Most companies operating in the global arena are familiar with the ongoing regulatory enforcement of antibribery and corruption (ABAC) statutes. But confusion still reigns over how best to implement a robust, risk-based compliance program that provides the best possible protection at a cost that fits within a company’s budget.
Given the recently issued resource guide on the Foreign Corrupt Practices Act (FCPA), published jointly by the Securities and Exchange Commission and the Department of Justice, a risk-based approach to conducting third-party ABAC due diligence is the standard all companies should ensure they meet.
Since conducting due diligence on third parties is both a cornerstone and a cost driver of any ABAC compliance program, building a credible and well-documented program that systematically and objectively defines and assesses third-party risk is critical.
As with any business program, the key to effective planning is to begin with a clear set of objectives. For an ABAC program, critical objectives include gaining a thorough understanding of how the business operates with respect to antibribery and corruption — and with that understanding, conducting a comprehensive ABAC risk assessment relative to third parties.
The result will be the foundation for a well-planned, risk-based ABAC program. While there are common steps to creating an ABAC compliance program, there is no one-size-fits-all, off-the-shelf program. Just as each company’s appetite for risk is different, so is each risk-based ABAC program.
There is a great deal to consider with respect to a given business in determining what kinds of risk factors an ABAC program should manage. Translating those factors into a risk model that can demonstrate consistency will serve both as the road map for your program and the key ingredient in defining the intentionality and credibility of your program before regulators.
Companies need a current and complete inventory of their third parties, as well as an understanding of the culture, business norms, and use of technology in the environment where each of those third parties operates.
Getting your arms around your third parties requires that every company conduct and document a systematic inventory. Most common is an initial exercise to classify third parties into broad groups that clearly define their relationship with the company, such as agents, distributors, resellers, joint-venture partners, or others that might somehow represent the company’s interests.
Each classification of third party often carries its own set of nuanced risks. These are based on how each type of third party generates revenue and interacts with foreign officials, public and private customers, vendors, and other prospects in the countries where they do business.
For example, a technical consultant retained in India would represent a lower risk than a sales and marketing consultant engaged in the same country to assist in tendering goods or services to the government. Similarly, a local Turkish joint-venture partner that is an equal or majority partner and represents the joint venture before the government would represent a higher risk than a minority partner that does not have responsibility for governmental interface.
There are also risks in the way third parties are paid and how closely they are tied to the company. A third party using the company’s trademark or brand name, for example, carries different risk implications than if it represents itself as independent from the company.
A third-party distributor that receives sales leads, market-development funds, and rebates from the company, for instance, and does not distribute competitors’ products, would represent a higher risk than a distributor that also represents the company’s competitors and is therefore neither overly dependent on sales of the company’s products or services nor closely identified with the company.
If an illegal payment is made by a distributor, it’s likely that regulators will look at how the company benefits from the distributor that is engaging in the illegal act. In other words, the more the company benefits, the greater the duty of the company to know the distributor.
If a given third party manages export-control requirements on behalf of the company, risks are magnified considerably if there is potential for illegal reexport or transshipment of sensitive or dual-use technology to entities in countries that are not permitted to receive such technology.
Among the questions to be asked are: How long has the company worked with the third party? How much activity does the third party perform on behalf of the company? Is the relationship exclusive, or does the third party work for other organizations as well? The answers provide a more comprehensive set of factors for establishing or adjusting a third party’s risk profile.
While conducting a methodical inventory of third parties is an important start to a good due-diligence plan, alone it is insufficient. The next phase in building a risk model begins by assigning levels of risk to the various risk factors associated with each third party.
The model can be a complicated or simple matrix, depending on the complexity of the company’s business. But it’s possible — even necessary — through such a process to rank third parties on a defined risk scale. This is an important element in identifying where the risks are most acute, and thus where due diligence and resources should be focused.
For higher-risk third parties, the due-diligence plan might necessarily include field investigations or verification of any number of detailed assertions made by third parties. It might be necessary to explore a third party’s ownership structure, principals, criminal and civil litigation records, business reputation, and even the physical business location to gain comfort that serious risks are adequately addressed.
On the opposite extreme, for lower-risk parties the required level of due diligence might simply be having the third party complete ABAC compliance training and agree to abide by the company’s antibribery policies.
Between those extremes, there are various scopes of due-diligence effort that might be most appropriate, such as a global database check or an open-source investigation.
The FCPA resource guide offers a clear view that a risk-based approach to conducting third-party due diligence should be standard practice. In fact, companies that forgo the risk-assessment process face great peril if they take a more random approach to deciding where they will place their greatest due-diligence efforts.
By not addressing their highest-risk third parties first with the appropriate level of due diligence, they forgo the opportunity to stop (or never begin) doing business with a high-risk third party before a violation of law occurs. They also risk having their compliance program deemed ineffective by regulators, if and when they self-disclose such an event to them.
Conversely, they face potentially unnecessary expense if they take an ultraconservative approach and conduct intensive due diligence on lower-risk third parties that would warrant a lighter level of scrutiny.
An efficient and effective ABAC compliance program is best achieved by developing a risk model that systematically and objectively rates the risks of third parties and prescribes an appropriate scope of due diligence. Such an approach allows companies to focus resources where they are most needed: on the highest-risk third parties.
Dennis Haist is general counsel at STEELE CIS, a global business advisory and risk-management company that provides investigative due diligence, risk assessments, and compliance program development.