Earlier this week, GlaxoSmithKline PLC (GSK) said that some executives may have breached Chinese law. Chinese officials had previously released details of their bribery allegations against GSK and detained four of the company’s executives.
The Chinese officials said they had uncovered a conspiracy involving tens of millions of dollars and that, for years, high ranking executives at the company’s China operations used travel agencies as money laundering shops to funnel bribes to doctors, hospitals, medical associations, foundations and government officials.
What are the chances that what allegedly happened at GSK is also going on elsewhere? Pretty high. Is money laundering taking place inside your company? Would you know?
A robust third party risk management program would have gone a long way in detecting – or even preventing – the GSK situation by flagging potential issues as they related to third parties like the travel agencies in question. Based on emerging details of the GSK investigation, here are some early lessons and questions to take back to your compliance team:
1. Do we establish ownership of third party relationships?
An important cornerstone of third party risk management is accountability for relationships. An executive in the business needs to own and manage the risk that comes with working with business partners. The news reports are not clear on GSK practices, but in many companies – once a vendor or sales agent gets established – accountability for the relationship and the risk that comes with it become less clear over time.
2. Do we have continuity of ownership?
If the relationship owner takes a new role or leaves the company, who takes over the third party relationship and manages the associated risk?
3. Do third party relationships have a business justification?
In the GSK case, there were apparently many travel agencies involved. If you have many vendors in the same category in the same region, that's a red flag – both from a risk management and a business perspective. In a good third party risk management program, the justification for each business relationship should be documented and approved. If the need for the business partnership ends, then so should the relationship.
4. Do we prioritize due diligence and ongoing monitoring based on type of product or service?
The Chinese officials said that GSK executives used travel agencies as money laundering shops – that isn't a surprise. Travel agencies are a well-established method of cross-border payments and have been at the center of many high profile money laundering cases. The U.S. Patriot Act even includes travel agencies in its definition of financial institutions. Categorizing business partners based on the potential risk for corruption, bribery and money-laundering will help deploy limited risk management resources to where they are needed most.
5. Once a relationship is established, do we monitor or audit payments?
The estimated size and timing of payments should be part of the third party approval process. Once that is established, then employees can monitor or audit the actual payments and compare the sums to what was approved.
6. Does our third party risk management program talk to our whistleblower hotline program?
Separate from the ongoing investigation by Chinese officials, news sources report that an anonymous whistleblower at GSK alleged that Glaxo's China-based sales staff was involved in widespread bribery of doctors to prescribe drugs for years. According to the The Guardian, GSK said earlier this month that an internal investigation of its China operations found no evidence of bribery or corrupt activities.
Clearly the whistleblower investigation was conducted without the benefit of the red flags that an effective third party risk program would have raised – unusual payments, high risk business partners, too many vendors in one category. To the company's credit, GSK is now reviewing all third party agency relationships and has put an immediate stop on the use of travel agencies that have been identified so far in this investigation. However, the opportunity to connect the dots between the whistleblower allegations and third party risk was missed.
China is already investigating at least four multinational drugmakers as it widens its probe of GSK. In the last two days Chinese police visited another pharmaceutical company’s main sales office in central Shanghai and detained one employee, a Chinese national, for questioning. As GSK’s story continues to unfold, more lessons are likely to emerge and will apply to most implicated parties.
In the meantime, work to protect your organization. Ask these questions and take steps to implement some or all of these recommendations to strengthen both your third party risk management and overall compliance programs.
