
The Path to Compliance Success (7) - Third Party Risk



Michael Fawlk & Lorena Cobiella Carnicer LL.M


Effective compliance programs must reach beyond the organization's own employees, since third parties can also be a source of compliance risk. Failing to manage these risks properly can be very costly.


Organizations rely heavily on third parties (consultants, agents, contractors, distributors, etc.) for improved profitability, faster time to market, competitive advantage, and cost efficiencies. But third-party relationships come with risks of their own, ranging from strategic and reputational to regulatory, information security, and financial risks. Around 90% of reported corruption and bribery cases involve third parties or intermediaries.


Enforcement has also intensified, with significant fines: in 2020 Goldman Sachs paid $3.3 billion for a Foreign Corrupt Practices Act (FCPA) violation. That same year Airbus agreed to pay combined penalties of more than $3.9 billion for using third-party business partners to bribe government officials in multiple countries around the world, including China.


For all these reasons, companies should manage third-party risks carefully. Risk-based due diligence on third-party suppliers is a must in managing this category of risk. The objective of due diligence is to identify potential red flags, such as excessive fees paid to consultants or agents, contracts with vague provisions, third parties operating outside their normal scope, a third party related to or closely affiliated with government officials, or a third party requesting payment into an offshore bank account. It is also crucial to document the due diligence properly.


Mitigate these risks by applying a risk-based approach to relationships with third parties, meaning that the depth of assessment depends on factors such as industry, size, or type of transaction. Companies are expected to conduct appropriate screening, due diligence, and onboarding of third parties, including adequate and regular compliance training, followed by ongoing monitoring to detect potential red flags and act on them if detected.


Processes and procedures should be in place to address situations where a third party does not meet the minimum compliance standards, or where non-compliance arises during the term of the contract; for example, the right to terminate the contract and the subsequent measures to be taken if there has been a violation of the law.


Organizations should ensure that detailed contracts are in place with third parties, describing the services to be performed and providing compensation proportionate to the services rendered. The organization must also have proper controls in place to assess proof of performance before approving payments.


The message is clear: pay attention to third parties as a source of risk and, as with all risks, ensure that as the scope and complexity of the third-party network expands, the resources dedicated to managing that risk grow with it.
