While third parties can be essential to many businesses, these companies and individuals also represent the single greatest concern for compliance officers when it comes to corruption risks. Since third parties comprise the vast majority of cases and enforcement actions involving the Foreign Corrupt Practices Act (FCPA), it stands to reason that compliance departments need to focus on stringent third-party due diligence programs.
It is important to thoroughly investigate third parties before beginning a relationship, but monitoring them after initiating such a relationship requires equal effort and resources. A comprehensive monitoring program that includes annual certifications, adverse media reports, new background checks or even full audits could impact decisions to work with third parties in the first place or allow companies to take on more high-risk partners. Meanwhile, third-party compliance training programs can help mitigate some of the attendant risks and alter the risky behaviors of those working for or on behalf of the company.
Third-party compliance training programs must explain in detail your company’s policies and all relevant laws concerning bribery, gifts, hospitality and the expected code of conduct, and provide detailed instructions on how to submit exception requests, file expense reports and complete other paperwork. In addition, there are four key questions companies need to consider as they develop their training program:
- What kind of third party is it? Categorize the third parties your company works with in order to accurately develop a compliance training program. Just as not all in-house employees are subject to the same training program, not all types of third parties need the exact same training.
- What do your third parties need? The curriculum of your compliance training must be tailored to the needs of your third parties. Generic, pre-packaged programs will likely not meet your specific requirements. Content should not only take into consideration the local language, but also the environment. Do employees have access to computers to take the training? Should training be customized to be accessible from a specific type of device? Would on-site training make more sense?
- Where are your third parties located? Your third party’s location determines what you should include in the training. FCPA training and U.K. Bribery Act training should be delivered to most of your third parties since these laws have global jurisdiction. Local anti-bribery and corruption laws may differ from one place to another, however, requiring a special focus for certain firms. Likewise, the thresholds set for gifts and hospitality are not the same across geographies. Even cultural business practices diverge. Thus, awareness of the applicable laws and customs in local jurisdictions is essential when building out your third-party training program.
- Is the training relatable? The more your third party can identify with the training, the more likely it is to stick. Including real-life scenarios with which the third party’s workers can identify and that reflect employees’ day-to-day tasks will resonate more. Again, consider the third party’s location and environment when coming up with personalized scenarios.
Once you have designed your training program, these three steps will help you implement it to greatest effect:
- Educate about the company’s ethics. Creating a culture of compliance requires the participation of all employees working on your behalf, even third parties that are geographically removed from company headquarters. Many companies that were assumed to have—and may truly have had—a high level of transparency have become embroiled in corruption investigations or hit with large FCPA fines because some third party offered or took a bribe on the company’s behalf. Employees who engage with third parties in high-risk countries should emphasize this is not how the company does business. If corrupt practices are common in your third party’s area, pressure to meet performance targets might push them in an unethical direction. Insist your third parties adopt the values and business ethics of your company regardless of location.
- Put technology to work. Combining your due diligence program and your compliance training can be a challenge. Putting technology to good use could help, however. Centralizing all third party-related data will provide your organization with the overview needed to customize training to different third-party groups and a clear visualization of high-, medium- and low-risk third-party groups can facilitate decisions on the frequency with which you should deliver training.
- Use automated messaging. As much as training is considered the primary means of bringing policies and procedures to life, some argue nudging is more effective in steering people toward the right behavior. Regular automated reminders of policies and codes of conduct will help reinforce compliance expectations and policies.