Author: admin

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2019 Evaluation that companies need to consider.

The key is to have a strategic approach to how you structure and manage your third-party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to control risk while optimizing the performance of your third parties.

Amalgamate third-parties but have fallbacks. It is incumbent to consolidate your third-party relationships to a smaller number to more fully operationalize your compliance program. This will make the entire third-party lifecycle easier to manage. From the compliance perspective, you may want to have a primary and secondary third-party that you work with in a service line or geographic area to retain this redundancy.

Monitor any subcontracted work. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors.

Legal Protections. This is where your compliance terms and conditions will come into play. Consider a full indemnity if your third-party violates the FCPA and your company is dragged into an investigation because of the third-party’s actions. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Finally, you need a clause that requires your third-party to cooperate in any compliance investigation. This means cooperation with you and your designated investigation team, but it may also mean cooperation with U.S. governmental authorities as well.

Keep track of your third parties’ financial stability. This is one area that is not usually discussed in the compliance arena around third parties, but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing.

Formalize incentives for third-party performance. One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes.

Auditing third parties. Critical to any best practices compliance program and an important tool in operationalizing your compliance program, this is a key manner in which a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Three key takeaways:

1. Have a strategic approach to third-party risk management.
2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
3. Managing the relationship is where the real work begins.

As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) devotes an entire prong to third-party management. It begins with the following: A well-designed compliance program should apply risk-based due diligence to its third-party relationships.  Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions. 
This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2012 FCPA Guidance and in the Ten Hallmarks of an Effective Compliance Program. They five steps in the lifecycle of third-party management are:

1. Business Justification;
2. Questionnaire to Third-party;
3. Due Diligence on Third-party;
4. Compliance Terms and Conditions, including payment terms; and
5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

1. Use the full 5-step process for third party management.
2. Make sure you have business development involvement and buy-in.
3. Operationalize all steps going forward by including business unit representatives.

After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his  BioProcess International article, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:
Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.

A way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.
Three key takeaways:

1. Even after you complete your risk assessment, you must evaluate those risks for your company.
2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.