Risk-Based Compliance: A Framework for Analysis
Most companies understand that certain business relationships present more risk than others. The same is true under the FCPA: some third-party relationships carry more compliance risk than others.
In its 2008 Anti-Bribery and Anti-Corruption Survey, KPMG noted that 76% of respondents reported that assessing FCPA risk was “challenging”. Further, 82% of respondents reported that performing effective due diligence on third parties was “challenging”. The survey polled 103 business executives with direct responsibility for FCPA compliance within their organizations.
This is in contrast to companies such as GE and HP, which make clear upfront that they demand robust compliance practices from the third parties with which they do business, including vendors, suppliers and channel business partners. GE states in its Integrity Guide for Suppliers, Contractors and Consultants, “Suppliers that transact business with GE are also expected to comply …and adhere to the standards of business conduct consistent with GE’s obligations as set forth in the ‘GE Compliance Obligations…”
In October 2009, HP sent an announcement to its more than 155,000 channel partners that they had to complete compliance training (at their own expense) by the end of October or risk losing their partner status with HP.
I. Risk-Based Compliance: Some Guidance
In order to assess any risk, a company must first have a framework in place within which to conduct the analysis. The benefits of a risk-based compliance system are clear: where risks are low, due diligence and overall compliance obligations can be correspondingly less burdensome; where a compliance risk is anything but low, due diligence should be increased to a higher level. To make this risk-based determination, a company must institute a structure for making an appropriate assessment.
While it is clear under the 2005 US Sentencing Guidelines that having a written compliance policy is always preferable, the Sentencing Guidelines themselves provide no specific guidance on the quality or quantity of due diligence owed to third parties with which a company has business relations. However, there is sufficient guidance in other FCPA materials and in analogous compliance arenas on how to assess risk that direction can be provided to US and foreign companies on how to focus their due diligence.
1 – AML Approach
Writing in the FCPABlog, Scott Moritz of Daylight Forensic & Advisory LLC suggested a risk-based approach modeled on the regulatory programs used in anti-money laundering (AML) governance. In the AML area, the concept is that certain third parties represent a higher compliance risk than others. Geography, nexus to government officials, business type, method of payment, dollar volume: all are risk indicators.
Moritz suggests that critical to this AML risk-based approach is “the strategic use of information technology, tracking and sorting the critical elements — including risk-ranking, as well as enhanced due diligence and ongoing monitoring of high-risk parties proportionate to their risk profiles.” This would include searches of the most sophisticated and up-to-date databases, as well as boots-on-the-ground spadework by professionals trained to research specific risk-profile information.
2 – Halliburton/Expro Approach
This risk-based approach was commented upon favorably by the DOJ in Opinion Release 08-02, in which the DOJ reviewed and approved Halliburton’s proposed acquisition of the UK entity Expro. The DOJ spoke directly to a risk-based approach by noting that Halliburton had agreed to provide the following:
. . . a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which will address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. Such work plan will organize the due diligence effort into high risk, medium risk, and lowest risk elements. [Emphasis supplied]
3 – AON Approach
This risk-based approach has also been accepted by the UK’s Financial Services Authority (FSA) in its settlement of the enforcement action against the insurance giant AON earlier this year. As part of the settlement, AON agreed to the following:
AON… designed and implemented a global anti-corruption policy … limiting the use of third parties … whose only service to Aon is assisting it in the obtaining and retaining of business solely through client introductions in countries where the risk of corrupt practices is anything other than low. These jurisdictions are defined by reference to an internationally accepted corruption perceptions index. Any use of third parties not prohibited by the policy must be reviewed and approved in accordance with global anti-corruption protocols.
II. Risk-Based Compliance: A Suggested Approach
As the above discussion shows, there are several methods that could be used to assess risk in the area of third parties. The approach taken in the AON settlement with the FSA refers “to an internationally accepted corruption perceptions index”, such as the one published by Transparency International or another recognized authority. The approach described in Opinion Release 08-02 organizes the due diligence effort into “high risk, medium risk, and lowest risk” elements. Finally, Scott Moritz has suggested an approach that incorporates a variety of risk-assessment tools, including “the strategic use of information technology, tracking and sorting the critical elements”.
While no single approach is clearly preferable, I would suggest an approach which incorporates all three of the above into one risk-based assessment program for third parties. Based upon the assessed risk, an appropriate level of due diligence would then be required. The suggested categories are as follows:
- High Risk;
- Low Risk;
- Minimal Risk; and
- Generalized Service Provider.
High Risk
High Risk is defined as a third party which presents the highest level of compliance risk because of the presence of one or more of the following factors:
- The third party is based in or delivers goods/services from a high risk country;
- The third party delivers its goods/services in a high risk country;
- The third party has a reputation in the business community for questionable business practices or ethics; or
- The third party has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions.
Low Risk
Low Risk is defined as a third party which presents a low level of compliance risk because of the presence of one or more of the following factors:
- The third party is based in or delivers goods/services from a low risk country;
- The third party has no involvement with any foreign government, government entity or Government Official; or
- The third party is subject to the US FCPA and/or Sarbanes-Oxley.
Minimal Risk
Minimal Risk covers a third party which provides goods or services that are not specific to a particular job or assignment, where the value of the transaction is USD $10,000 or less. These third parties are typically vendors such as office and industrial suppliers, equipment leasing companies and similar entities that supply routinely used goods and services.
Generalized Service Provider
A Generalized Service Provider carries the lowest level of risk and should require only a minimal level of due diligence by a company. This risk level includes third parties which provide goods or services that are widely and generally available to the public and do not fall under the definition of Minimal Risk. These types of third parties include those which provide transportation, food services and educational services.
III. Conclusion
FCPA enforcement history has made clear that companies which do not measure their compliance risk run a greater risk of engaging a third party who could saddle them with a greater compliance peril. Further, in the current economy all company resources are strained. This article has presented a framework by which a compliance professional can marshal resources in a manner that gives the greatest effect where there is the greatest need. It also provides evidence that a company has instituted a thoughtful, reasoned approach to compliance which can be not only audited but defended, should the need arise.
© Thomas Fox – October 2009
**********
About the Author
Thomas Fox has practiced law in Houston for 25 years. He is now assisting companies with FCPA compliance, Risk Management and international transactions.
He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously Division Counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division, which included the logging, directional drilling and drill bit business units.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal or other professional advice or services. This publication is not a substitute for such advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.
Tags: anti-corruption, anti-money laundering, Compliance, fcpa, foreign corrupt practices act, ge, halliburton, HP, Risk, risk-based compliance, Thomas Fox