Globalization and the rapid rise of outsourcing have vastly increased companies’ dependence on multi-tiered suppliers and other third parties. While this has led to greater efficiencies, it has also added new legal, financial and reputational risks as companies are increasingly in investigators’ crosshairs, and in media headlines, due to the actions of rogue third parties.
Stricter national and international laws now clearly hold companies responsible for the corrupt practices of their business partners. Examples include the OECD Anti-Bribery Convention, the United Nations Convention against Corruption, Canada’s amended Corruption of Foreign Public Officials Act and the U.K. Bribery Act.
Spurred by international cooperation in fighting terrorism and money laundering, improved cross-border investigation and law enforcement are making it harder to hide the fruits of corruption. Civil fines and criminal prison sentences are on the rise, even in countries once presumed to have lax compliance standards. These penalties and severe reputational damage are forcing companies to take a more serious look at managing third-party ethics and compliance risks. As a result, in order to maintain effective third-party relationships while simultaneously mitigating risk, companies must first understand the current landscape.
Recent legislative developments mean that the perimeter for compliance risks no longer ends at a company’s own facilities or with its own employees. Regulators expect all companies to have compliance programs that reflect their risk profile, and larger companies with more resources or those active in high-risk regions should have the most robust programs in place. It is therefore important that programs be structured according to a serious assessment of risk and a targeted mitigation plan.
So what can companies do? First, go back to the basics. Before hiring third parties, demand a clear explanation of what service they will perform and value they will deliver. Also confirm that you do not have the capacity or know-how to do it internally; never hire third parties just for expedience.
Conduct an initial risk assessment to determine the level of due diligence that will be necessary for each third party. This sounds harder than it is. By developing a simple questionnaire and process, you can quickly determine whether the prospective third party presents a high, medium or low compliance risk. For example, does the third party operate in a country ranked poorly on corruption indices? Will it interact with government officials? Is it owned by, or closely affiliated with, government entities? Is it requesting unusual commercial terms like payments into foreign bank accounts?
Structure your due diligence based on the results. Low risk may only require basic internet-driven research with some local inquiries into the prospective partner’s reputation. But a high-risk third party (such as one located in a notoriously corrupt country or one that will interact with government officials) may require a more intense review, including personal site visits and meetings. With higher-risk third parties, you should secure the right to audit, with or without warning, for ethics and compliance matters. All third-party contracts need to adhere to your code of conduct or a comparable set of ethics and compliance standards.
Be very clear internally about who is responsible for signing the contract with a third party and designate who will be accountable for managing the ongoing relationship. A low-risk third party today (through a merger, management change or any number of factors) can become a high-risk partner next year. Thus, it is critical to periodically update your due diligence.
All departments that interact with third parties (such as legal, audit, quality, sales and purchasing) should help manage the risk. Employees who have doubts or suspicions about a third party’s behavior should know whom to contact and feel comfortable enough to do so.
Trust your third parties, but don’t be naive. Verify where you have sufficient reason to suspect gaps. Reward business partners who meet your ethical and compliance standards while encouraging improvement among those who don’t. Many companies offer assistance to their third parties, including training and on-site coaching, to help them meet and exceed desired standards.
You can have an effective, lean ethics and compliance program if you create a culture that makes everyone, including your business partners, aware of their responsibility to act with integrity. Partners need to understand that adherence to your standards of ethical and legal behavior is not a choice, but a requirement for doing business.