It used to be companies were fairly comfortable with the idea that risk ended at the factory door. Outsource a solution, and it was less likely to tarnish the company’s reputation or lead to fines and other penalties.
Not so today. Melamine contamination showed the risks of outsourcing manufacturing, both vividly and tragically.
And, in the area of anti-corruption, blaming a bribe on a third party is no defense, as company after company has discovered.
Such was the case for Vetco International. The company had used a freight forwarder to ship its parts and get them through customs in Nigeria. In order to accomplish these tasks the freight forwarder was alleged to have been paying bribes in violations of the U.S. Foreign Corrupt Practices Act (FCPA).
As a result of that allegation, the subsequent investigation and the revelation that other bribes may have been paid, Vetco International found itself in a settlement with the Department of Justice for tens of millions of dollars. The planned sale of the company by its investors was also greatly delayed.
With potential penalties such as these, avoiding third party risk all together may sound attractive, but for many businesses that is just not possible. The question is: how do you work with third parties in as prudent a way as is possible?
“You need to sit down and assess the risk so that you prioritize what level of diligence you need to do. It’s can’t be a shotgun approach. You have to think of the risk factors for your company and the potential for harm.”
Marjorie Doyle, who was brought in by Vetco International to lead the company’s compliance program after this incident, suggests that companies begin with a risk assessment. “You need to sit down and assess the risk so that you prioritize what level of diligence you need to do. It’s can’t be a shotgun approach. You have to think of the risk factors for your company and the potential for harm.”
She explains that the assessment must address the fact that the risk level will vary greatly by country. One oft-used resource is Transparency International’s Corruption Perceptions Index, which measures perceived levels of public-sector corruption in 180 countries and territories around the world.
In addition to understanding country-specific risk, businesses need to assess the risk based on what service the third party is providing. According to Ms. Doyle, “If they’re just providing food services, there’s a big difference versus a customs services provider.”
Understanding those risks can be difficult when looking at them from a distance. “Clients face difficulties determining what is ‘really’ going on in offices and businesses located in jurisdictions far from the Head Office,” reports Lisa Kate Osofsky of Control Risks, a firm, which advises clients on a variety of regulatory risks and issues relating to white collar crime, including anti-corruption.
“It is understandable to want to delegate oversight responsibilities in these situations but doing so can result in loss of control and an inability to monitor appropriately business practices that may come under regulatory and legal scrutiny in the jurisdiction of the Head Office.”
Effective oversight begins with conducting a thorough assessment of the prospective third-party vendor.
At its most basic, it consists of a desktop review of the vendor’s financials and bona fides as well as a search of publicly available sources of information on the company. There are a number of services, including TRACE International, The Red Flag Group and The Steele Foundation that can provide help with this process and other related due diligence.
“Ethical due diligence should not stop there however,” says Ruth Steinholtz, former General Counsel of Borealis AG and consultant on ethics and leadership issues, “It is important to look at the proposed terms of the agreement to determine whether the financial terms are consistent with actual value being received. Otherwise, the services described may merely be a cover for an illegal payment.”
“In addition, it is crucial to determine if the vendor’s strength comes from business acumen or from being a relative of a highly-placed government official.”
In addition, it is crucial to determine if the vendor’s strength comes from business acumen or from being a relative of a highly-placed government official.
At a conference by the Society of Corporate Compliance and Ethics, a US Department of Justice official warned that a recommendation by a government official of a sales agent could be a red flag.
Ms. Doyle recommends that companies have an internal group to conduct high risk due diligence. She also recommends that this group make personal visits. “You need to do a thorough interview, including questions about their ethics and compliance program.”
She also suggested that this is an appropriate time to make the third party aware of the company’s own compliance expectations.
Some companies have also begun extending their compliance program to their vendors. Michael Levin is Vice President of Integrity Interactive, a compliance and ethics risk management consulting group.
According to Mr. Levin “Initially there was a walk before you run approach, with companies just wanting to communicate their standards, and document that the communication had taken place.
“The next step was to actually gather some affirmation or certification that the vendor will actually uphold those standards. And now we are seeing more and more companies extending their compliance training programs to their third party vendors.”
According to Mr. Levin, there is often a difference in the training provided to upstream versus downstream vendors. Upstream the training tends to be in the area of environmental and labor issues as well as the UN Global Compact. Quality expectations also tend to be an area for training. Downstream the educational programs tend to be much more about issues that can be highly detrimental to the business: corruption, unfair competition, and interactions with governments.
Even with training in place and an aggressive vetting process, ongoing monitoring is critical. According to Ms. Doyle somebody in the company, once the third party is hired, must have the responsibility to manage that relationship and conduct regularly scheduled audits, reporting, for example, any changes in ownership
She also recommends performing an evaluation of the third party much as would be done for an employee of the company.
Ms. Osofsky reports, “Our clients have found it helpful to run so-called corruption ‘health checks,’ where we interview employees at all levels, determine the extend of their understanding of corruption and crime risk, and feed this information back to management and legal teams.”
Of course, even with the best vetting and monitoring, problems can occur.
“If you sense something is wrong you have to dig down and investigate. You can’t let it go,” says Billy Jacobson, the Vice President, Co-General Counsel and Chief Compliance Officer of Weatherford International. Mr. Jacobson is also the former Assistant Chief for FCPA Enforcement at the U.S. Department of Justice.
According to Mr. Jacobson, “It could start with talking with the business folks who are in charge of this relationship, and that’s often a good place to start. But, if your concern is not mitigated, then oftentimes it is critical to talk to the third party him or herself.”
Mr. Jacobson reports that Weatherford International insists on audit rights over third parties and that there are times when those rights need to be exercised.
Unfortunately, even after an audit what really happened may still not be clear, he says. “Honestly, a lot of the time it is hard to prove anything one way or the other, and in the real world you are left with a nagging suspicion. In that circumstance, if we can’t substantiate that there is a violation of law or our policy, we will sever that relationship anyway, paying what is owed. But you have to walk away.”
Ending a relationship is not an easy process and can cause great anxiety for business units that depend on the third parties. Care must be taken to terminate in accordance with the terms of the contract in order to avoid potentially damaging lawsuits.
“Those instituting the strategy must evaluate and re-evaluate circumstances over time as business changes and develops. They must be willing to ask the difficult questions and ensure that they understand even the most complicated transactions and relationships proposed.”
“The hallmark of a successful due diligence strategy is vigilance and fearlessness,” says Ms. Osofsky. “Those instituting the strategy must evaluate and re-evaluate circumstances over time as business changes and develops. They must be willing to ask the difficult questions and ensure that they understand even the most complicated transactions and relationships proposed.”