Jay Martin, Chief Compliance Officer at Baker Hughes, a GE company, continually reminds us that a key to compliance is execution. Nowhere is that more true than in step five of the five-step process for managing third parties: managing the relationship after the contract has been executed. This is where the rubber meets the road for your compliance program. Helpfully, the Department of Justice (DOJ), in its Evaluation of Corporate Compliance Programs, laid out several factors which you should consider in this area.
In Prong 10 – Third Party Management, it stated:
Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?
If you do not manage the third-party relationship, it can all go downhill very quickly and you might find yourself with a potential FCPA violation. The DOJ has now explicitly adopted this approach as a key determination of whether you have operationalized your compliance program.
There are several different ways that you should manage your post-contract relationship. There should be a Relationship Manager for every third-party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship. Some duties may include:
- Point of contact with the third-party for all compliance issues;
- Maintaining periodic contact with the third-party;
- Meeting annually with the third-party to review its satisfaction of all company compliance obligations;
- Submitting annual reports summarizing services provided by the third-party;
- Assisting the company’s compliance function with any issues with respect to the third-party.
The Relationship Manager can be the Business Sponsor who prepared the Business Rationale. By using the Business Sponsor as the Relationship Manager, your company will further operationalize compliance by continuing to have the business unit lead the front-line relationship, communications and contact with the third-party. As noted compliance commentator Scott Moritz has said, “This puts the onus on each stakeholder.”
Just as a company needs an SME in anti-bribery compliance who can work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third-parties also need such a resource. A third-party may not be large enough to have its own compliance staff, so any company using third-party representatives should provide a dedicated resource to its third-parties. This will not create a conflict of interest, nor are there other legal impediments to providing such services. Such services can also include anti-corruption training for the third-party, delivered either onsite or remotely. The compliance practitioner should work closely with the Relationship Manager to provide advice, training and communications to the third-party.
Third-Party Oversight Committee
A Third-Party Oversight Committee further operationalizes compliance. It reviews all documents relating to the full panoply of a third-party’s relationship with the company. It can be a formal structure or some other type of group, but the key is to have senior management put a ‘second set of eyes’ on any third-party who might represent the company. Beyond the basic concept of process validation for your management of third-parties, which are recognized as the highest risk in anti-corruption compliance, this is a way to deliver additional management of that risk.
After the commercial relationship has begun, the Third-Party Oversight Committee should monitor the third-party relationship on no less than an annual basis. This audit should include a review of remedial due diligence investigations and an evaluation of any new or supplemental risks associated with any negative information discovered from a review of financial audit reports on the third-party. The Third-Party Oversight Committee should review any reports of any material breach of contract, including any breach of the requirements of the Code of Ethics and compliance program. In addition to the above remedial review, the Third-Party Oversight Committee should review all payments requested by the third-party to confirm that they are within the company guidelines and are warranted by the contractual relationship. Lastly, the Third-Party Oversight Committee should review any request to provide the third-party any type of non-monetary compensation.
A key tool in operationalizing the relationship with a third-party post-contract is auditing the relationship. You should secure audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a baseline, any audit of a third-party should include, at a minimum, a review of the following:
- the effectiveness of existing compliance programs and codes of conduct;
- the origin and legitimacy of any funds paid to Company;
- books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
- all disbursements made for or on behalf of Company; and
- all funds received from Company in connection with work performed for, or services or equipment provided to, Company.
If you want to engage in a deeper dive you might consider evaluation of some of the following areas:
- Review of contracts to confirm that the appropriate FCPA compliance terms and conditions are in place
- Determine that actual due diligence took place on the third-party
- Review FCPA compliance training program; both the substance of the program and attendance records
- Does the third-party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism
- Does the third-party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached
- Review employee expense reports for employees in high-risk positions or high-risk countries
- Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials
- Review the overall structure of the third-party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third-party’s compliance program designed to identify risks and what has been the result of any so identified?
- Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third-party
- With regards to any petty cash activity in foreign locations, review a sample and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances
Operationalizing compliance does more than protect companies that may fall under DOJ or Securities and Exchange Commission regulatory scrutiny. The true significance of operationalizing compliance is that it makes companies more efficient from a business process perspective and generally more proficient as businesses. I often say that compliance is the business solution to the legal problem of laws such as the Foreign Corrupt Practices Act (FCPA). However, by operationalizing your compliance program you can take this concept a step further and potentially make your business more profitable.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018