June 2016 - By Michael Heller
- 1. Third Party Risk Management— WHAT TO CONSIDER
- 2. 1 The generally accepted U.S. and international guidelines for conducting anti-corruption reviews on third parties have not changed significantly since the U.S. Department of Justice and the Securities and Exchange Commission released its Resource Guide to the U.S. Foreign Corrupt Practices Act in November 2012. Nonetheless, recent trends indicate stricter scrutiny of supplier and customer relationships thus requiring some level of due diligence. Figure 1 below highlights a significant increase after 2014 in the requirement of due diligence reviews of suppliers, customers/ clients and third party agents or consultants. In addition to anti- corruption compliance, potential drivers of this trend could be due to an increased recognition of the value of due diligence in managing sanctions, supply chain and reputational risk. Third Party Risk Management —What to Consider M I C H A E L H E L L E R D I R E C T O R , R I S K A N D C O M P L I A N C E Figure 1. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey More than 65% of respondents claim that M&A targets “always” require due diligence, followed by senior level executives, sales agents and customers/ clients. 66% 60% 59% 58% 56% 50% 63% 57% 60% 63% 62% 51% 70% 52% 47% 43% 43% 28% M&A targets Senior level executives/ board members Sales agents Customers/clients Third party agents or consultants Suppliers % Mentioning Each as Always Requiring Due Diligence 2016 2015 2014 T A R G E T S R E Q U I R I N G D U E D I L I G E N C E
- 3. As additional stakeholders adopt due diligence procedures to manage third party risk, it is worth revisiting how to properly identify and weigh different factors to achieve a tailored and efficient approach. R I S K R A N K I N G There is no expectation that every due diligence review requires the same depth of effort— not all third parties are created equal. As noted in the Resource Guide, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” While there is of course no ‘one size fits all’ model for companies to follow, the factors below could influence the allocation of time, budget, and resources to the process. 1 . S I Z E O F O P P O R T U N I T Y How much is the company willing to spend on the opportunity and how much revenue will it generate? For example, is the contract for $5,000 or $5,000,000? The business endeavor would not make sense if the cost of due diligence outweighs the opportunity or revenue gain (this includes intangible advantages). The amount at stake can impact how thorough the investigation should be and how much to invest in the review. 2 . P R O X I M I T Y T O T H E G O V E R N M E N T Identify whether the relationship involves a government agency or determine how much ownership, influence or control, if any, can be attributed to the government. Independently identifying this type of information can be challenging, though fortunately, there are databases that contain lists of state-owned enterprises, which are typically defined by percentage of government ownership or other measures of influence such as control of the board of directors. Strategic and heavily regulated industries tend to be the subject of greater influence by the state. The Resource Guide notes factors to consider include “level of involvement with governments, amount of government regulation and oversight and exposure to customs and immigration in conducting business affairs.” 3 . C O U N T R Y R I S K The corruption risk in the country or countries of the transaction or relationship should also play a significant role in the calculation. Seen in the 2016 Annual Anti- Corruption Survey conducted by Dow Jones, 83% of respondents risk-rank the countries of their third parties as part of their review process—a 10% increase from 2015. The survey found that 72% of corporate compliance staffers use Transparency International’s Corruption Perception Index, and 56% use a compilation of internal data. 4. A COMBIN AT ION T HEREOF Government regulators are pretty clear that the risk rating for all three of the aforementioned factors (size of opportunity, proximity to the government, and country risk) should have a significant bearing on the requisite due diligence. According to the Resource Guide, “a $50 million contract with a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment.” 5. T Y P E S OF T HIR D PA R T IE S The nature of the third party relationship should also factor into the risk ranking equation. For instance, corruption and other risk exposure can be different when dealing with customers, vendors, agents, channel partners, acquisitions, joint ventures or other business relationships. Bear in mind that the FCPA “was enacted for the purpose of making it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business.” Accordingly, it is important to ask what types of relationships play the most direct role in achieving this result. Seen in the 2016 Annual Anti-Corruption Survey conducted by Dow Jones, 83% of respondents risk-rank the countries of their third parties as part of their review process— a 10% increase from 2015. 2
- 4. I N D U S T R Y Certain industries, for a variety of different factors, can require additional due diligence measures to manage third party risk. Recent enforcement trends in a particular sector as well as high risk industries such as defense and oil and gas can indicate the need for stricter scrutiny of third party relationships. O T H E R C O N S I D E R AT I O N S Any legal, regulatory, or reputational information already known about the third party or uncovered during the relationship and the questionnaire process should also be taken into account. Another risk factor includes payment requests in countries not related to the jurisdiction where the transaction takes place or where the third party is based, which is especially an issue when that country has lax anti-money laundering controls in the banking sector or is a tax haven. T H E “ R I G H T ” L E V E L O F D U E D I L I G E N C E Risk ranking driven by the variables outlined above, as well as the organization’s risk tolerance, will dictate the time, budget and resources allocated to investigative due diligence. As seen in the 2016 Annual Anti- Corruption Survey, investigative due diligence typically can uncover information including beneficial ownership, negative news, financial stability and performance, reputation, regulatory issues, and information on senior executives (including political affiliation) to name a few (for details, see Figure 3.) 3 72% 73% 83% 0% 20% 40% 60% 80% 100% Currently Risk-Rank Countries 72% 56% 33% 10% 67% 61% 40% 8% 75% 49% 30% 9% Transparency International CPI Country risk data compiled internally Subscription to country risk data Other Information Sources Used To Risk-Rank Countries (among companies that risk-rank countries) 2016 2015 20142014 2015 2016 72% 73% 83% 0% 20% 40% 60% 80% 100% Currently Risk-Rank Countries 72% 56% 33% 10% 67% 61% 40% 8% 75 49% 30% 9% Transparency International CPI Country risk data compiled internally Subscription to country risk data Other Information Sources Used To Risk-Rank Countries (among companies that risk-rank countries) 2016 2015 20142014 2015 2016 86% 79% 76% 70% 64% 62% 59% 42% 81% 73% 76% 71% 63% 65% 64% 43% 85% 79% 76% 79% 71% 59% 58% 44% Company ownership Financial stability/performance Media search for negative news Reputation Senior executives Government connections Involvement in regulatory issues Use of third parties 2016 2015 2014 The proportion of respondents from companies that risk-rank countries increases to more than 80%. Transparency International’s Index continues to be the most-used information source for risk-ranking countries, followed by internally compiled risk data. Research on company ownership, financial performance, negative news and reputation continue to be the types of preliminary due diligence conducted most often. C O U N T R Y R I S K R A N K I N G R E S E A R C H T Y P I C A L LY C O N D U C T E D I N P R E L I M I N A R Y D U E D I L I G E N C E Figure 2. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey Figure 3. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey
- 5. Information is often obtained from the third party via a questionnaire process before being independently verified or developed during the subsequent diligence process. There are multiple ways to identify this information through simple screening against structured risk data to conducting desktop research in-house or outsourcing that research. In certain high-risk scenarios, it might be necessary to conduct an in-depth active investigation in-country. R I S K M O N I T O R I N G A N D U P D AT I N G Risk ranking also drives the type and frequency of monitoring and updating of due diligence on third parties. The graphic above provides insight to the different approaches. C O N C L U S I O N Risk ranking, at the very least, shows the regulators that time and thought went into a third party diligence program and, as stated in the Resource Guide, meaningful credit will be given for a good faith, comprehensive effort. B I O G R A P H Y Michael Heller Director, Risk and Compliance Michael has held multiple consulting roles focused on risk management and enhanced due diligence over his career. He worked as a consultant with the Business Intelligence Group, the Anti-Money Laundering Group at Goldman Sachs & Co in New York City, and served as CCO and Internal Counsel at Abacus Wealth Partners. Michael holds a Juris Doctor from the University of San Diego School of Law and is a member of the State Bar of California. 4% 4% 6% 35% 36% 37% 15% 9% 10% 6% 4% 5% 9% 9% 7% 28% 38% 34% Annually Every two years Every three years Event-driven Varies by target risk Other Never 2014 2015 2016 Nearly 35% of respondents report their companies conduct annual due diligence updates; a similar proportion bases the frequency of updates on target risk levels. F R E Q U E N C Y O F D U E D I L I G E N C E U P D A T I N G Figure 4. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey
- 6. Dow Jones Risk and Compliance Dow Jones Risk and Compliance is a global provider of risk management and regulatory compliance information, delivering targeted content to organizations around the world. Our market-leading data helps financial institutions and businesses have greater control managing Anti-Money Laundering, Anti-Bribery and Corruption, Economic Sanctions, Third Party Due Diligence and Commercial Risk operations. With a global team of expert researchers covering more than 60 languages, our risk and compliance data is information rich, accurate and timely, enabling our clients to make better quality decisions faster and with greater confidence. For more information, visit www.dowjones.com/risk RISK AND COMPLIANCE