Few companies, if any, can avoid using third parties when entering new markets. But the financial and legal risks involved can be incredibly high. How can companies understand the risks and assess these relationships appropriately and in an organised way?
Your company is about to enter the new market of Troublestan. The economy there is still largely state controlled.
To maximise your revenues you’re looking to find a broker to handle sales and a local agent to help navigate the cumbersome bureaucracy. You need people who understand the market and can open doors, especially since you’re not even sure which door to open.
It makes a lot of sense to bring in help, but the financial and legal risks can be incredibly high. Anti-corruption laws care little whether your company pays a bribe or a third party you hired does. Either way, your company, and potentially you personally, can be left on the hook.
“Gone are the days when organisations could wash their hands of liability or damage to reputation from outsourced work due to ethics and compliance failures,” said Marjorie Doyle, former Chief Ethics and Compliance Officer for DuPont and currently a consultant to companies on managing third party risk. “Bottom line: your third party’s actions on your behalf are, to a significant extent, your responsibility just like those of your permanent employees.”
And the risks can come from multiple directions. As many oil and gas companies found out, even the choice of a freight forwarder could open them up to significant criminal liability under the US Foreign Corrupt Practices Act.
The adoption of the UK Bribery Act, and the aggressive promotion of anti-corruption legislation of the OECD, mean the risks are only going to grow larger when working with agents and contractors.
Yet, despite the dangers, few if any companies can avoid using third parties at all. Consequently, it’s essential that companies working with them understand the risks and assess these relationships appropriately, and in an organised way.
“Both the FCPA and the UK Bribery Act mandate proportionate responses to corruption risk,” explained Julie Moriarty, Strategic Advisor, Bribery and Corruption Risk Management at SAI Global, a global provider of compliance and risk management solutions, “meaning that not all third party partners require the same level of scrutiny or effort.”
Determining the corruption risk is a multi-step process. She explains that it includes objective factors such as the type of third party and the services that they provide, the country in which they operate, the level of government interaction, the length of service, ownership status and whether the company appears on a sanctions list.
She also argues that companies need to be very systematic in their approach. “One thing companies need to keep in mind when implementing third party due diligence efforts is that, in most cases, some kind of management system will be needed to ensure: (1) consistent due diligence practices across the organisation; (2) that high risk issues are always addressed; (3) centralised visibility into what are usually decentralised practices; and, (4) an accessible system of record exists for auditing and reporting purposes.”
Some of the data companies will need to access on prospective agents and contractors is available readily and from public sources. The Transparency International Corruption Perceptions Index rates countries from the least corrupt (Denmark, New Zealand and Singapore) to the most (Somalia). It is available at www.transparency.org and can be a useful tool for determining the risk level.
Information on many companies is available from commercial sources such as Dow Jones Risk & Compliance and World-Check, which is a part of Thomson Reuters. These services allow businesses to quickly discover government contacts and sanctions of prospective business partners.
While they are good at covering the basics and may be adequate for low risk relationships in low risk areas, there are many times when more research is essential, including field research.
According to Diana Lutz, Managing Director at STEELE, “There is no single correct formula for determining which third parties to include in on the ground vetting. However, companies should ensure that they take a systematic, risk based approach.”
She explains that like any other risk, companies have to manage the risk of third parties making improper payments in a way that is effective within their culture, compliance program and operating environment. Factors such as the company’s background, past compliance concerns, existing compliance programs, and experience of personnel who will oversee interaction with the third parties can all affect whether in-person reviews are necessary.
While not a set formula, when using a risk based approach, there are certain rules of thumb. For example, it’s prudent to initially examine third parties that are working in countries with a high risk of corruption, coupled with large single transaction size or high transaction volume. Also of concern: third parties working in industries, performing functions or being involved in transactions where corrupt payments occur more frequently.
If a need to do an enhanced review is identified, a company has to then decide whether it can conduct the review itself or ask a provider to handle the process. According to Ms. Lutz, factors to consider include:
• The impact on efficiency and independence if handling the investigation in-house
• The investigative expertise of existing resources
• Scalability of the approach
These considerations can be significant, especially when conducting volumes of reviews in distant, violence-prone or high corruption risk regions.
Whatever decision an organisation makes, the results of in-person reviews can be very illuminating.
Ms. Doyle reports that in one case she was conducting a review of a prospective agent. “The business unit was very eager to work with this agent. But, when I got to his address I discovered an office with lots of names on the door and a room filled with empty, unused desks.”
Regardless of whether the review is handled by the company or a provider, it is essential, Ms. Doyle warns, to have a checklist of warning indicators to be aware of, along with a process for dealing with them. “The process could include steps such as audits and face-to-face visits.”
Al Gagne, the Director, Ethics & Compliance for Textron Systems Corporation, cites a number of warning signs that companies should be aware of, including:
• An unusually short time frame to conclude transaction
• Insistence by a government official to involve the third party in the transaction
• High commissions or fees
• Requests for payments to a bank account outside of the home country or to a third party account
Ann Florkowski, Assistant Vice President of Global Compliance for ACE Group, notes that some of the other warning signs can be “Reluctance to supply information, reluctance to sign agreements adhering to our anti-bribery policy…a very limited time in business, and/or a history of operating under different company names.”
In addition to potential new agents and contracts, long-standing business relationships need to be examined regularly. Ms. Doyle recommends that a general audit be conducted every one to two years.
Prioritisation of audits of existing business partners should be based on risk. “Assuming you have a database of all your third parties, you should match them with the risk areas from the risk assessment for your business. If you have high risk in your business processes in a certain area, such as working with government officials, then you need to look at the third parties in that area first, closely and regularly.”
The audit should look for the same warning signs used when looking at prospective partners, but also some others. “I always like to see if any of the third parties have gotten ‘too cozy’ with the business person they are doing work for in the company,” said Ms. Doyle. “That could be the sign of a personal relationship, and oversight that has grown lax.”
She also advises that contracts be written to ensure that oversight happens regularly, and that it isn’t limited just to once every year or so. Instead, it is an ongoing process. “One of the things you should put in the contract is that they need to inform you whenever there is an ownership change.”
Ms. Doyle also cautions, “The first thing you should do in existing relationships is look at the contract and see if there is the right to terminate it for any ethics or compliance violations or if there is a right to audit at any time.”
For some, auditing and monitoring of agents and contractors is supplemented by comprehensive training programs. One long-time compliance officer reported, “We provide a third party online training module to educate business partners on anti-corruption risks and applicable laws and…in some cases live training sessions are conducted during annual distributor meetings to reinforce the message.”
One challenge to the third-party management process is securing the support of the business unit, which may see these programs as an unnecessary impediment.
Enrique Aznar, the Chief Integrity Officer at Millicom International Cellular reports that “According to our policies, local Integrity Managers must be involved in the due diligence process. The policies are circulated to all operations.” This approach helps the business unit buy in to the process.
Mark Snyderman, an ethics and compliance consultant, and former Senior Advisor on Anti-Corruption to the United Nations Global Compact, recommends approaching the issue from a risk perspective. “Business people understand risk, and they also know when they’re being asked to take excessive precautions to mitigate minor risk. Especially if you’re not currently doing much by way of third party due diligence, it’s important to start by concentrating on the high risk engagements.” He advises that it helps to make the risk appear concrete. “Providing the business people with a few pointed examples of how companies have been held liable for the actions of their agents is generally sufficient for them to understand that we need to be careful in engaging these folks.”
Mr. Snyderman is not alone in focusing on actual cases. According to another long-time practitioner, “We conduct multiple rounds of live, online and web-cast training on anti-corruption risks, highlighting high profile corporate violations that involve third parties.”
The bottom line is that third party risk is likely here to stay. For those businesses seeking to protect their bottom line, risk assessments and risk management practices, including tough vetting and auditing programs, as well as ongoing training, are increasingly a necessity.
About the author
Adam Turteltaub, CCEP, CHC, Vice President of Membership Development, Society of Corporate Compliance and Ethics
The Society of Corporate Compliance & Ethics (SCCE) is a non-profit membership association dedicated to improving the quality of corporate governance, compliance and ethics. SCCE’s roles include facilitating the development and maintenance of compliance programs; providing a forum for understanding the complicated compliance environment; and offering tools, resources and educational opportunities for those involved with compliance.
The SCCE can be found online at