One of the areas many companies do not focus on enough is possible corruption in their supply chain for goods and services provided on a company’s behalf. The FCPA risks can be just as great through those entry points as they can be through the sales side of an organization. You need to know whom your company is doing business with through this channel as much as you need to know your agents seeking business opportunities on your behalf. Most companies have exponentially more vendors than sales agents, so this task may seem daunting. However, a well-thought-out plan to risk rank your company’s third parties on the supply chain side can go a long way toward ameliorating this issue. The key is setting reasonable parameters and then managing those third parties that present real corruption risk to your organization.
This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including such factors as whether the supplier is (1) located or will operate in a high-risk country; (2) associated, or recommended, or required by, a government official; (3) currently under corruption investigation, or has been recently convicted of any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls; or (5) a provider of widely available services and products that are not industry specific. You should note that any supplier with foreign government touchpoints should move up to a higher level of scrutiny.
I suggest that you create a three-tiered risk matrix consisting of (1) high-risk suppliers, (2) low-risk suppliers, and (3) minimal-risk suppliers. Below this final category is another category for providers of goods that are commonly available and pose almost no corruption risk.
It would be best to risk ranking the third parties your supply chain might engage with for FCPA exposure. It should be based on your company’s experience and risk going forward. As with all third-party risk management issues, you must “Document, Document, and Document.”
Three key takeaways:
- Risk rank your supply chain based on well-conceived strata.
- Consider not only the compliance risk but also your business risk.
- Only manage those suppliers who present a corruption risk.