Time to revisit compliance strategies as global enforcement escalates
April 14, 2014
Consider yourselves forewarned. In her speech to the Global Anti-Corruption Conference in June 2013, U.S. Acting Assistant Attorney General Mythili Raman made a point of saying that the government’s “recent enforcement actions… highlight another important shift in the anti-corruption realm—
» the development of stronger anti-bribery enforcement programs in foreign countries,
» the continuing and encouraging rise in cross-border cooperation, and
» the increasing efforts of our foreign law enforcement partners to hold individual perpetrators accountable.”
Given these thoughts about worldwide compliance enforcement, it’s a good time for companies to revisit their risk assessment practices and models, especially as they relate to anti-bribery and corruption matters.
New business deals as well as planned expansions or contractions come with inherent risks. A comprehensive risk assessment plan will not only help you mitigate anticipated operational, commercial and reputational concerns, but also aid in uncovering and responding to unforeseen issues.
Standard components of an effective compliance framework include due diligence on prospective vendors and suppliers, joint venture partners and agents; internal investigations and compliance reviews; communication of anti-corruption policies to all relevant parties; ongoing monitoring, testing and auditing; documentation and reporting; and employee and third party training. An important benefit of these exercises is that they can constitute an affirmative audit trail that a company has in place compliance policies and programs—and has executed them—in the event of a regulatory inquiry or litigation.
Ideally, a company’s risk assessment strategy will guide it in matching the level of due diligence it takes with the severity of the risk it wants to mitigate. Nowhere is this a greater challenge than with examining third party relationships—and nowhere is there greater compliance risk. Whenever there has been an enforcement action in the past few years, it has almost always come back to a third party.
In the face of what can be an overwhelming challenge, companies have responded to vetting third party relationships with myriad solutions. For example, some companies are now requiring that every third party have an internal sponsor, who must complete a business case and get corporate approval before creating such a relationship.
Others take a one-size-fits-all approach that applies the same vetting parameters to every third party. This leads to several pitfalls: if the inquiry is limited to the lowest levels of fact-finding, significant risks might never be detected. Even more daunting and very costly—and in many cases unnecessary—across-the-board higher levels of reviews can produce thousands of individual reports which then begs the question: Who is going to read them?
Finally, organizations can also encounter numerous obstacles in their efforts to roll out a global compliance program. Differing decision-makers, business operations, workflows, time zones, languages and cultural perspectives can all pose time-consuming and expensive challenges to manage third party risk and an effective compliance program.
A far more efficient—and productive—approach can be to segment third party relationships by categorizing them according to established best practices to determine appropriate levels of risk, and then design and implement the necessary due diligence. However, as in most endeavors, the devil is in the details. The following proposed best practices offer a place to start:
- Get buy-in from the board and executive leadership. Effective programs need appropriate financial support. Look to recent enforcement actions to determine prosecutorial focus and communicate those facts to the board within the context of an organization’s operations. When leaders understand and acknowledge the risks at stake, they are more apt to provide the necessary resources.
- Establish a methodology to effectively segment third parties. Segmentation factors important for companies to consider include, but are not limited to: country of origin, country of payment, length of relationship, nature of the relationship, criticality of the relationship, time in business, annual revenue, industry/market, level of oversight and foreign government interaction. Based on the results of this risk assessment and segmentation of third party relationships, companies can then devote appropriate levels of due diligence in line with the severity of potential risk.
- Employ technological tools to aid in high-volume situations. With most organizations running extremely lean around the world, there are rarely enough resources available to manage the vetting of hundreds—or more likely, thousands—of associated third parties. Customized data management platforms offer an efficient and cost-effective way for companies to track, manage, report and store the individual evaluations of third party relationships via code of conduct notification to third parties, questionnaires, risk scoring and ordering, and conducting of due diligence.
Third party relationships have proved to be the Achilles’ heel for many a compliance program. With regulatory attention escalating worldwide, how confident are companies that third parties aren’t exposing them to significant risk? Analyzing and segmenting third parties into risk categories is an approach that can ultimately help companies avoid fines or other legal sanctions while at the same time strengthening business continuity, brand integrity and the bottom line.
By Michael Varnum, a former managing director at Kroll.