For most companies these days, working with third parties is critical to doing business. But at a time when anti-corruption enforcement has never been more stringent, those third parties can also pose huge risks.

The biggest third-party risk of all is violation of the Foreign Corrupt Practices Act—and for U.S. companies working with hundreds or thousands of third parties around the globe, making sure all those partners comply with the FCPA is no small task. What’s more, Britain recently adopted its own sweeping anti-bribery law, raising the stakes still more for global businesses striving to ensure that their third parties do nothing to get them into trouble.

At Compliance Week 2010, compliance and legal executives from four companies shared their tales of how their companies manage third-party relationships and impose ethical business practices across their chain of operations.

For some, simply identifying all their third-party relationships can be daunting. It took Tyco, which has operations in more than 60 countries, roughly four months to catalog the thousands of third parties it works with around the world. That effort began after a U.S. regulator asked during a conversation whether the company had a list of all its third parties.

“We didn’t,” Matt Tanzer, Tyco’s chief compliance counsel, said during a panel discussion on third-party relationships. “We realized we needed to get a handle on all of the third parties we work with.”

Tyco eventually identified more than 20 different types of third-party relationships it has (suppliers, distributors, agents, and so forth), Tanzer said. It now conducts due diligence and some level of review on accounting and law firms, customs agents, environmental consultants, real estate agents, and brokers. On the customer side, any distributors who paid Tyco more than $50,000 in the past two years are subject to due diligence.

A key challenge in those cataloging efforts is to get everyone across a global organization to use the same language or “taxonomy” to describe third parties, said Scott Moritz, managing director of Navigant Consulting, who worked with Tyco on the effort. Navigant scored Tyco’s universe of third parties based on more than 100 factors, such as relationship type, geography, industry, and payment terms. It then conducted additional due diligence on high-risk third parties where necessary, with the cost paid by the business unit.

“They could keep anyone they wanted to keep,” Tanzer said. “If they had a [high risk], high revenue agent bringing in tons of money, they would spend the money to do the due diligence.”

Forcing business units to justify why they wanted to retain a third party, however, also made those business units take a hard look at whether such a large number of outsiders was really necessary. The result: a 50 percent drop in the number of high-risk parties on Tyco’s list. While the effort took a lot of work and money (Tanzer ballparked the cost as “millions”), he said the exercise has reaped benefits.

“It’s been painful to get there, but our business unit leaders are thrilled with this process,” Tanzer said. “It has provided huge transparency for our business leaders to see what’s happening around the globe.” In addition, visibility into the commission rates Tyco pays, which is one of the risk factors used to rate a third party, helped the company to cut those rates in some cases, reducing its costs.

At GE Sensing and Inspection, a $1 billion global business, roughly 30 percent of the orders come through outsiders such as distributors, dealers, sales reps, catalogue sellers, resellers, equipment manufacturers, and engineering procurement corporations. “There are different risks with each,” said Richard Bruenig, global compliance leader for the business.

The parent GE corporation does have a policy for improper payments, with guidelines for third parties. But each business unit within GE must still identify its own high- and low-risk third parties, and establish a due diligence process, ethics training, and written agreements for them.

GE Sensing and Inspection has about 480 third parties, Bruenig said; it conducts due diligence on any that are involved in 10 transactions or sales of more than $75,000, as well as any involving sales to governments or government entities. Any below those thresholds are vetted through a different process. Due diligence for new third parties—which includes negative news checks, watch-list checks, and field visits—takes about 90 days.

Constant Attention

In addition to conducting background checks and ensuring that they meet all manner of regulatory requirements, educating third parties on what does and does not pass ethical muster is another major issue for multinationals.

“My biggest concern is making sure our developers, franchisees and our own sales people understand what the risks and limitations are,” said Chris Nowak, group vice president for international law at Wyndham Worldwide, which works with more than 100,000 resort owners and developers. For instance, Nowak conducted anti-corruption training with hotel developers in Thailand so they know “what we would and wouldn’t tolerate.”

Another issue: confirming that a third party that passes inspection the first time around remains clean in the future. On that point, all the Compliance Week 2010 panelists emphasized that ongoing monitoring is crucial. “It’s how you know that they’re doing what they’re telling you they’re doing,” Breunig said.

All the speakers also insisted that right-to-audit clauses are essential in contracts with third parties. “In most instances, if someone accepts the right to audit and obligation to certify, we find they’re more compliant than not with their obligations,” Nowak said. “If someone hasn’t followed rules, they’re less likely to cooperate [with an audit].”

GOOD RISK ASSESSMENTS

Tyco outlines its steps for a good risk assessment:

Hold a Business Sponsor Accountable

Collect Third-Party Data

Develop a Risk Assessment Score

Obtain Business Justification

Review Business Justification

Perform Further Investigative Diligence

Obtain Compliance Certifications

Evaluate Written Documentation

Provide Training

Source: Tyco, Daylight Advisory Slides on Third-Party Risk (May 25, 2010)

Pride International, an oil services firm in Houston, even does books-and-records audits of its third parties. “We’ve found things where we determined misrepresentations were made in the due diligence process, or where people haven’t cooperated in audit, and we’ve terminated those companies,” said Brian Moffatt, Pride’s chief compliance officer.

Pride’s review process includes experts on import-export controls, as well as on immigration. It also requires its intermediaries to be re-certified and retrained annually.

To help it find potential intermediaries for work in new markets, Moffatt said the company also sought input from TRACE International, the anti-corruption group, to get the names of vetted third parties. “We view that as a starting point and conduct our own due diligence,” Moffatt said.

Pride previously required third parties to abide by and certify Pride’s own Code of Conduct, but it recently changed course and now asks intermediaries to join TRACE, which requires all members to certify to TRACE’s own code of conduct to join.

Tyco requires all third parties to have a business sponsor within Tyco who “owns” the relationship, periodically reconfirms the information Tyco has on file, and certifies that the information is accurate. It also has financial controls on the back end that include specific instructions for controllers on when to make payments and to check that payments are going to the location listed in Tyco’s database of third parties.

In addition to requiring third parties to certify annually on its code and to retake ethics and code training when up for renewal, GE Sensing and Inspection requires its business leaders to review all third parties against nearly 20 criteria on a quarterly basis, and to justify whether those outsiders are still needed.

Breunig also sends out periodic customer satisfaction surveys to its third parties that ask about whether and how they entertain customers, whether any of their customers are government officials, and so forth. Doing it that way “helps us identify red flags, but avoids making it sound too legal-ese,” he said.

He also has one-on-one calls with sales reps in remote locations to talk about how they go to market, as well as who their competitors and customers are. “It also gives them an opportunity to ask any questions they want me to follow up on,” he said.