To do business today, companies rely on far-flung, interconnected networks of third-parties. Local partners offer market knowledge and in some cases, these partnerships are legally required. But ensuring anti-corruption compliance by third parties over whom a company may have little control can be a complex task.
In emerging markets, where the business sector may be less developed from a compliance perspective, the difficulty can be exponentially greater. Given that most bribery resolutions involve some third party misbehavior, this is a major issue for companies.
The most visible business impacts of corruption include reputational harm, financial losses, legal proceedings, and disruption of business operations. The long-term effects can also be damaging—corruption can expose a company to continued extortion; charges and enforcement actions can increase insurance premiums; and companies can also be excluded from bidding on government and international financial institutions contracts.
Meanwhile, enforcement continues. The latest report from OECD Working Group on Bribery published in 2018, states that as of December 2017, members to the OECD Anti-Bribery Convention had criminally sanctioned approximately 560 individuals and 184 entities. Laws also continue to be strengthened. According to the same report, in 2017 alone, three countries enacted significant anti-bribery reforms. The momentum has not stagnated. In recent months, the Mexico Government has been making moves in line with its “zero tolerance for corruption” policy—charging the former head of the state-owned oil company with bribery and tax fraud.
Every company today works with third parties: from agents, consultants, distributors, and resellers to government service providers, transportation companies, professional services firms, and joint venture partners. Given this vast range, it is a complex task for a company to fully manage and monitor corruption risks. However, there are some processes that can be put in place to minimize exposure.
Understand Your Risk
Risk-ranking third parties into categories such as high, medium, and low risk will help companies tailor due diligence and use resources wisely, an expectation of enforcement authorities and just good practice. Factors to consider when performing risk assessments include where the third party is located; how business-critical it will be; whether it will have touch points with government officials; and how it will be paid. When you have risk-ranked your third parties, you can determine the amount and type of due diligence that you should undertake.
It’s also important to know why you are using specific third parties in the first place. If your company is under the spotlight by enforcement officials, you will need to be able to explain the business rationale for hiring that third party. The 2019 U.S Department of Justice Criminal Division Evaluation of Corporate Compliance Programs Guidance emphasized this point as well. As part of the process of hiring or considering a third party, consider these questions: How did we learn about this third party? Were they recommended by the government or others? Do we have expertise in-house already? Many companies today are looking to reduce risk by minimizing the number of external partners.
Conduct Appropriate Due Diligence and Follow Up
Depending on the risk, your due diligence process can range from an ownership review, financial health check and a sanctions or black list review for low risk partners, to interviews, site visits, and hiring an outside investigative firm to look into the potential partner for those you consider high risk. If you find red flags, take appropriate follow-up measures and document the process.
Get It in Writing
If you proceed with a third party relationship, ensure that you use the contracting process to secure compliance commitments. You have the greatest leverage with a potential business partner before the contract is signed. At a minimum, contracts should include:
- A scope of work and compensation structure
- Compliance representations and warranties
- Compliance training requirement
- Audit rights (consistent with local law) and an agreement to cooperate in any investigation
The DOJ Guidance also stressed that prosecutors expect to see contract terms that specifically describe the services to be performed by the third party, with the compensation described as well. This is good practice—once the terms are defined clearly, it is harder for a third party to argue that they are acting on behalf of a company.
Set the Tone
Once the deal is signed with a third party, there are several steps that will help to offset risks and guide appropriate behavior.
Communication and training are vital elements of an anti-corruption program. First, you should train your own employees on how to manage the third party relationship and ensure that training is specific to their role and the risks they may face. Whoever owns the business relationship should be trained on how to follow-up with third parties and how to do checks on whether they have the systems in place to avoid corrupt behavior.
Additionally, it is important to regularly communicate with your third parties to ensure they understand your code of conduct and anti-corruption policies and requirements, provide compliance reminders, and answer questions that may arise.
If you have been able to secure a compliance training requirement in your third party contract, check to ensure it is actually being carried out. Many companies today also provide targeted training for third parties, or at the very least, a training requirement.
In high-risk scenarios, it often isn’t enough to tell your business partners what you expect by giving them your code of conduct or having them certify compliance—although those things are obviously important. You may need to go deeper in terms of engagement through training, capacity building and technical assistance.
Manage the Relationship
Monitoring your program is another essential element of an effective anti-corruption program. Conducting annual “health checks” can be valuable for ensuring that the program is running smoothly and policies and contract terms are being followed. Monitoring should also include periodic unannounced site visits, formal audits and transaction testing.
What should you do if something goes wrong? First, you act quickly to fix any problems that arise using the remedies you have negotiated in the contract. You should also use information from your monitoring to improve your processes and keep problems from recurring.
The spotlight is on anti-corruption today—from new laws to increases in enforcement activity. Companies putting systems in place to prevent bribery now will reap the rewards in the years to come.
About the Author:
Leslie Benton is a Vice President at Ethisphere, where she engages with global companies on assessing and benchmarking anti-corruption programs and building capabilities across organizations and with third parties. Additionally, she leads the anti-corruption initiatives at the Center for Responsible Enterprise And Trade (CREATe.org); and is one of the ISO 37001 Anti-Bribery Management Systems Standard drafters as a member of the U.S. Technical Advisory Group to the ISO committee developing ISO 37001.