LEGAL
Insights & Trends
No man is an island, entire of itself; Every man is a piece of the continent, a part of the main.1
Replace the word man with organization, and the seventeenth-century English poet John Donne is describing the postmodern twenty-first century organization. The modern organization is an interconnected web of relationships and interactions that span traditional business boundaries. Complexity grows as these interconnected relationships and transactions layer themselves in intricacy.
In this context, organizations struggle to identify and govern their relationships with a growing awareness that they can face reputational and economic disaster by establishing or maintaining the wrong business relationships. When questions of business practice, ethics and corruption arise, the organization is held accountable for the actions of those whom they do business with, and it must ensure adequate due diligence has been done to ensure it is doing business with the right individuals and organizations.
This is particularly critical in the context of knowing the ultimate beneficial owner (UBO) in business relationships. An organization needs to understand “the natural person(s) who ultimately owns or controls a customer and/or the person on whose behalf a transaction is being conducted. It also incorporates those persons who exercise ultimate effective control over a legal person or arrangement.”2
The fragmented governance of relationships can lead organizations to inevitable failure. Reactive, document-centric and manual processes fail to actively manage risk and compliance in the context of the relationships. Silos of data leave the organization blind to intricate relationships of beneficiary exposure that fail to get aggregated and evaluated in the context of the overall relationship. An ad hoc approach to relationship management results in poor visibility across the organization because there is no framework or architecture for managing risk and compliance as an integrated part of the relationship.
The physicist, Fritjof Capra, made an insightful observation on living organisms and ecosystems that also rings true when applied to relationship management and, particularly, the UBO:
“The more we study the major problems of our time, the more we come to realize that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent.”3
Capra’s point is that biological ecosystems are complex and interconnected and require a holistic understanding of the intricacy in interrelationship as an integrated whole rather than a dissociated collection of parts. Change in one segment of an ecosystem has cascading effects and impacts to the entire ecosystem. This is true in relationship management. What further complicates this is the exponential effect of relationship risk on the organization.
Business operates in a world of chaos. Applying chaos theory to business is like the “butterfly effect” in which the simple flutter of a butterfly’s wings creates tiny changes in the atmosphere that could ultimately impact the development and path of a hurricane. A small event cascades, develops and influences what ends up being a significant issue.
Dissociated data, systems, and processes leave the organization with fragments of truth that fail to see the big picture of relationship performance, risk, and compliance across the enterprise and how it supports the organization’s strategy and objectives. The organization is constantly reacting to relationship risks appearing around it and failing to actively manage and understand the complexity inherent in relationships and nested relationships as to who really is the beneficiary in a transaction. The organization needs to have holistic visibility and situational awareness into these relationships.
To maintain the integrity of the organization and execute on strategy, the organization has to be able to see their individual relationship (the tree) as well as the interconnectedness of relationships (the forest) to identify the UBO. Risk in these relationships is nonlinear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationships and impacts in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional with cause; in the nonlinear world of business, third-party management risk is exponential. Business is chaos theory realized. The small flutter of customer and third-party risk exposure can bring down the organization. If we fail to see the interconnections of risk on the nonlinear world of business, the result is often unpredictable. Consider the following:
Relationship management, particularly understanding and identifying UBOs, fails when information is scattered, redundant, unreliable and managed as a system of parts that do not integrate and work as a collective whole. The third-party management information architecture involves the structural design, labeling, uses, flow, processing and reporting of relationship management information. This is achieved by combining trusted data, human expertise and intuitive technology to develop an integrated Know Your Customer (KYC) or third-party risk management program to govern relationships.
A successful process, information, and technology architecture for KYC or third-party risk will be able to integrate information across internal business systems and external databases. This requires a robust and adaptable information architecture that can model the complexity of customer and third-party information, transactions, interactions, relationship, cause and effect, and analysis of information.
Some core technical capabilities organizations should consider in a KYC and third-party management platform are:
In essence, the organization from top management down should have a 360-degree contextual awareness of what is happening with customer and third-party relationships with regard to performance, risk, and compliance. Contextual awareness requires that customer and third-party management have a central nervous system to capture signals found in processes, data, and transactions, as well as changing risks and regulations for interpretation, analysis, and all-inclusive awareness of risk in the context of these relationships. As regulation and enforcement tightens up on noncompliant organizations, a solution that delivers on the above requirements is becoming more of a requisite than ever before.
Michael Rasmussen is an internationally recognized pundit on governance, risk management and compliance (GRC) – with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance and policy management. With 22+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architecture, and select technologies that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester.
1 A famous line from English Poet John Donne’s Devotions Upon Emergent Conditions (1624) found in the section Meditation XVII.
2 http://www.fatf-gafi.org/about/?utm_campaign=e4&utm_medium=social&utm_source=FRblog&utm_content=knowyourowner
3 Fritjof Capra, The Web of Life: A New Scientific Understanding of Living Systems (New York: Anchor Books, 1996), 3.
-->
