What are the methods to assess the risks of your Supply Chain vendors? Other than perhaps financial due diligence, such as through Dun & Bradstreet, or quality control through your QHSE group, the Supply Chain probably does not command your Compliance Department's attention as do other types of third party business partners such as agents, distributors and joint venture partners. This may be coming to an end, as most Compliance Professionals recognize that third parties which supply goods or services to a company should be scrutinized similarly to other third party business partners. In the recently released Deferred Prosecution Agreement with Panalpina and six other oil-field service companies, the Department of Justice specifically noted that, regarding a company's business partners, such as Supply Chain vendors, “it should institute appropriate due diligence” so as to help ensure compliance with the FCPA.
However, to initiate “appropriate due diligence”, a company must first rate the compliance risk of any third party, such as a Supply Chain vendor. The risk rating will inform the level of due diligence required. There are several methods that could be used to assess risk in the area of supply chain and vendors. The approach suggested by the UK’s Financial Services Authority (FSA) in its settlement of the enforcement action against the insurance giant AON would refer “to an internationally accepted corruption perceptions index” such as is available through Transparency International or other recognized authority. The approach suggested by the Department of Justice, in Release Opinion 08-02, would provide categories of “High Risk, Medium Risk and Low Risk”. Finally, writing in the FCPA Blog, Scott Moritz of Daylight Forensic & Advisory LLC has suggested an approach that incorporates a variety of risk-assessment tools, including “the strategic use of information technology, tracking and sorting the critical elements”.
This commentary proposes an approach which would incorporate all three of the above-cited analogous compliance areas into one risk-based assessment program for supply chain vendors. Based upon the assessed risk, an appropriate level of due diligence would then be required. The categories suggested are as follows:
- High Risk Suppliers;
- Low Risk Suppliers;
- Nominal Risk Suppliers; and
- Suppliers of General Goods and Products.
A. High-Risk Suppliers
A High-Risk Supplier is defined as a supplier which presents a higher level of compliance risk because of the presence of one or more of the following factors:
- It is based in or supplies goods/services from a high risk country;
- It has a reputation in the business community for questionable business practices or ethics; or
- It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions.
B. Low-Risk Suppliers
A Low-Risk Supplier is defined as an individual or private entity located in a Low-Risk Country which:
- Supplies goods or services in a Low-Risk Country;
- Is based in a Low-Risk Country where the goods or services are delivered and has no involvement with any foreign government, government entity, or Government Official; or
- Is subject to the US FCPA and/or Sarbanes-Oxley compliance.
C. Minimum Risk Suppliers
A Minimum Risk Supplier is an individual or entity which provides goods or services that are non-specific to a particular job or assignment and the value of each transaction is USD $10,000 or less. These types of vendors include office and industrial suppliers, equipment leasing companies and such entities which may supply routinely used services.
D. Suppliers of General Goods and Products
A Supplier of General Goods and Products is an individual or entity which provides goods or services that are widely available to the general public and do not fall under the definition of Minimal-Risk Supplier. These types of vendors include transportation, food services and educational services providers.
This proposed rating is but one method to allow a company to assess its risks involving its Supply Chain vendors. Both the Consultative Guidance to the United Kingdom Bribery Act and the Panalpina settlements list the risk rating as a key component of a best practices anti-corruption and anti-bribery compliance program. A company need not engage in full due diligence for all Supply Chain vendors. However, it must implement and follow a system to rate each vendor for that vendor’s FCPA compliance risk and evaluate and manage that relationship accordingly.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2010