An important part of the job duties of any compliance practitioner is clearing red flags which might appear for a proposed third-party relationship during the due diligence process. Not only must all red flags be cleared; there must also be evidence of the decision-making process to show to a regulator if one comes knocking.
The Justice Department Evaluation of Corporate Compliance Programs states under Prong 10 the following: “Real Actions and Consequences – Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved?” There is no set formula or guideline for clearing red flags or evaluating due diligence. One approach came from a presentation that two compliance practitioners at GE Oil & Gas, Flora Francis and Andrew Baird, made at the 2014 SCCE Utility and Energy Conference on GE’s third party risk management, in which they described the process by which GE reviews the risks around each third party with which it does business.
Some of the factors which GE considers, when evaluating a third party, include the following:
- Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
- In-house Capabilities: Do we already have the organization in place to handle these capabilities?
- Overlap: Do we already have a third party in the region/country that can handle our needs?
- Volume of Business: How much business will this third party bring to the company?
- Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have the same commitment to compliance?
- Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
- Reputation: What is the third party’s reputation in the market?
GE takes this information and then breaks the risks down into low risk and high risk. A low-risk third party receives a limited review and analysis, while a high-risk third party receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.
But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless, I found them to be a very useful way to think about third party risk. The risk score drivers listed were:
- Country in which the third party is located or into which it sells;
- Experience by the third party with the sales channel;
- Type of third party involved: agent, reseller or distributor;
- Commission rate: standard or non-standard;
- Will any sub-third party relationships be involved;
- Will the third party sell to government entity or instrumentality;
- Do any of the third party’s principals, officers or agents work for a foreign government, state-owned enterprise or political party;
- Was the third party mandated by customer or the end user;
- What is the third party’s contract duration;
- Is the third party involved in more than one project;
- Does the third party have any historical compliance issues;
- What is the percent of sales with products or services; and
- What is GE’s annual revenue with the third party?
GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and a Go/No-Go decision on whether the company should move forward with a proposed third party.
Another approach came from Randy Corley, Executive Vice President (EVP), Global Compliance Officer at Edelman Inc. I found his questions to be very relevant when considering how far down the chain a company must go.
Step 1: How Much is Enough? Here your goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties.
Step 2: How Deep Do We Dig? Here I think the question you should consider is how many tiers down you must go in managing your third parties. Clearly you should manage all direct counter-parties in the sales chain and those considered high-risk in the supply chain. Further, in the sales chain, I think you need to know directly if your business representatives are sub-contracting your business representation, at least through one tier. On the supply chain, if a high-risk counter-party truly is a high risk for bribery and corruption under your internal evaluation system, you should also consider digging down one tier.
Step 3: What Do You Need To Know? While with your first-tier relationships you may scope your review depending on your internal risk assessment and attendant risk ranking, your data collection down the chain may not need to be as robust. For counter-parties further down the chain than tier 2, a list of actual and beneficial owners, coupled with commitments to follow relevant anti-corruption legislation, is needed. Such commitments should be secured through each tier’s contract with its counter-parties.
Step 4: What Did We Learn? If there is any information from which Red Flags appear, they must be cleared. If additional information is needed or points clarified, now is the time to do it, not later in the process. Here I would rely on Jan Farley’s advice not to stretch your compliance program too thin. Focus your training, communication and management on your direct counter-parties and communicate to them that your company expects them to manage their relationships with their direct counter-parties, which would include the clearing of any Red Flags that may have appeared.
Step 5: Then What? After you have made your decision you still need to manage the relationship. This will entail continuing compliance communications with your direct counter-parties on an ongoing basis. Preferably your business unit sponsor will do this, but as the compliance practitioner you should also be mindful of checking in from time to time with your third parties. As your compliance program matures, you will also reach the point where you need to consider auditing your third parties from the compliance perspective. Finally, do not forget the three most important things about your FCPA compliance program: “Document, Document and Document” the entire process.
In the area of third parties, consider what risks you face in both your sales and supply chain. If there is a key player several tiers down the line who creates or builds a key component or delivers a critical service, you may want to put more management around that relationship from the compliance perspective. For anything below tier 2, you may be able to manage your risks by having your direct tier 1 counter-party take the lead in managing such compliance risks. But make sure that the expectation is communicated to your direct counter-party so that if the government comes knocking you can show not only that you contractually obligated your direct counter-party to do so, but that you provided them the tools and training to do so. Finally, you will need to be able to show that your direct counter-party actually did so.
Three Key Takeaways
- There is no set formula for clearing of red flags or the evaluation of due diligence.
- Know when to say enough has been done.
- You must Document, Document, Document your evaluation of any red flags.
Make sure you document your evaluation of due diligence to show when a regulator comes knocking.
This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos ABAC accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.