Mon, Apr 14, 2014
Consider yourselves forewarned. In her speech to the Global Anti-Corruption Conference in June 2013, U.S. Acting Assistant Attorney General Mythili Raman made a point of saying that the government’s “recent enforcement actions… highlight another important shift in the anti-corruption realm—
Given these thoughts about worldwide compliance enforcement, it’s a good time for companies to revisit their risk assessment practices and models, especially as they relate to anti-bribery and corruption matters.
New business deals as well as planned expansions or contractions come with inherent risks. A comprehensive risk assessment plan will not only help you mitigate anticipated operational, commercial and reputational concerns, but also aid in uncovering and responding to unforeseen issues.
Standard components of an effective compliance framework include due diligence on prospective vendors and suppliers, joint venture partners and agents; internal investigations and compliance reviews; communication of anti-corruption policies to all relevant parties; ongoing monitoring, testing and auditing; documentation and reporting; and employee and third-party training. An important benefit of these exercises is that, in the event of a regulatory inquiry or litigation, they can constitute an affirmative audit trail showing that a company has compliance policies and programs in place and has executed them.
Ideally, a company’s risk assessment strategy will guide it in matching the level of due diligence it takes with the severity of the risk it wants to mitigate. Nowhere is this a greater challenge than with examining third party relationships and nowhere is there greater compliance risk. Whenever there has been an enforcement action in the past few years, it has almost always come back to a third party.
In the face of what can be an overwhelming challenge, companies have responded to vetting third party relationships with myriad solutions. For example, some companies are now requiring that every third party have an internal sponsor, who must complete a business case and get corporate approval before creating such a relationship.
Others take a one-size-fits-all approach that applies the same vetting parameters to every third party. This leads to several pitfalls: if the inquiry is limited to the lowest levels of fact-finding, significant risks might never be detected. Even more daunting, across-the-board higher levels of review, which are very costly and in many cases unnecessary, can produce thousands of individual reports, which then begs the question: Who is going to read them?
Finally, organizations can also encounter numerous obstacles in their efforts to roll out a global compliance program. Differing decision-makers, business operations, workflows, time zones, languages and cultural perspectives can all pose time-consuming and expensive challenges to managing third party risk and maintaining an effective compliance program.
A far more efficient and productive approach can be to segment third party relationships by categorizing them according to established best practices to determine appropriate levels of risk, and then design and implement the necessary due diligence. However, as in most endeavors, the devil is in the details. The following proposed best practices offer a place to start:
Third party relationships have proved to be the Achilles’ heel for many a compliance program. With regulatory attention escalating worldwide, how confident are companies that third parties aren’t exposing them to significant risk? Analyzing and segmenting third parties into risk categories is an approach that can ultimately help companies avoid fines or other legal sanctions while at the same time strengthening business continuity, brand integrity and the bottom line.
The Kroll Investigations, Diligence and Compliance team partners with clients to anticipate, detect and manage regulatory and reputational risks associated with global ethics and compliance obligations.