Due Diligence and Risk Priorities (Part III of IV)
Believe it or not, life principles can be used in compliance, especially in due diligence. I always tell my kids that life has a way of setting priorities. As you get older, life becomes simpler and your priorities become clearer. Now watch this transition – the same goes for due diligence, not the age part but the priorities part.
Once you assemble information and data about your third parties, you can set priorities and simplify your due diligence process. Risk-based analysis of your third parties allows a CCO to allocate resources to address the higher risk relationships before the lower risk third parties.
With the information about your third parties, you can then start to slice and dice the data to develop some informational lists. Nothing is set in stone, but I consider each reference list as a guide to developing an overall list of priorities.
As an initial step, it is important to look a little deeper into the categories I outlined in Part II of this series. Not all third party categories can be compared using the same factors – it is an apples-and-oranges comparison in some cases. But within certain categories a comparison can be made.
First, I separate vendors and suppliers into distinct lists. Second, I examine those third parties retained for regulatory assistance as a separate category.
Only a small number of vendors and suppliers act in a representational capacity that could result in FCPA liability. As an example, a vendor acts on behalf of a company when it brings a special shipment of goods across the border from one country to deliver the goods to the company. If the vendor bribes a customs officer to get the special shipment across the border, the vendor is then paying a bribe on the company’s behalf. In the absence of a representational component to the vendor or supplier’s activities, the company cannot be held liable under the FCPA.
This analysis, however, only addresses FCPA liability. There may be other reasons to conduct due diligence of the vendor acting in a non-representational capacity – for example, there can be significant reputational risks in dealing with a vendor (e.g. human trafficking or slave labor issues), or the vendor could be part of a bribery scheme involving the company’s sales staff or a sales agent as a means by which to gain unauthorized access to money (e.g. shadow vendor).
With respect to an agent retained for regulatory purposes, the risks of such an agent engaging in bribery cannot be measured or compared based on factors relating to revenue. The value of a regulatory permit often cannot be measured by dollars paid to an agent, or by the value of an overall project. Instead, regulatory requirements are often mandatory, and a permit that is not obtained within normal timeframes can prevent further corporate activity or result in serious delays. For these reasons, these agents are often ranked based on the country in which they operate.
That leaves three significant categories of third parties that have to be examined – business agents, distributors and resellers, and professionals. Third party nominees rarely present any significant corruption risks, depending on the amount of any power of attorney or authority they have to conduct financial transactions on the company’s behalf.
Business agents, distributors, and resellers can be organized by countries of operation, amount of money/revenues they generate, the length of time the company has had a relationship with the third party, and the existence of a written contract. Of course, there is room for additional factors that can be relevant, such as whether the third party has had prior allegations of misconduct, has a robust ethics and compliance program, and has conducted training and provided certifications of compliance.
Professionals, like regulatory agents, have a varying role that can depend on the importance of the specific role played by the professional. For example, if a professional is lobbying the foreign government for a critical regulatory approval with a significant success fee, the nature of such representation can be extremely risky. Alternatively, if the professional provides legal services that include routine corporate filings, the risk of bribery is minimal. Again, an analysis of risks among the third party professionals is important to conduct.
Shining light on the scope and scale of third parties is a critical part of patiently building a third party risk management program. A focused risk analysis will clarify quickly which third parties require greater attention than others. Further, as part of the process, once third parties are identified, business managers may be able to reexamine the need for a specific third party and whether to continue the relationship with the third party.