One of the areas many companies do not focus on enough is possible corruption in their supply chain for goods and services provided on a company’s behalf. The FCPA risks can be just as great through those entry points as they can be through the sales side of an organization. You need to know who your company is doing business with through this channel as much as you need to know your agents seeking business opportunities on your behalf. Most companies have exponentially more vendors than sales agents, so this task may seem daunting. However, a well-thought-out plan to risk rank your company’s third parties on the supply chain side can go a long way towards ameliorating this issue. The key is to set reasonable parameters and then manage those third parties which present true corruption risk to your organization.

The level of due diligence and the categorization of a supplier should depend on a variety of factors, including whether the supplier is (1) located, or will operate, in a high-risk country; (2) associated with, or recommended or required by, a government official; (3) currently under corruption investigation, or has been recently convicted of any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls; or (5) a provider of widely available services and products that are not industry specific. You should note that any supplier that has foreign government touch points should move up into a higher level of scrutiny.

My suggestion is that you create a three-tiered risk matrix consisting of (1) high-risk suppliers, (2) low-risk suppliers, and (3) minimal-risk suppliers. Below this final category is another category for providers of goods which are commonly available and pose almost no corruption risk.

You need to risk rank the third parties which your supply chain might engage with for FCPA exposure. The ranking should be based on your company’s experience and risk going forward. As with all other third-party risk management issues, you must “Document, Document, and Document”.

Three key takeaways:

  1. Risk rank your supply chain based on well-conceived strata.
  2. Consider not only the compliance risk but also your business risk.
  3. Only manage those suppliers which present a corruption risk.