What is the risk?
Third-party liability for contractors, resellers, agents and supply chain partners is an issue that continues to bedevil corporations that need or choose to use third parties. The headlines, and the DOJ and SEC websites, regularly carry news releases about prosecutions or settlements in which a third party bribed a government official in violation of the FCPA. The resulting fines and penalties are civil and, in many cases, criminal. (See the Alcoa announcement.) Companies and executives alike are targets. These fines are no longer simply a cost of doing business.
Can the risk be reduced?
So how do companies insulate themselves from the negative operational issues (quality, supply chain fulfillment, etc.) as well as from the hits to reputation and bottom line? In November 2012, the DOJ and SEC published A Resource Guide to the U.S. Foreign Corrupt Practices Act. As we’ve discussed previously here, the Guide stresses that risk-based due diligence of third parties is a critical element in assessing the effectiveness of a company’s compliance program. It offers guiding principles for determining the appropriate amount of due diligence, which are:
- Understand the qualifications and associations of the third party;
- Understand the business rationale for including the third party in the transaction;
- Undertake some form of ongoing monitoring of third-party relationships; and
- Inform third parties of the company’s compliance program and seek reciprocal commitments from them.
Going beyond the basics. Is it worth it?
Some larger U.S.-based companies have taken these requirements a step (or two) further and required their third parties not only to commit to principles of ethics and compliance, but also to demonstrate that they have completed anti-bribery training and/or certification. This can take the form of the third party’s existing training, but in some cases, e.g. Microsoft, the company designs and provides its own training and requires its third parties to take it.
In the case of Microsoft, a partner that does not already have training of its own is provided with training by Microsoft.
Hurdles to success
While this practice would seem to be purely positive, there are some issues associated with this type of requirement that may need to be worked out before it can be universally adopted, particularly by smaller companies without Microsoft’s resources.
- Whose training? If every company began to impose its own training on third parties, the third parties may become overwhelmed, particularly if they work with hundreds or thousands of companies. What about localized training for multinational situations where the laws may differ slightly from country to country?
- At what cost and who pays? These programs are not cheap, especially for third parties with a large number of employees. Who will pay to provide this training? It will most likely end up in the price of the goods and services.
- Say what? Translations and delivery. Many third parties will need the training to be in their employees’ native language to be effective. Not everyone employed by these third parties will have a PDA or even access to a Learning Management System. How will these often technologically and geographically remote employees be trained?
- What happens to those who don’t comply? In many instances, fewer than 100 percent of the designated employees of the third party will complete the training. What will happen then? If the third party is a major supplier, will the executive or compliance staff of the engaging company really be willing to end that relationship, even if doing so hurts operational efficiency or the bottom line? What will the follow-up be? How does the engaging company ensure that it treats third parties consistently in its follow-up? Inconsistency could do more harm than good.
Pandora’s third party risk box has been opened. Now what?
While there are a lot of questions to be asked and answered in the third-party risk arena, the discussion and experimentation can only mean improvements in compliance best practices. Now we must wait and see whether the universally accepted solution is Beta or VHS, iOS or Android. Whatever the outcome, no company that uses third parties can afford to risk sitting back and doing nothing. Clearly the question of whether or not there is risk has been answered in the affirmative. So given that, what should a company do?
- Analyze risk. Do something. Start by identifying your third parties and ranking the risks they pose; and
- Look to automate the process. Obviously, the due diligence and training of a large number of third parties can be time consuming. Companies can reduce the demand on in-house personnel and improve overall efficiency, consistency and cost if they adopt an automated, scalable solution.