Five key concerns your board needs to know about third-party risk

A strong third-party supply chain is critical to most businesses today. However, a bad vendor or intermediary can have a devastating impact on your company’s reputation and commercial viability.

While a critical consideration at any time, third-party risks have recently increased due to the current rapidly changing business environment where organisations are onboarding new vendors and suppliers quickly without undertaking the appropriate due diligence.

Here are the five crucial factors your board needs to know about third-party risk.

1. Senior management can be personally at risk

A third-party infringement can mean more than a corporate fine. Under the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, Sapin II in France and similar legislation in other jurisdictions, employees, including senior management, can be held personally liable for corrupt behaviour enabled by their third parties.

The publication of the ‘Yates Memo’, and its amendment in 2018, signaled a new focus from regulators to identify all individuals substantially involved with incidents of corruption occurring within a business.

Your board needs to fully understand the risks that third parties expose your organisation to and provide oversight to safeguard its employees, and themselves, by establishing appropriate third-party risk controls across the business.

2. Legislation has become increasingly prevalent

Staying up to date on third-party risk is not easy. A supply chain can extend across many businesses and jurisdictions, each of which has its own legislation. Your board must be made aware that virtually every geographical region, industry sector and type of transaction is subject to anti-corruption legislation.

While the regulations implemented by the US, UK and French governments may be best known, a growing number of countries are implementing and updating their own anti-bribery laws.

For example, since 2018, the United Arab Emirates has strengthened its bribery regulations to explicitly include indirect bribery as an offence; India has expanded its Prevention of Corruption Act to include bribes involving public servants, while Italy passed the spazzacorrotti or bribe-destroyer act in 2019, increasing the penalties for individuals and companies engaged in bribery. Similar provisions have also been passed into law by numerous other countries, including Australia, Peru and Russia.

For most organisations, the chances of a violation, despite the best of intentions, are unacceptably high. As business footprints grow globally, the need for better oversight of third-party risks is key to ensure adherence to country-specific legislation.


3. Enforcement has surged globally

Your board needs to be aware that in addition to stricter laws, third-party risk is also now subject to more vigorous enforcement. Light-touch policing is a thing of the past. 

For example, while the FCPA was passed into law by the United States in 1977, neither of its enforcement agencies, the Securities and Exchange Commission nor the Department of Justice, managed to enforce more than ten cases a year between 1977 and 2000. 

But then a new ethos took hold. Since 2008, enforcement has been on another level and in 2019 these two agencies made 49 enforcement actions with an average sanction of more than $200 million. The reach is broader too. In both 2017 and 2018, enforcement actions against foreign corporations under the FCPA outnumbered those against domestic US companies. Clearly, the days of ignoring these regulations are over. 

We are also seeing enhanced cross-border co-operation, increasing both the likelihood of prosecution and the size of the penalties imposed, particularly on non-US firms. Such instances have led to a growing number of prosecutors regarding action in one state as a green light for their own investigation.

Recent bribery inquiries into a Dutch offshore services company offer a prime example of an initial bribery settlement prompting multiple follow-on prosecutions from different government agencies. In 2014, the company paid $240 million to settle a Dutch investigation into improper payments made to officials in Angola, Brazil and Equatorial Guinea. In 2017, the company then paid an additional $238 million to settle US FCPA violations, while in 2018 it paid a further $189 million to Brazilian authorities to settle the same corruption charges.

As legislation is implemented more widely, boards need to know that both enforcement policies and cross-border co-operation greatly multiply the chances of an infraction ending up in the courts.

4. Action taken now can be a powerful mitigator

Leniency is a growing trend that boards need greater awareness of, as prudent and proactive actions can lead to forgiveness from law-enforcement agencies and in turn mitigate the heavy financial impacts of an investigation, including fines, legal costs and reputational damage.

In one instance, a US-based IT company avoided prosecution entirely by the SEC, despite an employee paying $1 million in bribes to Chinese health officials to win contracts for a newly acquired Chinese subsidiary. There was no doubt about the crime as bribes were fraudulently recorded as “entertainment” and “office supplies”. The SEC stated it declined to prosecute on the grounds of thorough due diligence, a commitment to training Chinese staff and prompt self-reporting.


“Making third-party due diligence the centre point of an effective compliance programme is an important statement about intent to come into compliance,” says Michael Olver, an expert in complex multi-jurisdictional corporate investigations and chief executive of Pacific Strategies and Assessments. “This can have a significant and overwhelmingly positive impact on the resolution to prosecution, fines or any monitoring requirements.”

Sweeping changes are being made to corruption regulations globally to encourage penalty reductions, namely through the introduction of deferred prosecution agreements (DPAs). DPA clauses have been added to regulations by the UK, France, United States, Italy, Singapore, Australia, Argentina and others as regulators recognise that, despite the best of intentions, instances of corruption can still occur. 

Undertaking appropriate levels of third-party due diligence sits at the heart of the DPA concept. Fines can be cut by up to 50 per cent if an organisation can demonstrate it has a robust compliance programme in place, undertakes appropriate levels of due diligence, self-reports any possible corrupt activity and co-operates with the resulting investigation.

The message to your board is clear. Companies that invest in effective compliance controls will be treated favourably.

5. Due diligence must be risk based

How much due diligence is required on a third party is critical for your board to understand. The truth is that each case is different.

“It’s not one size fits all,” says Verity Blair, risk management expert at NAVEX Global. “In truth, regulators expect organisations to undertake the appropriate level of due diligence on each third party, the extent of which will vary according to factors such as industry, country, size of contract and nature of the transaction.”

This requires a risk-based approach to due diligence. As potential flags are raised, the duty to increase due diligence grows.

Take, for example, an office stationery supplier. Unless this third party is based in a high-risk country, or the transaction size is significant, it may be sufficient to carry out automated checks against international sanction lists, but not much more. 

However, for a key raw materials partner that is dealing with foreign intermediaries or government entities, enhanced due diligence is a necessary consideration. In addition, freedom of the press, the internet and publicly available data will not be as accessible or reliable in certain countries, requiring more in-depth research.

Such a process requires the ability to access both automated data and manual research on individual third parties. This process also needs to be continuous. Ultimately, due diligence is not a one-time event, as vendor profiles constantly change.

Latest research by NAVEX Global shows just 31 per cent of organisations carry out such ongoing due diligence, which suggests far too many companies are operating without adequate risk management controls in place, leaving themselves open to the full force of the regulators.

Your board must, therefore, insist that risks are tracked on a continuing basis, not just pre-agreement but post-onboarding as well. This requires organisations to leverage the power of automation and artificial intelligence, and to have access to a centralised source of risk data, to manage complex third-party risks efficiently and build a much stronger legal defence if wrongdoing occurs.

Your board must ensure your organisation is taking a risk-based approach to due diligence, tailored to each situation and conducted on an ongoing basis. Anything less is inadequate.

NAVEX Global is the worldwide leader in integrated risk and compliance management solutions and services.