When it comes to anti-corruption compliance risk, it’s no surprise to compliance officers that third parties represent the single greatest worry. Monitoring third parties requires a rigorous third-party due diligence program, which takes into consideration the characteristics of each external partner to implement a comprehensive and effective compliance training program.
When it comes to anti-corruption compliance risk, it’s no surprise to compliance officers that third parties represent the single greatest worry. Statistics show that the overwhelming majority of Foreign Corrupt Practices Act (FCPA) cases and enforcement actions have involved third parties. Understandably, rigorous third-party due diligence programs become the focus of compliance departments.
However, though third-party due diligence is important, monitoring third parties after initiating a relationship requires just as many effort and resources. Your monitoring program could even impact your decision to onboard third parties in the first place, and comprehensive monitoring could allow you to take on more high-risk third parties. A monitoring program can include annual certifications, adverse media reports, new backgrounds checks or even full audits.
It could be said, in fact, that the ability to alter the behavior of anyone working for or on behalf of your company is the most effective form of mitigation. Let’s explore the mitigating role effective training can have on third-party risks in particular.
Considerations for setting up a third-party compliance training program
What type of third party is it?
To achieve a high level of accuracy when building out your compliance training program,
categorize your third parties. Not all types of third parties should undergo the same type of training, just as not all in-house employees are subject to the same training program.
Where are your third parties located?
Where your third party is determines what you should include in the training. Despite the fact that FCPA training and UK Bribery Act training should be delivered to most of your third parties, since these laws have global jurisdiction, local anti-bribery and corruption laws may differ from one place to another. Likewise, thresholds set for gifts and hospitality are not the same across geographies. Even cultural business practices diverge. Thus, identifying the location of your third parties should be one of the stepping stones to building out your third-party training program.
What are the needs of your third parties?
No generic, pre-packaged program can serve the purposes of your training. Tailor your compliance training to the needs of your third parties. The most classic example is to provide content in the local language, but considering the environment of your third party is also crucial. Ask yourself: Do they have access to computers to take the training? Should your training be customized to be accessed from a specific type of device? Would on-site training make more sense?
Can your third party identify with the training?
Training can be given in a variety of ways, but the more your third party can identify with it, the better. Including real-life scenarios, with which the third party can identify and which reflect his or her day-to-day tasks, will resonate more with the trainee. Again, consider the third party’s location and environment when coming up with personalized scenarios.
Implementing your new compliance training program
Create a compliance culture
Even though third parties are geographically removed from company headquarters,
creating a culture of compliance still applies to employees working on your behalf. Countless times, headlines have featured companies that were assumed to have—and may truly have had—a high level of transparency embroiled in corruption investigations or hit with large FCPA fines because some third party had bribed on the company’s behalf in Uzbekistan or Nigeria. Managers and employees who engage with third parties in high-risk countries should make it clear that that is not how you do business. If corrupt practices are widespread in your third party’s local environment, pressure to meet performance targets might push them in the unethical direction. Sensitize your third parties to adopt the values and business ethics of your company and not the local practices.
Centralize to customize
Especially for enterprises, it can be a challenge to join your due diligence program with your compliance training. Putting technology to good use could solve your problem. Centralizing all third party-related data in one place will provide you with the overview you need to customize your training to the different third-party groups. A clear visualization of high-, medium- and low-risk third-party groups will also allow you to make the right decisions on the frequency with which you should deliver compliance training. High-risk third parties will need to take training more often than low-risk ones.
Nudge your employees
Throughout compliance circles, nudging is another concept that has been closely associated with employee training. As much as training has been stressed as the means through which policies and procedures come to life, nudging, some argue, is more effective in steering towards the right behavior. Imagine the effect reminders, notifications of policies, code of conduct or other automated messaging could have on third parties submitting exception requests or filing expense reports. This effort would require implementing integrated and automated solutions to your compliance program. The effort, however, is definitely worth your while.
Keep calm and train on
In today’s complex, inter-connected business environment, third-party groups are indispensable. But they also carry significant compliance risk, so a solid plan for compliance training is a must. However, third-party groups differ by location and culture, so make sure the training is relevant to their daily lives. The best practices above will help you create a program that helps your organization avoid FCPA enforcement actions.