Building a Due Diligence Infrastructure (Part IV of IV)
A due diligence infrastructure is designed to demonstrate a company’s good faith commitment to compliance with anti-corruption laws by: identifying corruption risks; and mitigating such risks to ensure that the company does not violate the law.
A much simpler way to put it is – a company’s due diligence system is designed to negate any inference of intent to violate the FCPA. A due diligence system keyed to this fundamental principle should promote a company’s ethical and law-abiding conduct through its business activities conducted by third parties.
With these critical principles in mind, a due diligence infrastructure requires several components:
(1) An automated system to organize and document the company’s due diligence activities;
(2) A pre-defined set of policies and procedures needed to conduct due diligence, renew due diligence, and define basic, enhanced, and focused due diligence inquiries;
(3) A procedure for effective elevation of third party risks so that compliance, legal, and business managers are able to review and respond to third party risks;
(4) A system for providing and documenting advice and counsel, including written representations and warranties tailored to specific risks, documentation of legal directions, and actions taken based on legal analysis; and
(5) A robust set of requirements for monitoring and auditing third parties through a range of techniques and interventions.
I have tried to present these ideas in a clear and concise manner, but everyone should recognize that this is more than a mouthful and requires a real commitment of time and resources.
In this new age of ethics and compliance, and considering the significance of third party risks, companies are fast moving to employ automated due diligence systems. The reason for that is obvious – a due diligence system requires significant resources and cannot be manually conducted, unless the company is small and has limited resources.
Technology is the great enhancer to ethics and compliance, and automated systems for due diligence are perhaps the most important development in the compliance field in the last five years. For that reason, I have urged companies to define their due diligence needs, carefully consider all available options, and compare each of the solutions to make sure it meets the company’s needs for the foreseeable future.
Second, a company should adopt due diligence policies and procedures to ensure that company managers and employees are well aware of the due diligence program and the specific requirements. It is also important to define in advance the principles that will be applied to the due diligence reviews.
Third, a company has to conduct training on the due diligence program and the responsibilities of each employee to comply with the requirements. This process should include appropriate procedures for elevating third party concerns within the company and making sure that employees know who to notify and what types of issues may become significant relating to a third party.
Fourth, a due diligence infrastructure has to build on advice of counsel for design and adoption of written representations and warranties by third parties, as well as review and approval of specific actions taken. This is not only with respect to individual third parties, but also with respect to decisions made by the CCO to allocate resources or make general decisions as to ranking and analysis of groups or categories of third parties.
Finally, the CCO has to work closely with legal and the internal auditor to design a monitoring and auditing program that ensures that adequate auditing of third parties is conducted. It is one thing to secure contractual provisions providing audit rights to a company, but it is quite another to exercise those rights in a meaningful fashion.