Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2020 Update stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-level approach, with varying depths of due diligence, is the appropriate analysis to take going forward.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:

  1. A Level I due diligence should only be used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
  3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.

Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.

As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:

Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:

  1. Business Justification by the Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the full 5-step process for third party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.

After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will take real effort to address it. As Ben Locwin explained in his BioProcess International article, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:

Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.

William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions, on those employees with the greatest means and motive to commit a violation.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audit and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Three key takeaways:

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
  3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

It is certainly a challenging time for American democracy. For his high crimes and misdemeanors against the Constitution and American democracy, President Trump has now been impeached for a second time. In the midst of this, Tom and Jay are back to look at some of the top compliance articles and stories which caught their eye this week.

  1. Recidivist Deutsche Bank settles a second FCPA matter. Tom takes a 5-part deep dive on the FCPA Compliance and Ethics Blog. Matt Kelly looks at red flags and internal controls on Radical Compliance. Tom and Matt take a deep dive on Compliance into the Weeds.
  2. How the FCPA is big business. Harry Cassin explains in the FCPA Blog.
  3. Is an industry sweep headed your way? Dick Cassin explains in the FCPA Blog.
  4. Why you should welcome the NDAA? Matthew Stephenson in GAB. Jonathan Marks on Board and Fraud.
  5. How to use KPIs in your compliance program. Vera Cherapanova in the FCPA Blog.
  6. What are your Board resolutions for 2021? Steve Durbin in CCI.
  7. 2020 was a year of ethical challenges. Mike Volkov explains in Corruption Crime and Compliance.
  8. What are the C-Suite challenges brought on by Covid-19? Shanil Williams in CCI.
  9. A new month is here and a new guest on The Compliance Life: Gwen Hassan, Director of Compliance at CNH Industrial. In this month’s second episode, we take up the tricky issue of balancing a role as a legal eagle for the company as well as her role in compliance. We also explore the different skill set needed for each of these careers and how it is possible to have both in one person. Check out the episode here.
  10. This month, on 31 Days to a More Effective Compliance Program, I look back over 2020 and set out some of the key enhancements you need to make to your compliance program in 2021. Day 9 | 360 Degrees of Compliance Communications; Day 10 | The Use of Social Media in Compliance; Day 11 | What is Effective Compliance Training?; Day 12 | Financial Incentives for Compliance; Day 13 | Institutional Justice and Fairness; Day 14 | Risk Assessments; and Day 15 | How do you evaluate a risk assessment? Note that 31 Days to a More Effective Compliance Program now has its own iTunes channel.
  11. Join Tom on the Convercent event, “Future-proof your compliance program for 2021”, on Wednesday, January 20th | 11:00 am - 1:00 pm ET. For details and registration, click here.
  12. Join K2 Integrity on January 27 to hear Olivia Allison and Joanne Taylor discuss the latest EU regulatory developments in whistleblowing programs and investigations. Information and registration here.
  13. Compliance Week is accepting nominations for its Excellence in Compliance Award. Submit your nominee here.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.