I am currently studying Medieval England including the reign of Alfred the Great. As you might expect with someone monikered as ‘The Great’ he is certainly considered right up there with the greatest Kings of England. Not only did he largely drive out the Viking invaders from his country but he also set the stage for the unification of England under one crown, for the first time since the days of Roman Britain under the Caesars. One of the innovations he developed was fortified towns, called burgs, from which to resist Viking raids and incursion. But more than simply walled cities for defense, within these fortified towns was a wide road running down the middle of the town called the ‘High Street’ and a street situated next to the town’s walls appropriately called ‘Wall Street’. These streets were wider than the others in the town to facilitate the movement of troops in the time of crisis, such as a Viking raid. In other words, Alfred evaluated the risk to his kingdom and put multiple layers of steps into place to manage those risks.
In the Foreign Corrupt Practices Act (FCPA) compliance world, one of the key components that the Department of Justice (DOJ) wants to see is a risk assessment and a company managing its risks, based upon said risk assessment. One company’s response to a risk or set of risks does not necessarily mean that another company must follow it. The DOJ’s Ten Hallmarks of an Effective Compliance Program are broad enough to allow companies to manage their own risks, hopefully effectively. I thought about this concept when I was listening to a presentation by Flora Francis and Andrew Baird of GE Oil & Gas at the 2014 SCCE Utility and Energy Conference in Houston this week on GE’s third party risk management. First of all, if you have the chance to hear a couple of nuts and bolts compliance practitioners from GE like these two speak, run, don’t walk, to their presentation. GE’s commitment to compliance is well known but also the company’s willingness to share about their compliance program is a great boon to the compliance community. Lastly, is the gold-standard nature of the GE compliance program and while it may be more than your company needs to manage their own risks, the GE compliance regime does shine a light that we can all aspire to in our own compliance programs.
Both speakers made clear that GE’s program was the company’s response to its assessed risks. Further, the compliance program has evolved, not only as the company’s risks have evolved but also as the company has determined what works and does not work as well. Within the realm of third parties’ the prescient question from compliance to the business unit would be ‘What is your “Go To Market Strategy” and how will your use of third parties assist you in carrying out that strategy?’ Some of the factors the speakers cited could include your company’s market coverage strategy, product segmentation, pricing and margin expectation, an added capability which your company may not possess such as technology, and finally there could be local legal requirements for a local content third party in certain countries.
Some of the factors which GE considers, when evaluating a third party, include the following:
- Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
- In-house Capabilities: Do we already have the organization in place to handle these capabilities?
- Overlap: Do we already have a third party in the region/country that can handle our needs?
- Volume of Business: How much business will this third party bring to the company?
- Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have same commitment to compliance?
- Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
- Reputation: What is the third party’s reputation in the market?
I was also intrigued to learn about the risk analysis process that GE uses with its third parties. Initially the process breaks the risks down into low risk and high risk. A low risk received a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.
But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were:
- Country channel where the third party is located in or where it sells into;
- Experience by the third party with the sales channel;
- Type of third party involved; agent, reseller, distributor;
- Commission rate, is it standard v. non-standard;
- Will any sub-third party relationships be involved;
- Will the third party sell to government entity or instrumentality;
- Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
- Was the third party mandated by customer or the end user;
- What is the third party’s contract duration;
- Is the third party involved in more than one project;
- Does the third party have any historical compliance issues;
- What is the percent of sales with products or services; and
- What is GE’s annual revenue with the third party?
GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and whether or not the company should move forward with a proposed third party. If the decision is made to move forward and create a commercial relationship, the third part must agree to commit to the compliance standards of GE; stay current with and obey all applicable legal and regulatory provisions; comply with all contractual provisions; grant to GE audit rights; agree to report any compliance violations; certify to all compliance requirements on a regular basis; receive and complete compliance training and to allow regular site visits. GE also requires each third party to have a relationship manager assigned to it who is there to establish ongoing communication, provide ongoing training and to provide a platform for business improvement. Internally GE has processes in place to refresh due diligence; review, renew and update as appropriate contracts; conduct regular site visits and periodic audits.
Flora and Andrew ended their presentation with the following quote from the US Sentencing Guidelines about the question – ‘When is Enough, Enough?’ When you can show the government agency asking that you have taken appropriate steps to design, implement, and enforce a compliance program that is generally effective in preventing and detecting criminal conduct.
Their presentation was an excellent mechanism for the compliance practitioner to assess their third party management program. Although they made clear that this program was not for all companies, there is enough meat present for anyone to use in evaluating where you might be and where you might need to go in management of your third parties. And just as Alfred the Great constructed a defense-in-depth in his fortified towns, so the GE program for the management of third party risk has several layers of protection so that when the crisis does arise, they can adequately respond when the government comes knocking.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2014