When was the last time you thought through your third-party management and due diligence process? Perhaps you inherited a system that was in place when you arrived, and you’ve never changed it. Perhaps you’re trying to manage it on an Excel sheet. Perhaps you know it’s a problem, but you’ve never actually done anything about it…
Considering that 90% of reported FCPA cases involve a third-party intermediary, and one-in-two global enforcement actions involved a third-party, your third-party risk management program is a crucial part of your compliance program.
Is your current third-party risk management and due diligence system up-to-scratch? Here are five questions you should be asking yourself to find out.
Question 1: Is my system truly risk-based?
The most frequent problem we see in due diligence program reviews is non-risk-based systems. This usually happens because a conservative lawyer or compliance person worried that a risk-based system might let a problematic party through the system, endangering the company. What tends to result from this blunt-instrument approach is over-spending and too much attention spent on lower-risk third-parties.
The DOJ endorses a risk-based approach. The DOJ’s Resource Guide to the Foreign Corrupt Practices Act states that “performing identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third-parties that pose the most significant risks. DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low-risk area because greater attention and resources had been devoted to a higher risk area.”
Ask yourself whether lower-risk parties get a lower level of due diligence and whether the hoops those parties jump through are smaller than those required for higher-risk third-parties. If the answer is no, re-think your approach.
Question 2: Is my system consistently applied?
It’s all well and good to have a documented system on paper, but if it isn’t applied consistently and effectively, that can be worse than having no system at all. Many FCPA and sanctions cases involve incidents where the business conveniently avoided putting a high-risk third-party through the due diligence process, resulting in massive fines and exposure for the company.
Ask whether there are any loopholes in your system that would allow the business to go outside the process. Some companies have explicit or implicit guidelines that allow “business critical” third-parties to avoid scrutiny. Do everything in your power to ensure this isn’t allowed.
Question 3: Do I check to ensure the business is doing what it’s supposed to?
How do you know if your system is consistently applied? Have a process for spot-checking to ensure that the process is working.
If you can, have Internal Audit spot-check that the business is putting all in-scope third-parties through the system. If Internal Audit isn’t able to do this, put in a system where you check it yourself. By checking, you will know that your system is working the way it is supposed to. “Trust but verify” is a good motto when it comes to compliance.
Question 4: Is my approach holistic in nature?
It used to be that third-party due diligence was entirely focused on bribery risk. More mature due diligence programs focus holistically on third-party risk, considering areas such as sanctions, data privacy, modern slavery, environment/sustainability, and cyber-security. Some programs are now looking more broadly at reputational risk, especially in a highly-charged political environment where statements made by a company or CEO may adversely affect business.
Does your due diligence questionnaire encompass more than bribery risk? Are you performing periodic media monitoring so that you can catch reputational risk not coming directly from bribery? Have you ensured that other areas of the business aren’t performing duplicative due diligence, or asking your third-parties to complete multiple forms and due diligence questionnaires? Put together a holistic approach for more effective risk management.
Question 5: Have I benchmarked my program recently?
Trends change, as do prosecutorial expectations and regulations. What was considered a “good program” ten years ago may not stand up to scrutiny now. Best practices in due diligence are ever-evolving, and ignoring these shifts may put your company at risk, or may result in it spending more money than it needs to, or deploying resources inefficiently. Benchmarking and learning best practices are critical to keeping your program up-to-date.
Professional consultants can give you fantastic feedback about your program (like our Third-Party Risk Management Deep Dive which reviews 12 distinct areas of your third-party risk management process and provides scoring and pragmatic recommendations for improvement). Alternatively, you can follow best practices enumerated in Deferred Prosecution Agreements and Corporate Integrity Agreements. Lastly, you can read compliance-related blogs, attend webinars, read white-papers and attend conferences to keep up-to-date.
A good third-party risk management system will pay dividends in multiple ways. The business can avoid using bad actors that expose it to risk, and more importantly, know clearly with whom it is making deals. Your systems are only as good as their implementation, and asking yourself whether its working or not is the first step toward good third-party risk management.