Day: January 17, 2021

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizingcompliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.
Managing your third-parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.
Three key takeaways:

1. Have a strategic approach to third-party risk management.
2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
3. Managing the relationship is where the real work begins.

As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in  that  industry  and  geographical  region.    Prosecutors  should  further  assess  whether  the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

1. Business Justification by the Business Sponsor;
2. Questionnaire to Third-party;
3. Due Diligence on Third-party;
4. Compliance Terms and Conditions, including payment terms; and
5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third party management.
2. Make sure you have business development involvement and buy-in.
3. Operationalize all steps going forward by including business unit representatives.