This document contains a description of the Workflow Builder that powers the Due Diligence module in the GAN platform.
The Workflow Builder creates a systematic, rule-based approval process for Third Party Companies and Persons.
The workflow can be branched by setting conditions.
Each workflow branch is concluded with a final status.
The steps within the Workflow Builder are arranged by a GAN Administrator; the workflow itself sits behind a Third Party Category.
Emails are used to communicate with users as a third party progresses through a workflow.
The Workflow Builder is composed of various steps that are assembled by a GAN Implementation Manager (an administrator at GAN Integrity). A risk level is assigned at the final approval step, where questionnaires, screening results, and risk reports from GAN partners (arrangeable building blocks of the workflow) allow approvers to build a picture of the third party.
The client's approval process of a third-party (Company and Person) relationship is mirrored, systematically. The user submitting the third party details into the GAN platform must categorize the third party Company, whereas for Persons this is optional. Depending on the category selected by a user, the associated workflow will be triggered. It is possible to re-categorize a third party if revetting is enabled on the tenant instance (Client’s GAN platform); this restarts the approval process with the applicable workflow that is associated with a category.
Saving Third Party Details
The underlying workflow is initiated immediately when a third-party profile is saved. The information provided on the Company or Person profile is submitted to the first step of the workflow that was configured for the client. The information submitted as part of the profile (e.g. Country, Address, Name) can be edited by users with access to the respective third party. Updating the information does not impact the approval process; neither preceding nor succeeding steps are affected, as the details are merely updated to retain a complete picture of the third party. This also applies to any Additional Fields (custom fields under the Third Party profile), where information supplied at the initiation of the workflow is the data that is processed through the entirety of the approval process.
Workflows are built using steps (interconnected milestones that form hurdles) by a GAN Implementation Manager. The blueprint of the approval process supplied by a client is mirrored systematically by a series of interconnected steps.
Status Name and Description
Each of the workflow steps listed below can have a customized status name that appears for the users. Without a status name, the label in the UI will only appear as Progress. The Status Name should be kept short, up to 60 characters (e.g. a title). The Status Description is an elaboration of the Status Name and does not have a character limitation. Intermediary steps that are transitional cannot have a customized label as these are owned by the system.
Send email notifications to Subscribers
Once a transition between steps occurs, an email with a pre-set template can be sent to designated users with a Due Diligence role. This can be used for a user that is not active in the specific Due Diligence process to be made aware that there is a third-party undergoing a due diligence process.
The Sanction Screening workflow step allows for the integration with the Regulatory DataCorp (RDC) database to activate during an approval process. This covers various international, national and local watchlists such as fugitive, disciplinary actions, regulatory violation, legal sanctions, etc. In comparison to a Full Background screening described below, a Sanctions screening request from the GAN platform is tied to a smaller scope. This provides matches if certain companies and persons entered on the creation page are on a prohibited list.
A Full Background Screening against the RDC’s Global Regulatory Information Database (GRID) would occur at this step of the approval process. Any matches pertaining to risk events that are found in a variety of sources such as Sanctions Watchlists, Politically Exposed Persons (PEPs), and Adverse Media will be highlighted in the GAN platform. A search result must be returned via the integration with RDC to progress forward within an approval process. Matches, and thus reviewing the RDC profile, remain optional.
Following a Sanction or Full Screening workflow step, a screening selection step can be built in as part of the approval process. Once a search result is returned from the RDC integration, a user will be able to see the Actions menu to continue on the approval process, irrespective of the search results being reviewed by a user. Instead, the user must now approve the results and provide a single box commentary to justify the progression. Optionally, if no matches were found, an auto approval of the third party can be instigated. The Screening Selection is carried out by designated users, who are built into the approval process. However, a user with a higher level of Due Diligence access is able to Manage Approvers to select any other users with the appropriate Due Diligence Role such as Due Diligence Approvers, Third Party Managers, and Compliance Managers.
Following a Sanction or Full Screening workflow step, a screening analysis further enhances the review process of risk events attained from the RDC GRID. The differentiating factor between Screening Selection and Screening Analysis is that the step requires a designated user to clear individual risk events found on the match selection and optionally provide commentary on each of them.
Stop & Go Approval (Auto or Manual)
This workflow step provides a chance to review all the information captured so far as part of the approval process. The mid-process approval allows the delegation of responsibility prior to continuing further into the process. Although a process can be stopped at any time by rejecting the third party, the review provides an ample opportunity for designated users to digest information.
Additional Fields can be used in this workflow step to divert the workflow along a different branch based on a user input; yes or no answers to questions can direct the workflow along a different approval path.
The Auto option immediately triggers an email to all designated users, where one of those users can progress the approval process. Manual allows the user from the preceding step to determine which user (or users) should receive an email notification to prompt them for a review. This function also allows users to see a list of users they can escalate to for further guidance.
These approvals can also be Dynamic, which means that certain answers to the questionnaire re-direct the review to the applicable approvers. Furthermore, Dynamic Approvers can also be tied to fields in relation to the specific data entered on the third party e.g. the location form field entered on the Third Party Creation form. An Additional Field (custom input field on the Third Party Creation Form) may also be used to determine the trajectory of the approval. Last but not least, the Risk Range determined by a questionnaire can also route the approval to a specific user(s).
This is a series of questions intended to be directed to a user known to the GAN platform or a user within the organization. The user actioning the step may choose to Take the Questionnaire or Send it further to a user via the system. Should the email be forwarded to another user outside of the confines of the system, the activity log will register that firstname.lastname@example.org submitted the questionnaire. Questionnaire Links expire within 30 days. A client may choose to enable the Evaluate function, which allows the sender to send back the questionnaire.
This is a series of questions intended to be directed to a user external to the GAN platform. The user actioning the step can choose to Send the questionnaire to a third party. The email template will automatically populate depending on the setup, but the email itself can also be customized. A reminder email follows a similar logic, where the frequency of reminders can be configured for the specific third party. Questionnaire Links expire within 30 days. A client may choose to enable the Evaluate function, which allows the sender to send back the questionnaire. However, there is only one template available for the Evaluate function, so the same email would be sent internally and externally.
This step allows the sending of multiple questionnaires simultaneously, where all questionnaires have to be completed prior to progressing further within the third party approval process. The questionnaires can be internal, external, or a combination.
Control Risks and External Provider Reports
Enhanced due diligence (EDD) reports can be captured within the clients' instance of GAN ICM. Ordering reports with varying levels of investigation can be built-in as a workflow step as part of EDD. Thorough reports help assess risk with more information thus helping approvers make the right decision.
The system applies a risk label to the third party, while a customized comment can be shown for all third parties that were automatically approved. Based on meeting certain conditions, a Third Party can be Automatically Approved without user intervention. Thus the third party reaches the end-point of a workflow with a risk rating. The section on workflow branching below describes details on using branching and setting conditions.
Third Party Evaluation (Auto or Manual)
The Third Party Evaluation is the final step in the approval process; the third party reaches an end-point in the workflow and it is given a Final Evaluation Status. The final approval can be Approved, Rejected, or if enabled Approved with Mitigation. If mitigations are enabled, the mitigation tasks will need to be completed before the Third Party approval is deemed as complete. At any time, a user with the appropriate role can terminate workflow progression through the ‘Manager Actions’ menu followed by Rejected. Through revetting, a new version of the third party can be taken through the same or new workflow i.e. category.
The Final Evaluation is assigned to final approvers that are known to the system. Only users logged into the system with the appropriate Due Diligence Role have the ability to approve a third party. Similar to Stop & Go (Reviews), the Auto option will route the final approval request immediately after the prior step is complete. An email is sent to all known approvers, while the manual option is for a user to select one or multiple approvers from a curated list. Auto or Manual Final Evaluations must be agreed during the workflow building process.
As with Stop & Go reviews, these approvals can also be Dynamic, which means that certain inputs re-direct to the applicable final approvers. Dynamic Approvers can also be tied to fields in relation to the specific data entered on the third party e.g. the location form field entered on the Third Party Creation form goes to a specific user for final approval. An Additional Field (custom input field on the Third Party Creation Form) may also be used to determine the trajectory of the final approval.
The approver would assign a risk rating to the third party, justify with commentary, and add an approval status. This function also allows users to see a list of users they can escalate to for further approval. An additional field that is unique to the client instance can also be used to capture any additional justification for the decision.
The Third Party Evaluation is the final step within a workflow and is also the end-point for any workflow branches (deviations from the norm).
The systematic approval process of a third-party follows a pre-defined set of rules and associated sub-rules, where branching is supported. Branching essentially means the approval process is diverted to a different route based on meeting pre-defined conditions.
A rule is the starting point of a workflow branch, where sub-rules are subsequent deviations. Aside from the very first step, rules need to be interconnected with each other to avoid the workflow breaking i.e. the system needs to know what the ensuing step is. When using Conditions to branch the workflow, each condition needs to be routed to an end-point. The end-point of a workflow is through a Third Party Final Evaluation (final approval to assign a final status to the third party) or automatic approval.
A state of a Third Party can be referenced within a step to build a branch within the workflow.
e.g. If a 3rd Party equals Location (Denmark) then trigger an associated step like a country-specific questionnaire. If not applicable, then skip a few steps and proceed to final evaluation.
e.g. If a Screening Match was found then send for a review to the following approvers.
For any condition within a step, an alternative route must be pre-defined otherwise the system stops at a dead-end and the approval process cannot continue any further.
Questionnaire Answer Conditions
Answers to certain key questions can be used to divert the route of a workflow by triggering a step based on a given answer.
e.g. Do you have ties to an official of any government/government agency?
Yes / No. If the question was answered 'Yes' then the workflow could branch to an additional questionnaire.
The number of key questions should be kept to a minimum. Complex branching can have significant implications, including but not limited to consistency and future adjustments.
Note that Questionnaire Answer Conditions can be used in combination with the flags to provide a more comprehensive end result.
Any vs All
When setting conditions, it is possible to define whether all conditions or any one of the conditions need to be met in order to proceed to the successive step.
e.g. The Questionnaire Risk Rating can be ANY of Very High, High, Medium, Low or Very Low to proceed to the next step.
e.g. The Questionnaire Risk Rating must be High and meet the Condition of Location (Denmark), where all these defined conditions need to be met prior to proceeding to the next step. If these conditions are not met then a sub-rule must be included for the system to understand the route of the third party.
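As an added example (not GAN's code or configuration format), the Python sketch below models the branching rules above: ANY/ALL condition matching, and a pre-deployment check that flags any step lacking an alternative route, which is where a third party would stall at a dead-end. The step names, the tuple-based rule format and the sample third-party fields are assumptions made for illustration.

```python
# Hypothetical model of a branching approval workflow; not the GAN schema.
END_POINTS = {"final_evaluation", "auto_approval"}  # the two end-points named above

# Constructed sample: step -> [(match_mode, conditions, next_step)].
# An empty condition list is the alternative ("otherwise") route.
WORKFLOW = {
    "start": [
        ("ALL", [("risk", "High"), ("location", "Denmark")], "dk_questionnaire"),
        ("ANY", [("screening_match", True)], "review"),
    ],  # deliberately has no alternative route
    "dk_questionnaire": [("ALL", [], "final_evaluation")],
    "review": [("ALL", [], "final_evaluation")],
}

def rule_matches(mode, conditions, third_party):
    """ALL: every condition must hold. ANY: one is enough. Empty: always."""
    if not conditions:
        return True
    hits = [third_party.get(field) == value for field, value in conditions]
    return all(hits) if mode == "ALL" else any(hits)

def next_step(workflow, step, third_party):
    """Return the target of the first matching rule, or None at a dead-end."""
    for mode, conditions, target in workflow.get(step, []):
        if rule_matches(mode, conditions, third_party):
            return target
    return None

def find_dead_ends(workflow, start):
    """Static check: every reachable step must exist and have a fallback."""
    problems, seen, todo = [], set(), [start]
    while todo:
        step = todo.pop()
        if step in seen or step in END_POINTS:
            continue
        seen.add(step)
        rules = workflow.get(step)
        if rules is None:
            problems.append(f"{step}: step is not defined")
            continue
        if not any(not conditions for _, conditions, _ in rules):
            problems.append(f"{step}: no alternative route")
        todo.extend(target for _, _, target in rules)
    return sorted(problems)

def run(workflow, start, third_party, max_steps=50):
    """Walk one third party through the workflow and return the path taken."""
    path = [start]
    while path[-1] not in END_POINTS and len(path) <= max_steps:
        target = next_step(workflow, path[-1], third_party)
        path.append(target if target is not None else "DEAD_END")
        if target is None:
            break
    return path
```

Running `find_dead_ends` on a workflow definition before it is attached to a category surfaces the stalled-approval case without needing a live third party to hit it.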
© 2020 GAN INTEGRITY INC. ALL RIGHTS RESERVED | The information contained in this document is solely for the intended recipient and may not be used, published or redistributed without the prior written consent of GAN INTEGRITY INC. While every care has been taken in preparing this document, GAN INTEGRITY INC. reserves the right to revise its contents without prior notice.