A Risk-Based Approach To Managing Third Parties

This week Kroll released its 2012 FCPA Benchmark Report. In this survey, it found that the majority of corporate compliance officers at U.S. multinationals believe they are exposed to bribery risk and fall short on best practices when it comes to third party screening, facilitating payments and political donations.

As reported in the FCPA Blog in a piece entitled “Compliance Officers Troubled By Third-Party Risk,” some of the key findings of the report are as follows:

  • 69% of all respondents said their companies were either moderately or highly exposed to risk related to compliance with anti-bribery laws; this number jumps to 100% in the pharmaceutical industry and drops to 46% in the financial services industry.
  • 99% of respondents said they had anti-bribery provisions for employees in their companies’ codes of conduct.
  • 73% have anti-bribery provisions in place for third parties.
  • 71% require third parties to complete a disclosure listing affiliations with foreign officials (65% verify that third parties adhere to the company’s code of ethics and 73% confirm that each third party is free from sanctions pertaining to compliance with anti-bribery regulation).
  • 36% of respondents permit facilitating payments under certain circumstances; 60% do not permit facilitating payments under any circumstances.
  • 19% do not have a written policy with respect to facilitating payments.

I thought about some of these findings in the context of one of the presentations that I moderated at the Compliance Week 2012 event this week. In the presentation 3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program, Randy Corley, EVP, Global Compliance Officer at Edelman Inc., discussed his company’s efforts to manage the risks involved with third parties under the Foreign Corrupt Practices Act (FCPA). He has developed a five-step process that he shared with the group.

Step 1: How Much is Enough? 

Under this step, Edelman uses an initial screening process to establish scope. The goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties. From this step, he ranks risks as high, medium or low and then proceeds to his next steps based upon this risk ranking.

Step 2: How Deep Do We Dig? 

Corley began by noting that in his company, this process is owned by the business unit. He made clear that this is a key step at which the company does a thorough third party risk assessment for each entity.

In this risk assessment, the following factors are evaluated: (1) geographic location, (2) government involvement, (3) initial internet search, (4) compensation to be paid to the third party, (5) scope of goods or services to be delivered, (6) skills and qualifications of the third party, (7) experience the company may have previously had with the third party and (8) client recommendations, if any.

Using these risk factors, Edelman establishes two parameters going forward: (A) what level of due diligence will be conducted, and (B) where in the company the authority to approve this third party will lie.

Step 3: What Do You Need To Know? 

Corley said that the scope of review depends on the risk assessment: high risk, medium risk or low risk. This risk ranking determines the level of information collected and the due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application, which should include requests for information on background and experience, scope of services to be provided, relevant experience, a list of actual and beneficial owners, references and compliance expertise.

Step 4: What Did We Learn?

From this data, and other data collected on the third party, the next step is verification and validation. This can be done through a variety of sources, including third party search firms, internet searches, qualification and license checks, politically exposed person (PEP) checks, sanctions list checks and reference checks. Thereafter, this information must be evaluated and any red flags that appear must be cleared.

If additional information is needed or points clarified, Corley emphasized that now is the time to do it and not wait until later in the process.

Step 5: Yes or No? And Then What? 

This step is really two parts. In the initial analysis you will need to determine who the ultimate decision maker will be in your organization. It may be someone in the compliance or legal department; it may be someone in the relevant business unit or a senior officer in the company.

If the decision is made by a non-compliance or non-legal company representative, there should be a compliance opinion on whether the third party has met your internal company criteria. Finally, do not forget the three most important things about your FCPA compliance program: document, document and document the entire process.

Also included by Corley in Step 5 is post-approval. It begins with the FCPA compliance terms and conditions as a basis. He noted that you should have an annual certification of FCPA compliance by your third party. He said that you should also require training, which could take a variety of forms, such as training put on by your organization, a mandated third party vendor or another trusted source. Lastly, Corley said that you should update due diligence at regular intervals, which he suggested should be no less often than every two years.

The Kroll report suggests that third party risk remains a significant concern for the compliance practitioner. Corley’s five-step program offers a clear guide to how one company tackled this difficult issue. However, Corley emphasized that it is not form over substance; you must use and evaluate the information you receive and build your compliance program around your risk, not try to ram your risks into your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com. © Thomas R. Fox, 2012

**********

About the Author

Thomas Fox has practiced law in Houston for 25 years. He is now an independent consultant, assisting companies with FCPA and international transaction issues. He recently published the book Lessons Learned on Compliance and Ethics: The Best from the FCPA Compliance and Ethics Blog, available on Amazon.

Thomas Fox can be contacted via email at tfox@tfoxlaw.com or through his website www.tfoxlaw.com
