Getting Started on Due Diligence of Third Parties (Part I of IV)
This week I am posting a series on due diligence. Also, I just released a new e-book on due diligence which can be downloaded here.
There are basically two types of people. People who accomplish things, and people who claim to have accomplished things. The first group is less crowded. – Mark Twain
In a former life (or even present life), Mark Twain had to have been a Chief Compliance Officer. His comments apply with uncanny precision to corporations. One can say that corporate politics often mirrors basic human motivations and behaviors.
In the corporate world, CCOs face a difficult task in attempting to bring compliance initiatives to fruition. Recognizing that third party intermediaries are often a significant, if not the most significant, risk that global corporations face, CCOs often begin their work by tackling one of the more difficult subjects – due diligence, third party monitoring, and overall third party risk management.
CCOs usually carry a banner when beginning this assignment – FCPA violations always involve some form of third party misconduct. Third parties rarely act alone but they are often significant players in a bribery scheme. In many cases, they are not only the main actors but they are the instigators who enlist the willing assistance of corporate officials.
To respond to this obvious risk, CCOs are faced with a daunting task – how to rein in the use of third parties, require compliance with due diligence procedures, and then monitor and audit the third parties to develop a documented record of efforts taken by the company to ensure compliance by third party actors.
Many CCOs rush into this process by first trying to collect information to identify the number and type of third parties being used by a company. Such a process can take months and depends on cooperation by business staff who do not understand why they are being asked to provide such information and may not see it as a priority.
CCOs who take this unfortunate first step have to take a step back and start over. What should they do?
CCOs have to secure a statement or action of support from the company’s CEO. A first and necessary step to facilitate this process is to make sure the CEO authorizes, is aware of, and supports the CCO’s task – to collect information, analyze the nature of the risk, and then design a due diligence program that responds to those risks.
Second, as part of the task, a CCO must enlist the support of others in the corporate hierarchy for his or her effort – for example, the General Counsel, the Head of Procurement, and the CFO, each of whom recognizes the need for designing and implementing corporate controls to mitigate third party risk.
A CCO who “goes it alone” is doomed to an inadequate effort that reflects a fundamental lack of corporate support. The CCO may, in fact, be able to initiate a due diligence system, but the program will fail to address all of the third party risks. Whether intentional or not, the CCO will face internal resistance because of inadequate justification and support from corporate leaders. The CCO will fail to garner corporate “buy-in” to the due diligence process.
A due diligence program that is built with patience and through a team effort will have a much greater chance of success. No due diligence program is perfect, and there are certain to be third parties that fall through the cracks or are never required to submit to due diligence. However, with the support of the CEO and other significant actors, a CCO has a good chance of eventually implementing an effective due diligence system.