If you work with ethics and compliance, I am pretty sure the topic of “third party due diligence” appeared in your email inbox at least once this week, either because you received an email offering services to conduct due diligence, there is an event on the topic, or you actually have to conduct one yourself.
One of the bigger challenges of implementing an effective compliance program is to ensure three things: that third-party assessments are embedded into company processes, that they effectively identify, capture, and mitigate the risks involved in a relationship, and that they create awareness about the “quality” of partners being selected.
Channel Partner Challenges
Third party assessments are particularly important for companies that operate through channel partners, which are distributors responsible for representing the company and selling its products to the private and public sectors. There are many advantages to employing channel partners, including increased market reach, better and more tailored logistics, and additional sales and marketing efforts. However, it’s also a reality that channel partners are often companies that may not invest in a sophisticated compliance infrastructure, or may be at an early stage of that journey.
In Latin America, it is not uncommon for channel partners to be family-owned and operated companies. Some may have formal and structured compliance processes, but many organizations are less sophisticated and work at the direction of their owners.
Hence, when talking about channel partners, a pertinent question is how companies’ due diligence processes can not only capture open source, publicly-available information, but also have the ability to detect other underlying risks. What is the third party’s compliance culture? How much have they invested, or are they willing to invest, in implementing controls or a more holistic compliance program?
Another parallel concern regarding due diligence is that these processes can represent a “snapshot” of a third party at a particular moment in time. If not updated periodically, companies can be surprised by how much that initial picture can change. Antibribery enforcement that started with the “Car Wash” operation in Brazil around 2014 demonstrated this problem: companies that would not even have been flagged for concerns in 2013 have ceased to exist now because of their involvement in corruption investigations. Such cases are becoming more frequent. An effective due diligence process must be able to capture this dynamic.
For that, some companies have developed well-structured monitoring systems where third parties marked with relevant red flags, or that represent a high risk, are monitored in real time for any adverse public information. This is an effective way to remain updated and to respond to changes in that high-risk relationship. However, real time monitoring requires investment and a robust system to flag issues that are relevant and respond when they arise.
Duty of Information and Audit as Tools
Depending on the size, industry, and financial strength of different businesses, the appetite to invest in due diligence resources can vary. For these reasons, instead of creating a monitoring system, it is not uncommon that companies will seek out alternatives to complement their due diligence processes. A common way of doing this is through the inclusion of compliance provisions in agreements. While these provisions can vary from company to company, almost all of them have two key themes: (i) duty of information, and (ii) audit rights by the counter party.
Duty of information applies when something occurs with one of the parties that might impact their agreement from a compliance perspective, otherwise called a “notifiable event.” Even though this can be a way for one party to be kept updated of any relevant events involving the other party, these obligations are not always exercised in the most effective manner and there may be disagreement about what constitutes a “notifiable event”.
This is where audit rights, and exercising them well, become an effective tool. Audit rights are often a controversial part of the negotiation of antibribery provisions, since there are always questions around the scope of such audits, what will trigger them, what will be done with the results, what level of information is included in the scope and who pays for the audit. However, the controversies around audit rights are less difficult if those rights are exercised, not as a response to an issue, but in a preventive manner and as part of a larger third-party due diligence program. Moreover, audits done by third parties may be even more acceptable, based on the interest of the company to expand businesses with that organization or help the channel partner improve their compliance program.
When done with a specific purpose in mind, audits can be beneficial to (i) identify risks that can’t be captured by a due diligence report, such as culture and stage of development of the channel partner’s compliance program, (ii) identify decision gates and related controls, and (iii) create more awareness about the business and dynamics of the relationship between the companies. Creating more awareness has the benefit of strengthening the relationship. It’s a chance for the company to audit the channel partner, but also for the channel partner to discuss and report issues they have with the company and even trigger meaningful investigations. Finally, from the compliance professional’s perspective, these audits are a unique chance to conduct “live” due diligence inside the premises of the channel partner, learn more about the business, and have a first-hand account of the challenges that channel partners may experience with end-users and final customers.
Successful third-party audits need to partner with the internal business relationship owners. The compliance department will establish criteria for selecting partners to be audited and the scope of the audit, but the business must be aware of the activity. The independence of the compliance department is key to an effective due diligence exercise, both in case difficult decisions need to be made with regard to that relationship, and so that the channel partner feels comfortable discussing any issues in the relationship. In particular, this enables them to report any business conduct issues related to the team that manages them. However, collaboration with the internal “owners” of the business partner relationship is not optional. They need awareness and are critical in facilitating data requests and a successful audit.
The most effective third-party due diligence process cannot rely on a single process but rather should be composed of a series of risk-based tools and processes to dynamically manage the risk, including external due diligence, monitoring, exercise of audit rights, and risk-based contract provisions.
About the Author:
Roberta Kanawaty Paoloni is the Ethics and Compliance Lead Counsel for 3M US and Canada Area. Mrs. Paoloni has 15 years of experience in legal departments of multinational companies, where she has been able to provide legal support and counsel for several different sectors, including health care, industry, traffic and safety, and automotive, while also acquiring strong experience in regulatory and EHS matters. For the past 5 years, Mrs. Paoloni has dedicated herself exclusively to Ethics and Compliance at 3M, where she led the department in Latin America, and now in US and Canada.