Brooklyn Solutions: An Answer to Your Third Party Compliance Management Challenges!

In our last article, we introduced you to the oft-overlooked area of Third Party Compliance Management which is not adequately addressed in the majority of Third Party Risk Management solutions, despite beliefs to the contrary. And those of you who pay attention probably realized that in addition to telling you about the challenge, we were also going to tell you about one potential solution (and give you a starting point in your research).

One starting point is Brooklyn Solutions, founded in 2018 to automate and scale vendor management for compliance standpoint across the enterprise. In order to ensure compliance, they offer not one, but four core modules to address all the relevant areas — third party risk management, third party relationship management, and third party contract management in addition to third party compliance management (as they all feed into the compliance pie) — as well as two auxiliary modules for ESG (which is an area all its own) and Digital Assessment Frameworks (for automated digital assessments in the supply chain tail). They already have global customers with over 1,000 users across multiple industry sectors which they support with offices in the US, UK, and South America.

Note that their holistic approach to compliance management (by tracking the vendors the organizations interacts with, the contracts that govern key relationships, and risks they are subject to in order to collect the necessary information to ensure compliance) is not just because of the criticality of compliance (as lack thereof can result in massive fines and even criminal charges to executives in some countries), but because a lack of compliance with organizational policies and contracts can lead to an average overspend of 9% to 15% in contract value in an average organization as per Gartner, Deloitte, PWC, McKinsey & Company, Bain & Company, CIPS, and the WorldCC. In this economic climate, that’s not something any company can afford!

Considering how many CLM solutions are on the market, you’re probably wondering how so much value leaks, especially since the classic cause of lavish leakage was due to lack of good e-Procurement systems that could m-way match the invoice to the PO, the pricing to the contract pricing, the line items to the goods (and services marked) received, and so on to make sure what was paid was what was agreed to. That’s because most CLM systems that claim to “govern” a contract are actually just glorified electronic filing cabinets that track the metadata and alert you when it’s expiring. And even if they allow you to break out obligations, most don’t track the extent to which they are mapped, monitor the risks that can lead to disruptions that can lead to a significant loss, assess the downstream parties that can put you in non-compliance, ensure performance is at agreed upon levels, and so on. Furthermore, even though the more advanced systems will support negotiation, all that does is allow you to identify value (not capture it), or perform (process) analytics, and that’s just helping you get efficient in the partial process the system supports, not efficient in capturing the value. That’s why Brooklyn Solutions focuses on ongoing contract and risk management from a compliance viewpoint AFTER the contract is signed rather than focussing on all of the pre-contract-signing and onboarding activities that the majority of traditional S2P, CLM, and TPRM vendors are focussed on.

It does this by allowing the organization to define as many workflows and actions as it needs to define in order to ensure all processes necessary for compliance are met. The workflows can be tailored to precisely what the organization needs. We’re not going to go too deep into workflow construction, as you’re probably familiar with how it will work if you have a supplier / third party onboarding platform that also allows you to configure the process, but point out one key difference between workflow construction in Brooklyn Solutions vs. many other platforms. The one key difference we are going to point out is that the logic is not only conditional and fine grained but can trigger other processes based upon the responses which can themselves trigger other processes and allow for as much branching as needed to get the information an organization needs to manage the risk, maintain the relationship, fulfill the contract, and ensure compliance — and these (sub) workflows can even branch back into the right point of the main process when the time is right.

These workflows can also punch out to third-party systems and automatically pull in risk and compliance data into the platform, data which can trigger new risk and compliance workflows if the data that comes back is too risky or potentially non-compliant. The configuration capability is extremely flexible. Essentially, Brooklyn Solutions is an orchestration platform built for managing third parties, contracts, risks, and compliance in a cohesive whole.

Contract Management Overview

Since the contract management solution is focussed on obligations, SLAs & KPIs, issues and workflows and was designed to help the organization ensure that the negotiated terms are adhered to, and value achieved, it’s functionally a meta-data driven application and the entry point is an analytics dashboard that gives you deep contract analytics on obligations, reviews, documents, SLAs, (open) risks, and (current) actions. It’s easy to dive into any aspect and see detailed status; this includes diving into obligations and getting an overview of how many are pending, overdue, and non-compliant; into (open) risks and see those where there are actions and the status of associated actions; into documents and how they breakdown by active vs inactive contracts, addendums, etc.; and so on.

The obligation tracking is exceptional. You can fully define what the obligation is, who is involved, what workflow is required to complete it, whether or not it’s a critical path obligation for a contractual, risk, or compliance requirement, the relevant financials, and the frameworks being used as well as track activities and associated action items, associated documents, and status. The obligations can also be linked to related parties in the supply chain and tracked down to the source supplier or supplier that need to adhere to them easily using Sankey Diagrams.

Relationship Management Overview

Relationship management in Brooklyn Solutions isn’t the touch-feely relationship building that Procurement sells as a way to become a “customer of choice” and “reduce costs”, nor is it the activity definition and tracking capability of a traditional old-school SRM application (where the “R” stands for Relationship, and not Risk). It’s a data and metric tracking application focussed on SLAs and KPIs, performance scorecards and monitoring, and regular policy and governance reviews to ensure everything stays on the up and up.

It’s also one of the perfect solutions to plug into the Customer-Supplier-Management gap left by P2P/S2P systems between the PO and the Invoice as it allows you to

  • onboard suppliers and ensure core data requirements are collected and fulfilled
  • quickly get complete, 360-degree, supplier profiles
  • define and assign actions and issues and track the status
  • collaborate with the third party at any time
  • kick of governance reviews as needed

Supplier profiles not only consist of basic organization and contact information, but all associated contracts and documents, obligations, risk profiles and data, performance data and scorecards, associated actions (in all states), and interactions including meeting minutes and upcoming meetings. They also allow you to drill into the relationship hierarchy UP and DOWN the chain.

Risk Management Overview

The risk management application is all about tracking organizational risk ratings (as well as what a supplier can do to reduce their risk rating), risk indicators and monitoring risk levels and allowing the organization to quickly find out, for any supplier contract, obligation or compliance requirement what the currently assessed risk is. They are colour coded in a matrix that allows a buyer to quickly dive into the high or moderately high risks that could pose a critical compliance risk, dive in, and address them.

It’s also very easy to get an overview of the entire portfolio of risks tracked in the system, the risks with the worst scores or least/no controls, the suppliers with the most concentration of risk, the individuals who own the most risk (either through suppliers, contracts, relationships, etc.), and so on. You can quickly identify the high risks, which ones can be reduced, what can be done, and how the effort can be initiated, and kick it off.

All risks are scored on a 1 to 25 scale that is meant to gauge the impact vs. probability which is mapped against the organizational typical risk tolerance to quickly identify those risks that are too high with respect to organizational tolerance (red), slightly higher than tolerance (yellow), and well below (green), with orange between yellow and red and dark green between yellow and light green.

Compliance Management Overview

The fourth, and most important of the four primary modules, is compliance management which, unlike prior generation compliance and GRC (Governance, Risk, and Compliance) solutions that were built to help you collect compliance data for reporting, was designed to ensure the organization was digitally fit for audit. And yes, there’s a difference. When a platform collects data simply for the purpose of completing a report, it’s a static piece of data in one place that can be queried individually or spit out as part of a pre-coded data dump for report creation. It technically solves the reporting problem, but it doesn’t solve for audit.

When your organization undergoes an audit, it’s more about the data that goes in an annual report. Where did it come from? When? Who verified it? Why was it deemed acceptable? Did you explore all of the necessary elements in making the determination?

For example, if you’re undergoing a GDPR compliance audit because someone complained that you don’t protect personal data and you hand over a report that says all the personal data you have is encrypted, and that you have annually tested processes in place to verify that all personal data you aren’t legally required to keep by law on an individual can be quickly deleted, it still doesn’t satisfy a compliance audit if you use third-party data services (“processors”) to store and process some of that data.
If you haven’t a) fully verified they are fully compliant with the regulations and can do the same purges in your tests and b) fully verified any third parties they use can do the same, you can’t claim to be fully compliant. For example, a cloud service might use a third party for managing its database and another cloud service to identify personal data that might not be appropriately tagged. If those third parties used by your cloud service aren’t fully compliant, then your cloud service isn’t fully compliant and you aren’t fully compliant. And that’s trouble that you would not identify in a compliance solution built for reporting and not for audit.

Since Brooklyn Solutions was built for audit, you can drill into the supplier profile, see their connected parties, and, in particular, the third parties that manage their systems and data and whether they have completed their audits, have the appropriate certifications, and run (and report) the proper tests annually. If not, you can reach out to them directly, send them the surveys, collect the reports, and do your own compliance analysis if you need to. And then, when the auditor comes in and asks you to prove you did the necessary exercises to ensure compliance, you can go into the system, show them all the parties you directly deal with that may have access to your customers personal data, drill into them, show that you know all their suppliers, show that you ensured that each of them were compliant, and so on down to the last service provider in the chain that may, even indirectly, have access to your customer’s personal data. Since it can handle the GDPR example above, which is one of the toughest audits you could get, you know it can handle any other supply chain audit as well.

No matter what question the auditor asks about a report you submit, with a few pieces of information and a few clicks, you can drill in to not only show exactly what answered, but where the data came from, why, what processes you used in collecting it, and how confident you were. You can also show all of the historical actions, reviews, in-platform conversations, documents, etc. It’s a full fact-based history, not a partial viewpoint based on the memory of the best organizational expert.

Also the holistic TreeMap overviews of compliance areas or risk areas (based on financial risk impact or some other indicator) makes it quite clear to an organization just how well they are doing, or not doing (and quickly dive into the areas where the compliance is the least or the risk the highest).

The only real shortcoming is that, while it can be configured to ensure compliance for any global regulation you can think of, as of now, only four compliance requirements are fully supported out of the box: the German Supply Chain Act, the EU EBA/EIOPA guidelines, the UK PRA Outsourcing regulations, and GDPR. This is because they’ve spent the last five years building all of the core capabilities required for holistic third-party compliance management (and started in the Financial Services sector, coding for those regulations first).

However, now that they’ve built and fleshed out all the core capabilities, and natively integrated it all into one consistent view (for every module you purchase), which is backed up by powerful AWS QuickSight dashboards that can be drilled, filtered, and searched on any data dimension, they plan to start adding more out-of-the-box support for global regulations over the next few years. Whether it will be by area (of ESG, CSR, etc.) or industry has yet to be determined, but with all of the necessary capability built into the platform, it won’t be hard for them to add more acts in a relatively short time frame. It’s just regulatory expertise, obligation data element identification, and workflow coding at this point.

Roadmap

With respect to Brooklyn Solutions‘ near-term roadmap, they will soon be releasing a number of “Gen AI” capabilities built on appropriately trained next-generation large language models (LLMs) for natural language processing (NLP) that use human curated data sets relevant to the problem at hand. These new capabilities, which are designed to increase user efficiency, could make some users three times as efficient (or more) in their jobs as they are now. (Right now, power users in the platform have been measured to be 200% more efficient in their responsibilities than before when they were working without the help of Brooklyn Solutions.) The new “Gen AI” capabilities are being deployed to power the following new capabilities:

Meeting Agenda Generation
Identify the supplier or action team, and the platform will scan all associated actions, flows, contracts, risks, and compliance requirements and create an agenda based on open / incomplete items and changes since the last meeting (which can be quickly edited or adjusted based on the desires of the meeting organizer)
Executive Meeting Summary
Attach a transcript of the meeting meetings (which can be auto generated using the transcription capability of most modern video conferencing platforms) and any supporting documents and it will generate an executive summary
Report Generator
Similarly, select a supplier or contract and time-period, and items of interest (events, contracts, risks, compliance requirements, etc.) and the solution will generate a written summary of the items of interest, highlighting those that are (scored) high or low, fully formatted and exportable to docX, xlsX, and pptX
Automated Survey Creation
Identify the risk, capability, and/or compliance requirement you are concerned with, where you are concerned with it, how concerned you are with it, and how intrusive / work intensive you want it to be for your suppliers (by way of a max question count) and the platform will use its built-in knowledge of the risk, capability, and/or compliance requirements and its library of surveys/templates to auto-generate a survey and send it to all suppliers in, or dependent on, the region in question
Contract Clause Explainer
Highlight any clause in the contract and the solution will translate that clause into everyday layperson English (or for those clients in the UK, the King’s English on special request, as that requires a special configuration), and provide one or more examples of where that clause would come into effect and/or how it may be used
Contract Search by Topic
For example, if you want to identify all clauses in a contract that might relate to or satisfy GDPR, the solution will automatically identify the key requirements of GDPR, determine the most likely terminology that would appear in the contract, search for that, contextually analyze the clauses, and return those most likely to relate to GDPR with an everyday language definition of each. The same can be applied to any “contract clause” you can define, such as termination, audit right, price increase, and sub-contractor to name but a few.

Summary

In a nutshell, Brooklyn Solutions is one of the most complete Third Party Compliance Management solutions the doctor has ever seen. If compliance is an issue for your organization, be sure to add them to your shortlist.