The rise in the number of third-party relationships has fueled worries for risk and compliance professionals, but organizations are increasingly well-prepared, with heightened involvement at the board and C-suite levels and greater recognition of reputation-related risks, according to a survey by Kroll.
The 2016 Anti-Bribery and Corruption Benchmarking Report also found that 60% of respondents were as concerned about bribery and corruption risks as last year while 30% are more concerned now.
Kroll found that executive-level engagement had a concrete impact on the perception of corruption risk. About 47% of companies had leaders engaged on this issue and, among those companies, employees were twice as likely to believe that their anti-bribery and corruption risks would either stay flat or decline.
When asked about the biggest issues or threats to the business—ranging from books and records violations to global expansion—respondents most often cited third parties. This was not surprising, as almost half said they work with 1,000 third parties and 17% with more than 25,000.
Lee Kirschbaum, president of Kroll’s compliance practice, was concerned by the high level of apprehension about third-party risks. “When we look at the enforcement actions, it turns out that about 75% are related to payments through third parties—meaning agents and distributors, network partners and supply chain,” he said. “But one-quarter of those interviewed said they were not confident they could identify those risks at all.”
Other issues tie into this as well. For example, few conduct ongoing monitoring of their third parties. In fact, less than half were doing third-party audits and only about a third were training their third parties.
Respondents admitted many third-party issues were preventable. “The largest response said that due diligence and assessment of the third party were not comprehensive enough; 42% said the issues brought up in due diligence were not adequately addressed and almost half said that, when an issue occurred, due diligence was not comprehensive enough,” Kirschbaum said. Another 43% said “other,” which many identified as the “speed to complete a deal.” This is a problem, he said, “because you can’t really complete red-level diligence if you are being pushed to get a deal done and no one is willing to slow that down.”
To avoid these pitfalls, Kirschbaum recommended that, as companies assess and evaluate their third parties, they take a risk-based approach. “The idea is not to treat all vendor risks equally. If issues could have or should have been caught, most likely you weren’t taking that approach,” he said. He also advised risk professionals to recognize that things change and that just performing due diligence or getting in front of your risks is not enough. Having an automated way to stay on top of risks as they change is important.
“You’ve seen it in the vendor management/supply chain space, where you are managing supply chain risks on an ongoing basis, but here, almost half are not conducting ongoing monitoring of third parties,” he said. “It’s really important to continually stay on top of the risks.”
Corruption and M&A
Mergers and acquisitions also demand more care: A quarter of respondents said they do not have anti-corruption measures in place for their transaction targets. “What you find is more comprehensive due diligence conducted on their third-party partners but less on transaction targets,” Kirschbaum said. “Only about 72% said they had any anti-bribery and corruption programs in place for their transaction targets.” As a result, the idea of assessing the anti-bribery and corruption programs of the acquired company often takes a backseat.
The situation harkens back to the involvement of the chief technology officer and the chief information security officer several years ago. “When companies were looking to complete a deal, the first call was the legal team, the bankers, the finance team and auditors and accountants,” he said. “If you were going to call in the CTO or the CISO, it was because you were going to run a test and make sure the network was secure.” Now, as companies complete more transactions where information security is relevant, the CTO or CISO is being brought into the process earlier. That is not yet the case with the chief compliance officer.
As a result, the chief compliance officer is not able to help their company understand whether a proper anti-bribery and corruption program is in place, or conduct due diligence on the third parties of the companies being acquired. “So, in essence, when you make that acquisition, you are potentially buying a risk,” Kirschbaum said.
He noted that organizations need to realize that anti-bribery and corruption is no longer just a matter of Foreign Corrupt Practices Act compliance, but a global issue. “There are quite a few global regulations where you are finding more enforcement actions, so it is important that companies place in the forefront the fact that bribery and corruption risks are substantial and that there are global laws that could impact their business,” he said.
When contemplating an acquisition, “having the chief compliance officer come in towards the tail-end of a deal, or not at all, should not be an option,” Kirschbaum added. “This is even more important for companies moving into new or unfamiliar jurisdictions.”