The global fight to tackle bribery & corruption is increasing and a failure to mitigate such risks can lead to costly penalties, contract debarment and business disruption. Alongside bribery & corruption, companies must also be aware of their obligations under sanctions regimes and related measures to address other issues such as money laundering and wider financial crime, while still being able to effectively meet their strategic objectives. Managing regulatory compliance within a company can be challenging on its own, but companies must also ensure their risk exposure from third-party business partners (suppliers, agents, distributors etc.) is being addressed. What measures do you need to take to mitigate third-party risk in this evolving landscape of anti-corruption, sanctions regimes and other regulatory initiatives?
Identifying and managing your business risk
Given the rapidly changing nature of the global risk landscape and the increasing expectations of enforcement agencies, it is critical that you conduct a risk assessment to understand your company's particular risk exposure. Consider the specific risks associated with the industry you operate within (e.g. is there a significant dependency on third parties within your business?), the geographic markets in which you operate (e.g. what kind of track record do these countries have in tackling issues such as bribery & corruption?) and the third party's own attitude to ensuring it meets your compliance standards (e.g. do they apply your staff training and audit controls?).
Effective Third-Party Due Diligence is Essential
Regulators and enforcement agencies have high expectations regarding third-party due diligence. For example, official government guidance supporting such measures as the US Foreign Corrupt Practices Act and the UK Bribery Act, which carry extraterritorial provisions, expects companies to implement proactive and proportionate due diligence processes to reduce the risks of bribery and associated financial crime.
Given the increased risk, companies need to take a proactive approach to conducting due diligence and ongoing monitoring of third parties. What should your due-diligence strategy entail?
1. Assess your due-diligence needs. This includes aligning your process to business and regulatory requirements, evaluating the availability of intelligence - or gaps in it - to determine where you need supplemental information, and identifying the internal resources, including personnel, needed to support the process.
2. Gather information. A typical due-diligence process begins with a request for key information from the prospective client or third-party, often in the form of a questionnaire. For corporate entities, the request might also require submission of incorporation documents, details on key shareholders and beneficiaries, group structure, board members, any political connections and official references. For individuals, the request might also require proof of identity, their source of wealth and funds and any potential political links depending on the nature of the anticipated relationship.
3. Conduct watch list screenings. Names of companies, individuals and NGOs should be checked against global sanctions lists. In addition, you should check individuals against politically exposed persons (PEPs) lists to determine government or official connections. By conducting watch list and PEP checks early in the process, companies can quickly determine if a potential business opportunity should be treated with a higher degree of risk or even exited.
4. Determine risk levels. Using the information gathered in the initial stage and the watch list screening, you can begin to classify potential clients, suppliers or other third parties as ‘low’, ‘medium’ or ‘high’ risk, allowing you to apportion due diligence resources as appropriate and to conduct a more efficient due-diligence process. Additional risk assessment should include the third party's country of origin and that jurisdiction's track record for dealing with bribery and corruption, along with other factors such as dependence on local agents, industry sector, state-owned businesses or other government involvement. Financial risk, such as the type of compensation model used for rewarding third-party personnel, implementing specific audit rights and whether the third party has anti-bribery and corruption policies in place, may also be considered.
5. Verify information. The objective of the due diligence process is to verify the information provided by the third party, to establish whether they can truly deliver the services expected of them and whether essential factors such as financial stability, perceived business reputation, litigation history and regulatory checks uncover any concerns. The higher the level of risk identified by the upfront assessment process, the greater the degree of due diligence applied and the wider the level of checks, which may extend beyond the third party to their management team, ownership structure, subsidiary companies and business associates.
6. Create an audit trail. It is critical at each stage of the process that a consistent and comprehensive audit trail is maintained, including all relevant documents retrieved, assessments given and decisions taken, should you need to review a business relationship or demonstrate to regulators the steps taken to mitigate risk in the event of an enforcement investigation.
Ultimately, you need to develop a robust, flexible and scalable due-diligence process that can adapt as your business strategy and local regulations change. In addition, you need to conduct routine reviews of the process to ensure that it is, indeed, evolving to mitigate risk today - and in the future. Failing to establish a robust due-diligence process could leave your company exposed - not only to the financial penalties for compliance violations, but also to the reputational damage that arises from any alleged wrongdoing - even when it occurs through a third party. Are you prepared?