3rd-Party Risk Assessment Policy

1. Purpose

The purpose of this policy is to outline the process for assessing and managing risks associated with engaging third-party entities. This ensures that all third-party relationships are established with due diligence, aligning with our company's ethical standards and risk tolerance.

2. Scope

This policy applies to all third-party entities, including suppliers, vendors, contractors, and business partners, engaged by the company. It covers the identification, assessment, and ongoing monitoring of risks associated with these third parties.

3. Policy Statement

Our company is committed to conducting business with integrity and transparency. As part of this commitment, we implement a comprehensive risk assessment process for all third-party engagements to safeguard against potential legal, financial, and reputational risks.

4. Procedures

4.1 Initial Screening

Identification of Third Party:

Identify all potential third parties before engagement.

Gather basic information, including the nature of the business, ownership structure, and geographic location.

Preliminary Risk Assessment:

Perform a high-level review to categorize the third party into risk tiers (low, medium, high) based on initial findings.

4.2 Due Diligence Process

Documentation Review:

Collect and review relevant documentation, including business licenses, financial statements, certifications, and compliance records.

Risk Factor Evaluation:

Legal Compliance: Check for compliance with applicable laws and regulations, including anti-corruption and anti-bribery laws.

Financial Stability: Assess the financial health and stability of the third party.

Reputation: Conduct background checks for any history of unethical behavior, legal issues, or adverse media coverage.

Conflict of Interest: Identify any potential conflicts of interest that may affect the relationship.

Risk Scoring and Rating:

Assign a risk score based on the evaluation criteria and determine the risk rating (low, medium, high).

High-risk entities may require additional scrutiny or management approval.

4.3 Approval and Contracting

Approval Process:

Review the risk assessment report with relevant stakeholders.

Obtain necessary approvals from management for engaging high-risk third parties.

Contractual Safeguards:

Include specific clauses in contracts to mitigate identified risks, such as compliance with laws, audit rights, and termination clauses for non-compliance.

4.4 Ongoing Monitoring and Review

Regular Monitoring:

Monitor the performance and compliance of third parties regularly through audits and performance reviews.

Update risk assessments as necessary, especially if there are significant changes in the third party's circumstances or the nature of the relationship.

Reporting and Record Keeping:

Maintain comprehensive records of all due diligence activities, risk assessments, and approvals.

Report findings and concerns to the relevant internal stakeholders.

5. Roles and Responsibilities

Compliance Team: Responsible for conducting due diligence, maintaining records, and monitoring compliance.

Management: Reviews and approves high-risk engagements and provides oversight for the risk assessment process.

Legal Department: Drafts and reviews contractual terms to ensure adequate risk mitigation.

6. Review and Updates

This policy and its procedures will be reviewed annually or as needed to ensure they remain current and effective in managing third-party risks.

Approval and Effective Date:This policy is approved by the Senior Management/Board of Directors and is effective from 2021-01-01.

Contact Information:For any questions or concerns about this policy, please contact the Compliance Department at compliance@dgs-online.com