“Wait, maybe we should include pencil suppliers in the anti-bribery due diligence program. I mean, we buy A LOT of pencils. Also – let’s include glass suppliers in scope. I mean, we need glass to create our products, so a lack of glass would tank our supply chain. And what about our cleaning crews. They are in the office every night so we should run them through anti-bribery due diligence as well.”
The scoping exercise at Jarls Fire Soda for their new anti-bribery tool was not going well…
Everyone seemed to think that every type of third-party should be included because surely everyone posed some risk of bribery right?
What if they got it wrong and there was a bribe? Isn’t it better to just include everyone? Just in case?
A huge part of our work here at Spark Compliance is helping clients implement or update their third-party due diligence programs. Over and over again we see the scope of third-party programs creep bigger and bigger.
What starts with well-intentioned ideas about a risk-based approach turns into an expensive hammer-like catch-all program divorced from the reason it was put in place to begin with.
Instead of narrowly focusing on third-parties exposing the company to specific compliance-related risks, the program morphs into an unmanageable beast that doesn’t tame risk in a meaningful way. Or if it does, the amount of time taken on unnecessary third-party reviews frustrates the business and makes people unwilling to participate.
Eventually, the business stops complying or figures out how to work around the system.
There are ways to deal with this, but it takes guts and a willingness to push yourself and the business into challenging conversations.
Creating the right third-party scope.
When you’re at the stage of creating a third-party scope, there is a way you can help make it easier to navigate.
Ask these four questions:
- What’s the tool for?
- What’s the story?
- What other screening is out there?
- What’s the worst that can happen?
What’s the tool for?
Most large companies have several software solutions for managing and screening third-parties. Finance may use a payments system, procurement may use a sourcing system, and legal may use a contracts management system.
A big reason for scope creep is that people don’t understand exactly what the compliance tool is to be used for. It may be that in the future, third-party due diligence tools will be able to screen for every possible compliance and enterprise-related risk, but today isn’t that day.
For the most part, compliance-related screening tools focus on sanctions or anti-bribery risk. Some tools are exclusively or primarily used for sanctions screening, while other tools focus more on bribery risk, as well as incorporating sanctions review.
There are more and more ESG-related screening tools, modern slavery-related tools, and import/export checking tools, but none that do all of the above with any skill.
When you’re stuck, the first question to ask is why did we purchase the software in the first place?
If the software was purchased to manage bribery risk, then the in-scope third-parties should actually pose bribery risk. By focusing narrowly on the risk the software was purchased to mitigate, we can single out the third-party types that pose risk.
In our example, Jarls Fire Soda bought the screening tool to deal with bribery risk.
This leads to the next question…
What’s the story?
If you’re having trouble narrowing the scope of third-parties that should be in scope, try posing this question to yourself/the business: can you think of a story where this would happen?
For Jarls Fire Soda, the fact that they buy lots of pencils is neither here nor there.
Could someone be bribed at the company to choose Acme pencils? Sure. But the third-party due diligence tool isn’t going to detect that, so pencil producers and sellers should be out of scope.
What about glass suppliers and their criticality to the supply chain? Nope – what bribery risk are glass suppliers, or any suppliers, to the company? Glass producers are a supply chain risk, but not a bribery one.
What about the cleaners? Are they going to bribe anyone on our behalf? Almost certainly not.
Therefore, these three types of third-parties should be out of scope.
If you or the business can’t come up with a story where the risk you’re trying to manage can be attributed realistically to the type of third-party in consideration, bite the bullet and leave that third-party type out of scope.
Are you still having trouble leaving some third-parties out of scope? Go to question three…
What other screening is out there?
A good way to stave off the business’s concerns about leaving some types of third-parties out of scope is to find out all of the other ways that third-parties are reviewed at the company.
At some companies, there is a requirement for a multi-bid process requiring reference checks if the deal rises to a certain level.
At most manufacturing companies, quality audits are regularly completed for key suppliers to identify quality or capacity issues.
Many times, finance or procurement do a creditworthiness check that would flag payments requested to a different jurisdiction than the one in which the company is registered. Perhaps that would flag anti-money laundering concerns.
Most companies have multiple ways of vetting third-parties. One of the reasons to limit the scope to the risk that you’re trying to manage is so that there are fewer redundancies in the third-party approval process.
By knowing what’s already happening, you can not only help streamline the process, but you can also calm nervous co-workers who would be happier for everyone to go through the compliance screening tool to assure them that other non-compliance-related risks are being managed.
Jarls Fire Soda’s working group started to feel a bit better when they realized all of the finance, procurement, and business-related checks that their pencil provider, glass supplier, and cleaning company had to go through, but they were still nervous to reign-in scope.
They needed to go to question four.
What’s the worst that can happen?
A good way to help reluctant people to apply a risk-based approach is to ask them to explain the worst-case scenario if something went wrong.
For Jarls Fire Soda, the worst-case scenario with the pencil sellers was the sales rep trying to bribe the procurement staff. The glass providers could only bribe Jarls’ staff as well, as could the cleaning company.
In other words, none of these types of third-parties would be bribing someone else on the company’s behalf. Contrast this to a sales agent bribing a government official and it begins to be easy to see which third-parties should be in-scope and subject to the full panoply of due diligence checks.
Jarls Fire Soda’s compliance officer won the day.
The sales agents, customs brokers, lobbyists, and distributors stayed in-scope for anti-bribery due diligence, while suppliers, vendors, and customers were kept out.
Waiting for the holy grail
As we wait for the fully-integrated, intelligent, multi-risk third-party tool, we need to make good use of the ones we have now by ensuring they are operating correctly for the risks they are supposed to mitigate. That effort begins and ends with proper scoping.
Use the questions above to help maintain the guardrails to keep the right (risky) third-parties in, and the other third-parties out.
Scoping done well will help your program to thrive.