What constitutes a risk-based approach?

By Dennis Haist, General Counsel and Compliance Advisor for Steele CIS

 Does your current or proposed third-party compliance programme meet regulatory expectations? Would US and overseas regulators agree? How can you be sure?

The rise of new anti-bribery and anti-corruption (ABAC) laws and the enforcement of those laws around the world have increased the scope of corporate compliance department responsibilities. A major element of any corporate ABAC programme involves the performance of due diligence on third-party intermediaries. And, for good reason. Regulators routinely uncover evidence that a corrupt act was committed by an intermediary acting on the company’s behalf, both with and without the company’s knowledge.

Performing risk-based due diligence on intermediaries has become a critical practice for companies to confidently mitigate third-party risks. Assigning the appropriate level of due diligence for the company’s third parties requires assessing risks objectively and systematically. In order to build a credible and practical risk model, company executives must understand how the company operates across its business units, regions and subsidiaries.

While debate remains around how much due diligence to conduct and how often, there is no debate as to the necessity of conducting risk-based third-party due diligence. That leaves compliance professionals in a precarious position. Despite the fact that there is consensus in the market that a risk-based approach represents a best practice, there is clearly confusion as to what constitutes a risk-based approach.

A company and its officers cannot choose to abstain from performing third-party diligence, either. The era of turning a blind eye is behind us. In fact, there have been several instances in which individuals and companies have been prosecuted and convicted where actual knowledge of payments was not present but would have been, had sufficient due diligence been performed. Building a credible ABAC programme is paramount in protecting corporate reputation and assets, shielding executives and management from personal liability and providing significant competitive advantage in a challenging global business environment.

Companies face many hurdles in their race to implement risk-based due diligence

Despite the significant risks posed to companies by intermediary relationships and the need for risk-based due diligence, business and compliance leaders often struggle to adopt even the most basic controls to effectively on-board third parties and manage and monitor risk.

There is a simple reason for their inaction: the complexity of creating or redesigning a compliance programme so that it can effectively vet third-party relationships can be overwhelming. Adding to the complexity and causing confusion is the widespread misinformation and misuse of terminology regarding regulatory expectations. One extreme argues that a cursory approach, such as a database check applied to all third parties, is all that is necessary, while the other extreme argues the need to invest in robust, proactive countermeasures.

One clearly accepted standard is that risk-based third-party due diligence and ongoing monitoring are critical elements of any ABAC compliance programme. This in itself is overwhelming because of the sheer volume of third parties that most large US companies engage.

How companies benefit from risk-based due diligence

Corporate compliance professionals often believe that their companies have well-designed compliance structures for monitoring risk and enforcing ethical behaviour within their organisations. But the truth is that most are struggling with the best way to expand and design programmes that truly identify and manage risk with business partners and intermediaries.

A risk-based approach is a methodical and systematic process of knowing the company’s business, identifying its risks and implementing best-practice measures that mitigate those risks. Recognising and being able to articulate the value and purpose of a risk-based approach to managing third-party due diligence is an important step in building credibility in the compliance programme.

Building the foundation: ensuring stakeholder support and alignment

The process of creating a sustainable risk-based ABAC programme involves several steps.  The first is to identify the right stakeholders to participate in the development and rollout of the programme. This must include key business leaders, the general counsel, compliance officer and likely member(s) of internal audit, procurement and IT.

Importantly, without involvement from the sales and business development teams, the process will be flawed from the start. After all, the business development team knows the business process with which the compliance process will need to integrate. Forgo input from the business about how they onboard third parties and there is significant risk of implementing a compliance programme that is overly complicated and impractical, which could adversely impact the health of the business.

“A well-structured risk model will improve the quality of data, reduce due diligence costs and strengthen the credibility”

The compliance manager and those responsible for implementing the programme must know the business before they can understand the company’s risks. Before any assessment of third parties can be conducted, it is critical to understand exactly how the business functions in all of the markets and jurisdictions in which it operates. This requires one or more senior managers to visit various operating locations to understand their sales processes and how they conduct business in each region. How are people conducting themselves in the regional offices? Do practices vary by business line or business unit? What cultural or social norms are influencing the conduct of business? These questions are best answered by in-person interaction and observation.

The variances in these business practices inherently create legal exposure if not properly controlled. By understanding the business process, compliance managers will better understand the complexity and severity of the company’s risks. Moreover, by understanding those risks, they can then make more informed decisions about the resources and framework that need to be deployed in order to mitigate exposure.

With this information in hand, companies can form the framework of their third-party risk model. A well-structured risk model will improve the quality of data, reduce due diligence costs and strengthen the credibility of an organisation’s programme in the eyes of regulators.

A step-by-step approach to implementing risk-based compliance

With more than 26 years of experience, STEELE CIS specialises in helping multinationals deploy credible and defencible compliance programmes designed to withstand regulatory scrutiny. Our practical expertise in developing risk-based due diligence programmes for Fortune 1000 companies in more than 190 countries allows our clients to breathe easier knowing that we’ve helped guide their third-party compliance efforts. From our experience, implementing a risk-based approach to third-party due diligence generally involves the following steps:

  1. Develop a risk inventory

Aggregate third-party data that the company has relationships with across all IT systems. Normalise the data and cleanse it for duplicates and errors, then determine the type and purpose of the relationship. There will likely be many more third parties than originally estimated. Examine ERP and CRM systems, accounts payable records, point-of-sale data, business reviews and any other source that may reveal use of an intermediary. This process must be as robust as possible, automated and run continuously to capture and include newly added third-party relationships.

  1. Perform an initial risk assessment and create third-party risk profiles

Determine the general risks that may be posed by the intermediary. Is it in a country known to be a high risk for corruption? How much business does it do with the company? What percentage of the intermediary’s business depends on your business? What is the compensation structure? Does it interact with government officials? How much control do you have over the third party?

There are approximately two dozen common risk factors that most companies will consider for inclusion in their risk calculation, but the key is to select only those risk factors that are consistently captured or carried out in the company’s business process, since including a risk factor that is only relevant some of the time can skew the risk score calculation.

Based on the risk calculation, third parties should be associated with a risk profile and tier that has a prescribed scope of due diligence. Also during this process, applicable contract documents can be checked to ensure that they contain ABAC representations and warranties and audit rights. If the on-boarding process for third parties includes completion of a due diligence questionnaire, answers to certain questions can factor into the risk associated with the third party.

  1. Conduct investigative due diligence

Address those third parties in the high-risk category first. This is where most resources should be spent. Those in the low-risk category can be assessed later in the process. Allocating resources in this manner will ensure the most efficient use of time and money and, based on our knowledge and experience, will be viewed favourably by the US Department of Justice and the Securities and Exchange Commission.

“A robust compliance programme can protect corporate reputation and assets, shield board members and management from personal liability and provide competitive advantage”

When conducting due diligence on a third-party intermediary, there are several considerations that should be addressed: the nature of the services being delivered; shareholder and management identification; relationships with government officials; the intermediary’s use of third parties; historical compliance issues; conflicts of interest; and the third party’s internal control structures. There are many issues that are specific to each company; therefore, it is not possible to follow a prescribed formula, but these considerations can be used as a basis.

  1. Resolve red flags

Address red flags or deficiencies identified during the due diligence phase. In some extreme cases, it will be more efficient to sever ties and walk away, but often it is possible to remedy issues with the third party by providing training, contract revisions and other steps. A robust and auditable investigation conducted in line with the company’s anti-corruption policy is required to ensure a credible and defensible programme.

  1. Commit to ongoing monitoring

Depending on the nature of the relationship and the level of risk, it will be necessary to monitor and re-evaluate existing third parties on a regular basis. Expect that risk profiles will change as some lower-risk third parties may become higher risk in the future, while high-risk third parties must be reviewed frequently to ensure compliance with established terms and conditions.

Risk-based due diligence: no longer optional, but there’s help at hand

Corporations that implement effective risk-based third-party due diligence programmes are demonstrating to regulators that they are serious about tackling corruption. With energetic enforcement by regulatory agencies around the globe expected to continue to increase, the risk to companies, executives and boards of directors continues to rise. Possessing a robust compliance programme can protect corporate reputation and assets, shield executives, board members and other management from personal liability and provide significant competitive advantage in a challenging global business environment.

While it is important to follow the structure of a programme as outlined here, each company has a different appetite for risk based on its industry, size and the countries in which it operates. Therefore, no two compliance and risk models will be identical. STEELE’s compliance professionals understand that there must be a degree of customisation and flexibility to ensure that a risk-based compliance programme fits a company’s culture, risk appetite and budget.

One Sansome Street,Suite 3500, San Francisco, California 94104, USA

http://ethicalboardroom.com/regulatory/third-party-compliance-programmes/