In my last corporate position, my company was at the compliance forefront because we required compliance-related audits for vendors in the supply chain. This was cutting edge in 2007-08. Now, however, an audit for adherence to compliance requirements has become a standard best practice in the management of business relationships with third-party vendors in the supply chain. In several settlements of enforcement actions through both DPAs and NPAs, in the 2012 FCPA Guidance and, most recently, in the 2019 Guidance, the DOJ made it clear that a best practices compliance program includes the right to conduct audits of the books and records of its suppliers to ensure compliance. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. This is a missed opportunity, both from the compliance perspective and from that of greater business efficiency.

Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit, and a thorough and complete work plan should be created based upon all of these professional inputs. After the audit, an audit report should be issued. This report should detail any incidents of non-compliance with the compliance program and make recommendations for improvements. Each reported incident of non-compliance should reference its basis, such as the contractual clause, legal requirement or company policy that was not met.

Three key takeaways:

  1. Is your supply chain vendor committed to the audit process?
  2. Capture the data, analyze the data, report on the data.
  3. Supply chain audits are no longer cutting edge but are now simply best practices.

Continuous improvement can take many shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or an employee of a state-owned enterprise, or by a close friend or family member of one. There may also be inquiry into the third party's knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices Act (FCPA) and of compliance programs. Other information, such as criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis. In the current economic environment, this information is even more critical.

One thing that is generally not considered is the financial health of the third party. Such an oversight may have significant ramifications for an accurate picture of a third party. The financial health of third parties is not only a key metric but also a key due diligence tool, which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost see the fraud triangle forming at this point, with a rationalization for committing an FCPA violation forming in the mind of the third party.

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, Chairman of Rapid Ratings International Inc., has noted, “Cybersecurity is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green-lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cybersecurity program. In a case like that, over time, a company partner of that firm is taking increased risks for cybersecurity breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cybersecurity problem and when that problem actually hits, it’s too late, it’s affecting revenue, it’s affecting reputation, it’s affecting all sorts of things.”

A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third-party ecosystem.”

This means considering your third parties in a much broader manner, which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may provide indicia of its anticipated compliance performance. Such information can be useful for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners or even fourth parties, can help you meet your compliance requirements, maintain operational stability through the avoidance of business disruption, and support business continuity initiatives. Even better, you can cut through silos to develop risk management strategies across multiple business functions.

This moves compliance into the business process cycle, creates greater efficiencies and, at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate a solid return on investment (ROI) going forward. It also allows compliance to cut through many corporate silos, including such disciplines as business development, supply chain or procurement, manufacturing and finance.

Continuous improvement through monitoring of ongoing financial health is an area where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and, with that, the ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2020


Continuous improvement can take many shapes and forms. One thing that is generally not considered is the financial health of the third party. Such an oversight may have significant ramifications for an accurate picture of a third party. The financial health of third parties is not only a key metric but also a key due diligence tool, which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

Continuous improvement through monitoring of ongoing financial health is an area where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the DOJ requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and, with that, the ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

Three key takeaways:

  1. What is the financial health of your third parties?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement.

Welcome to the newest addition to the Compliance Podcast Network, Compliance and Coronavirus. As the Voice of Compliance, I wanted to start a podcast which will help to bring both clarity and sanity to the compliance practitioner and compliance profession during this worldwide health and healthcare crisis. In this episode, I am joined by Michael Cherkasky, Executive Chairman and Head of Exiger Government Services. We discuss how the coronavirus health crisis will test the mettle of your organization and why the preservation of your human capital is job Number 1 for every compliance professional during this crisis.

For more information on Exiger, check out their website here.

This podcast is sponsored by SAI Global. To learn how you can protect your business operations and workforce during these uncertain times, visit saiglobal.com/risk for free resources, expert guidance, and industry-leading technology.

When was the last time you considered the health of your company’s third-party management program? A good way to test that well-being is to perform a check-up on your program. It would include the following areas of exploration.

Do you have a database of all your third parties and their information? (Or is it still in a spreadsheet?) In this step, you should review the full list of all third parties, including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third-party relationship going forward.

Have you done a risk assessment of your third parties and prioritized them by level of risk? Here, check and double-check which third-party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business? (b) Is the third party’s service performed with little company supervision or oversight? (c) Does the third party have access to any company funds, resources or assets? (d) Can the third party fund the company contractually? (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company? When was the last time you asked these questions of the Relationship Manager?

Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” From this starting point, assign each risk profile to a category, such as high, medium or low. The higher the risk, the more due diligence will be required to vet the third party. Finally, how often does your company receive updated due diligence reports? Is it on a daily, quarterly, semi-annual or annual basis?

Once the risk categories have been determined, move on to revising your written due diligence process. Obviously, you need to have a written policy and defined procedures to implement your due diligence policy. However, when was the last time it was reviewed or updated? What happens if you, the compliance professional, win the lottery (or get run over by a bus)? Would a substitute know what to do, or would there be a written reference for your replacement? You should consider the following: (a) who is responsible for implementation; (b) a list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews of third parties in a high-risk category; (f) conflicts of interest checks; and (g) a process for documentation and storage of the information.

Once the third party has been selected based on the due diligence process, review all contracts to ensure appropriate compliance terms and conditions are in place. Also ask when was the last time you considered your compliance terms and conditions, or reviewed all of your third-party contracts to ascertain whether they include the following required terms: (a) anti-corruption and anti-bribery certification; (b) a requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) a requirement that the third party obtain pre-approval to subcontract out any of its work for your company; (g) a requirement that the third party report any ownership change back to your company; and lastly (h) clear termination rights.

Does your company use Relationship Managers for third-party management? Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. Do you rotate Relationship Managers? What training has the compliance function provided to them as the company’s point of contact for third parties?

When did you last check your third parties for any new red flags which may have arisen after the initial due diligence was completed? At what interval do you update or renew your due diligence? What about a change on the company side regarding sales, sales practices, products or services which might become high-risk?

Many companies understand the maxim “know your customer” (KYC); nevertheless, in today’s global economy this maxim may well need to be expanded to “know your third party” (KYTP). The bottom line is that there is no way out when it comes to third-party risk management and third-party compliance efforts. A good place to start is with a third-party check-up program.

A third-party check-up can go a long way towards identifying any gaps in your third-party risk management program. If you would like any more information, give me a shout. Best of all, you can do this while working from home or remotely.