Putting the Pieces Together: Integrated Due Diligence Programs
One of the many challenges in the compliance profession centers on coordination and integration. There are plenty of compliance experts who can describe a perfect world – how to design a specific program and procedures to implement the program. Vendors are ready to line up at a chief compliance officer’s door and sell them products which will carry out a specific program.
The challenge for CCOs (and for vendors) is to build integrated compliance programs which cut across various functions and compliance needs in an effective manner. For anti-corruption compliance programs, due diligence of third parties is the most important area for an integrated program.
I recently conducted a webinar on this subject — a video recording is available here on my YouTube channel.
An integrated third-party due diligence program should be based on four basic principles:
- To identify all third parties and measure their risk
- To respond to specific risks and, where appropriate, implement proactive strategies to minimize risk
- To weigh business need and justification against risk
- To minimize overall risk to the enterprise
The program is built on a risk analysis that guides the allocation of compliance resources through a risk-ranking and monitoring system. It requires documentation of every step of the program: the design and implementation of the program, the establishment of risk thresholds that trigger specific actions and interventions, and advice-of-counsel memos to ensure proper legal analysis and protection.
Once a company defines and identifies all of its third parties (a difficult task for many organizations), it can apply screening procedures to calculate the risk of each third party. A different formula, modified to reflect changed circumstances, should be applied at the renewal of a third-party relationship. Between initial screening and renewal, the company should conduct periodic and regular risk-monitoring calculations for its third parties, and if a third party's risk exceeds certain thresholds, an affirmative intervention program should be used to reduce that risk.
A formal third-party due diligence audit program should be conducted each year, based on the risk calculations and using the full set of audit tools (e.g. transaction testing, specific-issue tests, desk audits, and formal compliance and financial audits).
A consistent formula for assigning risk values should be applied at each stage – screening, renewal, monitoring and formal audit calculations. The formula can be designed around a number of variables relevant to the business and the specific industry (e.g. country of operation, extent of government interaction (sales and regulatory), percentage of government sales, ownership by a foreign official or family member, allegations of misconduct and/or corruption, and existence of a written contract with appropriate anti-corruption certifications). However the formula is designed and whatever weights are assigned to specific factors, the most important consideration is consistency. A formula that is applied across the board and is not designed to skew results or ignore significant red flags will give a company significant protection, minimize risk, and shield the company from an enforcement action based on its due diligence program.
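The following is an added example, not code from the original post, showing how the single-formula principle above and the threshold-driven intervention described earlier can be implemented: one scoring function reused unchanged at screening, monitoring and renewal, with each assessment recorded so the program is documented. The factor weights, threshold values and third-party record are constructed assumptions for illustration; a real program would set them with counsel and document the rationale.

```python
from dataclasses import dataclass, field

# Constructed weights for the factors named in the text; the page gives no numbers.
WEIGHTS = {
    "high_risk_country": 30,
    "government_interaction": 15,
    "government_sales_pct": 20,      # scaled by the percentage of government sales
    "official_ownership": 25,
    "misconduct_allegations": 35,
    "no_anticorruption_contract": 20,
}
# Constructed thresholds: score at or above which a given action is triggered.
THRESHOLDS = {"enhanced_review": 40, "intervention": 70}


@dataclass
class ThirdParty:
    name: str
    high_risk_country: bool = False
    government_interaction: bool = False
    government_sales_pct: float = 0.0    # 0-100
    official_ownership: bool = False
    misconduct_allegations: bool = False
    no_anticorruption_contract: bool = False
    history: list = field(default_factory=list)   # documented record of every assessment


def risk_score(tp: ThirdParty) -> int:
    """The one formula, applied identically at every stage of the program."""
    score = 0
    for factor, weight in WEIGHTS.items():
        value = getattr(tp, factor)
        if factor == "government_sales_pct":
            score += round(weight * value / 100)   # proportional factor
        elif value:
            score += weight                         # boolean red-flag factor
    return score


def assess(tp: ThirdParty, stage: str) -> dict:
    """Score the third party at a named stage, map the score to an action, and record it."""
    score = risk_score(tp)
    if score >= THRESHOLDS["intervention"]:
        action = "intervene"
    elif score >= THRESHOLDS["enhanced_review"]:
        action = "enhanced_review"
    else:
        action = "approve"
    record = {"stage": stage, "score": score, "action": action}
    tp.history.append(record)   # documentation of this step of the program
    return record
```

Because `assess` is the only entry point, a monitoring run that learns of a new misconduct allegation scores the same factor with the same weight that screening would have used, so the threshold crossing is attributable to the changed facts rather than to a changed formula.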
The biggest cause of major enforcement actions is a systemic breakdown in compliance controls. A company that is committed to an integrated due diligence program and carries it out in good faith, with documentation and advice of counsel, can never – ever – be charged with a systemic breakdown. Even in the worst case, a company with an integrated program may miss the risks posed by a particular third party, but any violation is likely to be contained to that third party and can quickly be remedied to avoid a serious compliance breakdown.