Checking In on “The Year of Third-Party Due Diligence”
Hui Chen, the Department of Justice’s Compliance Counsel, recently stated that 2015 was the year of due diligence and third-party compliance. A recent survey conducted by Kroll and Ethisphere provided a status check on how the due diligence compliance effort is going.
Many companies have heard the message about the importance of due diligence compliance and instituted due diligence systems, hopefully using automated programs. Companies that continue to rely on paper due diligence systems are only asking for trouble, or better have a small population of third parties.
Recently, Kroll and Ethisphere came out with an interesting survey on third party due diligence. A copy is available here.
Companies continue to rely on third parties – nearly one half of all companies responding to the survey have more than 1000 third parties, and almost 20 percent deal with more than 25,000. Risk-ranking systems are the only way to survive when handling this large a third party population. Interestingly, one in four companies lack confidence that their company’s controls could identify potential third party violations of anti-corruption laws.
Almost half of the respondents conceded that they lack adequate resources to support their company’s anti-corruption compliance program. With increasing growth and lack of adequate resources, companies have to redouble their efforts in due diligence and managing third party risk.
To do so, automation is essential, coupled with risk-ranking strategies to justify allocation of resources to higher risk third parties. For many companies, due diligence is a time and resource intensive process, especially considering the numbers of third parties companies are using. Compliance has to reach out and rely on business staff to gather additional information from the proposed third party.
The key to making any due diligence system work is risk-ranking based on documentation and a legal analysis of the proposed strategy for allocating resources. When combined with an advice of counsel memorandum, the company can demonstrate its good faith to review the riskiest third parties using the most efficient allocation of resources.
Interestingly, the Kroll/Ethisphere survey found that the most significant reason for third party malfeasance was a failure to conduct enough due diligence (48 percent). This may reflect perfect hindsight but it raises a question as to whether enough due diligence is being conducted based on the assigned risk, and whether the candidates are withholding important information needed for due diligence. If companies are cutting corners in the due diligence process, this is bound to come back and bite them for failing to act.
The three most common reasons for rejecting a proposed third party was consistent with the prior year’s survey – reputational concerns, questionable relationships with government officials, and unusual contract and payment terms.
The survey noted a positive development – almost three quarters of companies were relying on contractual provisions to communicate and enforce compliance expectations. I have always maintained that contractual provisions can be used as an effective tool to ensure third party compliance with specific compliance requirements.
A little over half of all companies require third parties to acknowledge a third party code, and a similar percentage require acknowledgment of the company’s code of conduct. This represents a new and welcome development – companies are adopting third party codes of conduct and imposing the requirements on their third parties as a condition to doing business.
Training of third parties continues to be a challenge. Only one-third of companies reported training third parties. I would expect that number to increase in the coming years as companies employ web-based training systems that provide easy access for third parties.