One of the areas many companies do not focus on enough is possible corruption in their Supply Chain (SC) for goods and services provided on a company’s behalf. The FCPA risks can be just as great through those entry points as it can be through the sales side of an organization. You need to know who your company is doing business with through the SC as much as you need to know your agents seeking business opportunities on your behalf.

As most companies have exponentially more vendors than sales agents, this task may seem daunting. However a well thought plan to risk rank your company’s third parties on the SC side can go a long way towards ameliorating this issue. The key is to set reasonable parameters and then management those third parties which present true corruption risk to your organization.

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, such factors as whether the supplier is (1) located, or will operate, in a high risk country; (2) associated, or recommended or required by, a government official; (3) currently under corruption investigation, or has been recently convicted of any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls; or (5) a provider of widely available services and products that are not industry specific. You should note that any supplier, which has foreign government touch points, should move up into a higher level of scrutiny.

My suggestion is that you create a three-tiered matrix for SC risks, with the three levels consisting of (1) High-Risk Suppliers, (2) Low-Risk Suppliers, and (3) Minimal Risk Suppliers. Below this final category is another category for providers of goods which are commonly available and pose almost no corruption risk. 

A High-Risk Supplier presents a higher level of compliance risk because of the presence one or more of the following factors: (a) It is based or operates in a country that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct. Other factors you may wish to consider include some or all of the following: (1) the Supplier is located in a country that has inadequate regulatory oversight of its activities; (2) the Supplier is in an unregulated business; (3) the Supplier’s ultimate or beneficial ownership is difficult to determine; (4) your company has an annual spend of more than $100,000 with the supplier; (5) the Supplier was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) the Supplier is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering (AML) and anti-terrorism laws comparable to those of the US and UK; or (7) the Supplier lacks a discernable and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $1,000,000 with the supplier; and (3) the supplier is not involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under FCPA or similar law.

Below the high and low risk categories I would add two other categories of suppliers that present very low compliance risks. The first is ‘Minimal-Risk Suppliers’ which generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is USD $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. It may also include legal services from professional firms that are approved and overseen by a company’s Legal Department; Investigative services from professional firms that are approved and overseen by a Legal Department and that do not interact with government agencies on behalf of a company; and Accounting and financial services from professional firms that are approved and overseen by a company Finance Department or Audit Committees and that do not interact with government agencies on behalf of a company.

Finally, are the category of third parties that provide widely available services and products, ‘Common Product and Services’, that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier. These include, among others, wide circulation newspapers, magazines, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services. These third parties raise even less than Minimal Risk to a company, especially when their services and products are provided in a non-high risk country. Suppliers in this category require no FCPA due diligence.

You need to risk rank your third parties which your company might engage through your SC for FCPA exposure. It should be based on your company’s experience and risk going forward. As with all other third party risk management issues, you must document, document, document.

Three Key Takeaways

  1. Risk rank you supply chain based well-conceived strata.
  2. Consider not only the compliance risk but also your business risk.
  3. Only manage those suppliers which present a corruption risk.


This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to