Amid a climate of increasing regulatory enforcement, demands for companies to be more transparent, and the growing threat that a compliance violation could cause reputational damage, compliance officers are taking a closer look at their internal programs.
One major area of concern: the compliance risks posed by hiring third parties.
There is plenty of available information that addresses such risks. Global regulatory guidance sets forth specific expectations for managing third-party compliance. Additionally, various global organizations recommend principles that further highlight the need to effectively manage third-party risks.
Key guidelines address due diligence on third parties, contractual terms and commitments, training for third parties on compliance expectations, third-party audits, and reporting channels for raising concerns about third parties.
For companies with well-established compliance functions, these key guidelines — as well as the companies’ internal compliance processes — are often well-embedded into the business.
However, they don’t always prevent a well-orchestrated violation. A number of recent prosecutions — Sanofi, Mobile Telesystems, Cognizant, and Fresenius — involved transactions that were routed through third-party intermediaries.
The violations included giving third parties shares in subsidiaries; using a shell third party to funnel funds to public officials; making payments to third parties in which public officials held ownership interests; and paying third parties to obtain licenses by channeling funds to public officials.
Those companies and many others had, and continue to have, policies and procedures associated with third-party compliance.
On a case-by-case basis, the level of due diligence may be tuned to the risk level assessed for a particular third party. The business rationale for the activity may be well documented. Payment terms may not deviate from accepted practice. And compensation under one third-party contract (such as a turnkey arrangement) may legitimately not be comparable to compensation under another third-party contract.
To a certain extent, however, the effectiveness of due diligence depends on the availability of relevant information about a third party or individuals in open or subscribed sources. In many cases, a compliance officer may not know that there’s an issue with an identified third party.
So what else fails in these cases, beyond the familiar causes of control failure? Sometimes the culprit is ineffective compliance intelligence and influence (CII).
CII encompasses a compliance function’s knowledge of key people across a company’s risk functions, forming relationships with them, and strategically exerting appropriate influence on them to provide intelligence that can enhance compliance.
That’s not about gathering gossip, but it might be about becoming lunch or sports companions with them and listening to their work frustrations.
The intelligence gathered could, for example, be along the lines of:
In many cases, the people who provide this intelligence (an administrator, say, a mid-level executive, or a secretary to a senior executive) do not necessarily consider the issues they share to be compliance violations. Nor are they necessarily aware that they are supporting the compliance officer's agenda.
While processes enable companies to be sure that every action is channelled through laid-down compliance requirements, CII helps by constantly validating the intent behind such actions.
Sundar Narayanan is director of forensic services for Mumbai, India-based SKP Business Consulting.