Companies use business partners all over the world, each of which poses different risks to other business partners. When assessing the risk posed by a prospective partner, many compliance officers rely on the country of origin to determine the degree of due diligence required. This can lead to approaching compliance as a check-the-box endeavor, when it requires thought, skill, experience and business knowledge to generate maximum benefit.
There is no doubt that there are places in the world that might present higher risks of, say, corruption than others—for example, those countries where government is closely linked to business, where state-owned entities are at the heart of every deal, or where there has been a history of revolving doors involving government officials entering into business fields.
Similarly, there are places in the world that might give rise to a higher risk of sanctions, particularly given that most sanctions are on countries and around the export of certain products. It is not difficult to work out the countries (Sudan, North Korea and, to a decreasing degree, Iran and Cuba) and the sorts of products that are subject to export and import restrictions (weapons, explosives, chemicals).
What is interesting, however, is the growing focus among compliance and business teams on using the country of registration of the proposed third party as their initial cull mechanism to determine whether to proceed with due diligence or dispense with it entirely. Country risk assessment occasionally extends to countries where the company actually does business, and not just its place of registration, but many companies simply focus on the place of registration. They then use a perceived list of corruption-ridden countries as the basis for making that risk determination.
If the country appears to be a lower risk on Transparency International’s Corruption Perceptions Index, for example, then many companies give a prospective company in that location a pass and proceed with minimal or no due diligence. But using the country as the sole factor for sorting through a list of subjects for due diligence presents some serious challenges:
- Classifying a country as high risk is too simplistic. The Red Flag Group has worked on more than 100,000 due diligence cases over the past 10 years and has found that the country with the greatest risk for fraud is actually—by far—the United States. There is greater risk of collusion, price fixing, theft, fraudulent invoicing, intellectual property infringements, commercial corruption and conflicts of interest in the United States than in almost any other country, and yet most companies would not even dream of doing due diligence on their U.S.-based partners.
But just because a country is high risk in one area does not mean that a third party in that country should be rated as high risk overall. It is only high risk if the risks that are inherent in that country and what the third party is doing for you actually overlap.
It is too simplistic to rate a country as high risk and then apply that label across the board. If your company is engaging a company in India (a high-risk country for corruption) to provide domestic delivery services, then it is probably a low risk for corruption despite being in India. If the company is providing cross-border transport and importation through customs, however, then it would naturally be high risk in India because of the high corruption risk.
Similarly, if the third party is in India but you are using it to develop software, why would that third party be declared high risk just because India has been declared high risk for corruption? There are many factors that might make this company a high risk, but corruption is probably not one of them.
- Most indexes assess only one risk. While corruption is important, it is nowhere near the only risk that should be considered. Testing a third party’s integrity should be done against more risk areas. Applying a list of corrupt countries to a company’s place of registration might give it a passing grade, even though it may be very high risk in those other areas.
Businesses should always be asking, “What can that third party do to hurt us?” Take the previous example: If you are having an Indian service provider build software for you, you should be more worried about code quality, incorrect use of open source licenses, embedded intellectual property rights from third parties, and general sloppiness of design and user interface than about whether the company bribed someone to get power connected to its building.
- Country risk assessment should be based on your company, not an NGO guidepost. The most important factor in assessing third-party risk is what that partner is actually doing for your business. While applying a country risk score may be a key part of the compliance officer’s process, this should be based on both negative and positive factors that are ultimately relative to your specific company. If, for example, there are countries in which your company is investing heavily, then you might want to make sure that your business partners in those countries are above board, rather than focus on the countries that represent a smaller percentage of revenue.
If you are going to use country as a risk factor, then it should be one of many risk factors examined. The actual “risk” of a country should be determined based on characteristics like economic growth, foreign investment, the legal and ethical risks of doing business in that country and in that industry and, most importantly, the type of work being done by the third party. If you are a retailer that only sells to consumers and has minimal connections with government, then why should you rate a country ranked poorly on the Corruption Perceptions Index as a high risk for you?
- Country risk should be about priority-setting. If the argument is that you use country risk as more of a guide as to where to prioritize due diligence initiatives, that is fair enough. Rolling out a program based on certain countries is natural, practical and makes sense, provided that the countries have been chosen intelligently, based on business objectives.