When it comes to imposition on the business, third-party due diligence programs often rank highest on the list. Third-party program rollouts or expansions are frequently fraught with challenges. One of the greatest challenges is deciding what to do with third-parties that the business is already using, frequently referred to as “legacy third-parties.”
Part one of this blog series reviewed the considerations compliance officers should mull over when determining what to do with legacy third-parties. Part two below describes various options available to deal with legacy third-party challenges. As you’ll see, there is no one-size-fits-all answer to the third-party conundrum.
There are several ways of dealing with legacy third-parties. You can…
Go All In
Want to rip off the bandage? Go all in and include the whole gamut of legacy third-parties in your new or expanded program. The benefits of this approach are numerous. First, although the business will likely complain, the bulk of the third-party review will be done all at once, meaning that once the initial discomfort is over, the third-party program will be significantly less onerous. Second, the business won’t suffer fatigue as the third-party program continuously expands, with businesspeople being repeatedly called upon to give information about new categories of their currently used third-parties. Third, this approach is usually the most efficient. Doing the work all at once means that it goes quickly.
On the downside, going all-in may create a giant bottleneck of false positives and potential hits to clear. If you have a small team or little capacity, this could take months (see Part I for more details on capacity considerations).
Only Screen at Contract Renewal or if the Contract is Amended
Many companies choose to screen legacy third-parties only when the contract is renewed, renegotiated, or amended. This approach can be highly successful. The business will already be in steady contact with the third-party about the relationship and renewed financial or other due diligence may already be part of the process. Adding on compliance-related due diligence will likely be less of an imposition at this time than at others. Additionally, if problems are brought to light during the review, it is easier to include mitigation in the contract, such as the requirement to train staff on anti-bribery, or the inclusion of audit/termination clauses for compliance-related misconduct.
The downside to this approach is that it may take years to get through a complete review of all of the legacy third-parties – if you ever finish. For older third-parties, contracts may be of indefinite term, meaning they never require renewal or formal renegotiation, so you may never capture those third-parties in the system. You may also miss a bad actor for months or years, potentially exposing the company to liability.
Use a Risk-Based Approach
One choice is to use a risk-based approach to the inclusion of legacy third-parties. This will involve choosing criteria as filters. Popular criteria choices for this approach include choosing high-risk third-party types (e.g., sales agents, customs brokers, etc.), using CPI scores to process third-parties from higher-risk countries, and/or using a spend threshold so that third-parties receiving larger amounts from the company are prioritized for screening.
The upside to this approach is that it comports with nearly all prosecutorial and regulatory guidance. Using a well-thought-out risk-based approach is often a defensible way of handling legacy third-party issues. On the downside, once again, you may miss a problematic third-party if they aren’t caught in the sub-group that you’ve chosen. Missing a sanctioned party can create massive fines and doing business with one can be a strict liability offense. If chosen, this approach must be carefully crafted.
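The filters described above can be expressed as a simple triage routine. The following is an added example, not code from the original post: it applies the three criteria the post names (high-risk third-party type, low CPI score for the third-party's country, and a spend threshold) to a constructed list of third-parties, and separates the ones prioritized for screening from the ones the filter leaves unscreened. The threshold values, the set of high-risk types, and the sample records are all assumptions chosen for illustration, not guidance from the post. The deferred list is the gap the post warns about, and it is what the documentation step later in the post should record.

```python
from dataclasses import dataclass, field

# Assumed filter settings (illustrative only; choose your own based on your risk assessment).
HIGH_RISK_TYPES = {"sales agent", "customs broker", "distributor"}
CPI_THRESHOLD = 50          # CPI is 0-100, lower = higher perceived corruption; below this counts as higher-risk
SPEND_THRESHOLD = 250_000   # annual spend at or above this gets prioritized


@dataclass
class ThirdParty:
    name: str
    party_type: str
    country_cpi: int       # CPI score of the third-party's country
    annual_spend: float
    reasons: list = field(default_factory=list)


def risk_reasons(tp: ThirdParty) -> list:
    """Return the list of filter criteria this third-party triggers (empty if none)."""
    reasons = []
    if tp.party_type.lower() in HIGH_RISK_TYPES:
        reasons.append("high-risk type")
    if tp.country_cpi < CPI_THRESHOLD:
        reasons.append("high-risk country (CPI)")
    if tp.annual_spend >= SPEND_THRESHOLD:
        reasons.append("spend above threshold")
    return reasons


def prioritize(parties: list) -> tuple:
    """Split third-parties into (selected, deferred).

    Selected parties are ordered by number of criteria triggered, then by spend,
    so the ones matching several filters are screened first. Deferred parties
    match no filter and remain unscreened under this approach.
    """
    selected, deferred = [], []
    for tp in parties:
        tp.reasons = risk_reasons(tp)
        (selected if tp.reasons else deferred).append(tp)
    selected.sort(key=lambda t: (-len(t.reasons), -t.annual_spend))
    return selected, deferred


def coverage_summary(parties: list) -> dict:
    """Numbers to record in the program file: how many were prioritized vs. left unscreened."""
    selected, deferred = prioritize(parties)
    return {
        "total": len(parties),
        "prioritized": len(selected),
        "unscreened": len(deferred),
        "unscreened_names": [t.name for t in deferred],
    }


# Constructed sample records (not real companies).
SAMPLE_PARTIES = [
    ThirdParty("Alpha Agents", "sales agent", country_cpi=72, annual_spend=40_000),
    ThirdParty("Beta Logistics", "freight forwarder", country_cpi=33, annual_spend=90_000),
    ThirdParty("Gamma Parts", "supplier", country_cpi=80, annual_spend=600_000),
    ThirdParty("Delta Consulting", "consultant", country_cpi=65, annual_spend=120_000),
    ThirdParty("Epsilon Brokers", "customs broker", country_cpi=28, annual_spend=500_000),
]

if __name__ == "__main__":
    chosen, skipped = prioritize(SAMPLE_PARTIES)
    for tp in chosen:
        print(f"SCREEN  {tp.name:<18} {', '.join(tp.reasons)}")
    for tp in skipped:
        print(f"DEFER   {tp.name:<18} (no filter matched; document this gap)")
    print(coverage_summary(SAMPLE_PARTIES))
```

Running it lists Epsilon Brokers first (it trips all three filters) and leaves Delta Consulting unscreened, which is exactly the kind of residual exposure the post says must be consciously accepted and written down rather than discovered later.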
It simply may not be possible for you and/or your team to handle the glut of work that would come from including legacy third-parties in your review program. If it is impossible with your current resources to include at least some legacy third-parties, explain the risk to senior management and the board. If they choose to accept the risk that this course of action brings, be sure to document the decision-making process. Remember, and take comfort in the fact, that having some third-party due diligence is better than not having a third-party due diligence program at all.
Document, Document, Document
Once you’ve chosen your approach, be sure to make contemporaneous notes to describe how you came to your decision. If you choose any approach other than going all-in, be sure to detail how you applied a risk-based approach to your final determination. Contemporaneous notes are the most effective way to defend your program if an unscreened third-party commits illegal or unethical conduct on the company’s behalf.
There is no perfect answer to the problem of legacy third-parties. There are, however, good options. By decisively choosing your path, you’ll make life easier on the businesspeople, third-parties, and on yourself.