workflows, such as a One-Step or Two-Step workflow, can be configured by a Compliance Manager, whereas a GAN Admin can configure a custom workflow on behalf of the customer.
It is also important to note that a number of the product features described below are controlled by feature flags (FF), which the GAN Admin configures inside the company settings specific to the tenant instance (clientname.gan-compliance.com).
How to Guide
Step 1: Under the Due Diligence menu, find and click on Third-Party Categories
Step 2: Click on the +CREATE button to create a category to group your third parties, which will ultimately determine the approval workflow that is initiated
Step 3 - BASIC INFORMATION: A new page will open, where you may start by designating a Title and optionally a Description for the Category, which will be visible to all users with access to the Due Diligence module.
The Title and Description can be amended after saving the Category.
Step 4 - WORKFLOW SETTINGS: Along with a custom workflow built by a GAN Admin, a user with the Compliance Manager or Due Diligence Compliance Manager role may configure a One-Step or a Two-Step Workflow.
Optional Step 5: A One-Step Workflow can be configured with a questionnaire that can either be taken internally through the Take Questionnaire Action or sent externally through the Send Questionnaire Action. After the questionnaire, a Final Approval is required, which is carried out by a user with the Due Diligence-Approver role.
Optional Step 6: A Two-Step Workflow includes two questionnaires: an internal and an external questionnaire. In the first step of the Two-Step workflow, the Action button allows the user to Take Questionnaire. The second step allows a questionnaire to be sent externally through the Send Questionnaire Action. After the questionnaires, a Final Approval is required, which is carried out by a user with the Due Diligence-Approver role.
Optional Step 7: Custom Workflow is only visible when logging in as a GAN Admin. This allows the GAN Admin to build a wide array of workflows for specific use cases based on client needs. The Admin role enables access to the Workflow which makes it available for the Category’s use.
Step 8: Irrespective of the workflow used, in order to apply meaningful scoring you may need to adjust two sliders:
a) Location vs Questionnaire
Location vs Questionnaire dictates how much the respective element will weigh into the overall risk scoring of Third Parties in the specific category.
For example, 50.00 as shown in the image below means that the location selected on third party creation will be worth 50% of the overall score. The other 50% will be decided by averaging the scoring on the questionnaires inside the workflow. This is modified by moving the slider either right or left.
Users are not able to configure individual questionnaire weights when multiple questionnaires are used in the workflow.
b) Risk Score Interval
Both sliders apply to all questionnaires within a workflow/category.
Step 9: Connected to the Location vs Questionnaire slider, you can also utilize the Advanced CPI Scoring to influence the risk level.
Company Location (default) - this takes the CPI (Corruption Perception Index) score of the country selected on Third Party Creation.
Minimum CPI (highest risk) Score - a GAN Admin can enable the FF that displays the CPI Question Type in the Questionnaire Editor. The country (or countries, if the question is configured for multiple selection) entered by the end user determines the risk score. The risk score is calculated by taking the minimum CPI, as published by Transparency International (highest risk), of a country (or the lowest score from a selection of countries). Some locations are not covered by the Corruption Perception Index; they are listed in the Appendix below.
Averaged CPI Score - if Multiple Selection is enabled on the CPI Question in the Questionnaire, an average is calculated to give the risk score indication.
Optional Step 10: Within a workflow, every branch ends in a Final Approval i.e. a final state such as Approved, Approved with Mitigations (FF) or Rejected. When reaching this state, a Final Evaluation Date is stored on the third party profile. By doing so, on a Category level, a GAN Admin can set an automated task that sends an email notification to renew due diligence on a third party. Depending on the use case, you can also set a single default rule that will apply to all categories through the Review Scheduler.
Optional Step 11: Automatic Risk-Based Mitigations (FF)
Should a client wish to use Approved with Mitigations, an additional feature is available that automatically triggers mitigations on a third party category for specified risk levels. This Advanced Setting (when configured via a separate FF) is available to the GAN Admin, Compliance Manager, and Due Diligence-Compliance Manager.
When setting up automated mitigations, the user is able to select the mitigation task for the associated risk level as well as select the responsible person(s) for completing the task.
a) Mitigators - a defined list of users determined by the person configuring the automated mitigation
b) Entity Owners - the owner of the third party at the time the mitigation is added to the third party. For example, third party owner(s) can be modified via the Manager Actions by users with certain roles. If the owner is modified after the mitigation is initiated, the mitigator will not be updated.
c) Anyone with access - any user with access to the third party will be able to complete the mitigation. This means users with roles such as Compliance Manager, Due Diligence-Compliance Manager, Due Diligence-Third Party Manager, and more will be able to complete the mitigation even if they are not related to the third party in any manner, such as owner or approver.
Final Step 12: Scroll to the top of the page and be sure to SAVE the configuration.
Once saved, you can no longer amend or update either slider (Location vs Questionnaire or Risk Score Interval).
Appendix
Locations not on the Corruption Perception Index
These locations will not be included in CPI scoring, or in Risk Rate calculation.
Country Code | Full GAN Country List | Transparency International 2019 CPI Score |
AX | Åland Islands | n/a |
AS | American Samoa | n/a |
AD | Andorra | n/a |
AI | Anguilla | n/a |
AQ | Antarctica | n/a |
AG | Antigua and Barbuda | n/a |
AW | Aruba | n/a |
BZ | Belize | n/a |
BM | Bermuda | n/a |
BQ | Bonaire, Sint Eustatius and Saba | n/a |
BV | Bouvet Island | n/a |
IO | British Indian Ocean Territory | n/a |
KY | Cayman Islands | n/a |
CX | Christmas Island | n/a |
CC | Cocos (Keeling) Islands | n/a |
CK | Cook Islands | n/a |
CW | Curaçao | n/a |
FK | Falkland Islands (Malvinas) | n/a |
FO | Faroe Islands | n/a |
FJ | Fiji | n/a |
PF | French Polynesia | n/a |
TF | French Southern Territories | n/a |
GI | Gibraltar | n/a |
GL | Greenland | n/a |
GP | Guadeloupe | n/a |
GU | Guam | n/a |
GG | Guernsey | n/a |
HM | Heard Island and McDonald Islands | n/a |
VA | Holy See (Vatican City State) | n/a |
IM | Isle of Man | n/a |
JE | Jersey | n/a |
KI | Kiribati | n/a |
LI | Liechtenstein | n/a |
MO | Macao | n/a |
MK | Macedonia, the former Yugoslav Republic of | n/a |
MH | Marshall Islands | n/a |
MQ | Martinique | n/a |
YT | Mayotte | n/a |
FM | Micronesia, Federated States of | n/a |
MC | Monaco | n/a |
MS | Montserrat | n/a |
NR | Nauru | n/a |
NC | New Caledonia | n/a |
NU | Niue | n/a |
NF | Norfolk Island | n/a |
MP | Northern Mariana Islands | n/a |
PW | Palau | n/a |
PS | Palestine, State of | n/a |
PN | Pitcairn | n/a |
PR | Puerto Rico | n/a |
RE | Réunion | n/a |
BL | Saint Barthélemy | n/a |
SH | Saint Helena, Ascension and Tristan da Cunha | n/a |
KN | Saint Kitts and Nevis | n/a |
MF | Saint Martin (French part) | n/a |
PM | Saint Pierre and Miquelon | n/a |
WS | Samoa | n/a |
SM | San Marino | n/a |
SX | Sint Maarten (Dutch part) | n/a |
GS | South Georgia and the South Sandwich Islands | n/a |
SJ | Svalbard and Jan Mayen | n/a |
SZ | Swaziland | n/a |
TK | Tokelau | n/a |
TO | Tonga | n/a |
TC | Turks and Caicos Islands | n/a |
TV | Tuvalu | n/a |
UM | United States Minor Outlying Islands | n/a |
VG | Virgin Islands, British | n/a |
VI | Virgin Islands, U.S. | n/a |
WF | Wallis and Futuna | n/a |
Questions are welcome
Contact us through your GAN Solution Delivery Manager, GAN Account Manager or GAN Support.
© 2020 GAN INTEGRITY INC. ALL RIGHTS RESERVED | The information contained in this document is solely for the intended recipient and may not be used, published or redistributed without the prior written consent of GAN INTEGRITY INC. While every care has been taken in preparing this document, GAN INTEGRITY INC. reserves the right to revise its contents without prior notice.