Earlier this month, tech giant Hewlett-Packard announced a $108 million agreement with the Department of Justice to settle charges that it violated the Foreign Corrupt Practices Act.

The charges centered on the conduct of H-P affiliates in Russia, Poland, and Mexico, and they highlight a trend at the center of many recent FCPA cases: The bribes are often orchestrated by third-party organizations, including vendors, suppliers, and even shadow companies created to keep the bribes off the books of foreign subsidiaries.

H-P's Russian subsidiary, for example, admitted to bribing government officials to secure a large technology contract, and it used intermediaries to pay the bribes. H-P Russia executives created a slush fund, from which the bribes would come, via a “buy-back deal structure,” the Justice Department said. The scheme worked like this: H-P sold computer and technology products to a Russian channel partner, then bought the same products back from an intermediary company at a markup, while also paying the intermediary additional money for purported services. H-P then sold the same products to an agency of the Russian government at the increased price. The payments that had been made to the intermediary then were transferred to government officials via a number of shell companies.

The H-P judgment is just the latest of many FCPA enforcement actions that involve companies' subsidiaries and use of third parties. According to EY's recent 12th Global Fraud Survey, some 90 percent of reported FCPA cases have involved third-party intermediaries.

Companies often rely on third parties to expand into new markets, says Traci Coughlan, principal of advisory services at compliance consulting firm the Red Flag Group. Indeed, more than three quarters of the companies participating in the 2012 FCPA Benchmarking Report by Kroll Advisory Services indicated that they partner with foreign entities in order to conduct business abroad.

At the same time, many companies appear unprepared to handle the risk posed by using third parties. Just 40 percent of respondents to a recent survey by Deloitte say they have a program to prevent and detect supply chain waste, fraud, or abuse. More than one-third of respondents say they monitor their third parties once a year, or less.

“Companies in general tend to underestimate the risk that third parties present,” says Kelvin Dickenson, managing director at D&B Global Compliance Services.

The use of third parties creates a dilemma for many compliance professionals. “Compliance officers juggle two realities,” says Donna Boehme, principal at compliance advisory firm Compliance Strategists. On the one hand, the business units that create the risks need to own them, she says, as they are in the best position to understand and mitigate them. “The business is responsible for making the case to engage a third-party intermediary and perform necessary due diligence and ongoing monitoring of the agent relationship,” Boehme says.

On the other, compliance has the expertise and the tools to conduct the necessary monitoring and may come with a more independent view. At the same time, compliance needs to create the framework and tools the business units use to manage third-party risk. It then needs to be able to guide the business units and monitor just how they're managing their risks.

As Boehme notes, balancing these goals can be difficult. Time and resources are always limited. It's often difficult for corporate executives to fully grasp the culture and business norms of all the countries in which their organizations are operating. And their efforts to work with the local business units may not always be warmly received.

In many organizations, “the local country manager or regional vice president is the most powerful face of the company,” Coughlan says. Their backing is critical to gaining support from employees and third parties.

Overcoming these challenges often requires a “bifocal” approach, Coughlan says. That is, compliance needs resources in place within the operating companies in various locations, as well as visibility into activities across the enterprise. “It's think globally, act locally,” she explains.

Bunge, a $61 billion food and agriculture company operating in 40 countries, is implementing a third-party risk management system that will “bring further standardization to the way it manages third-party risk,” says Paul Zikmund, director of global ethics and compliance. He adds that the system will formalize many of the processes already in place.

The operating companies, for example, will follow a standard process for conducting due diligence and requesting background information on specified types of third parties. In addition, a database of third-party representatives' names, as well as third-party due diligence materials, will be centralized, Zikmund says.

Gaining Buy-In

Communication, say third-party risk-management advisers, is the critical factor in securing support from operating companies for third-party compliance initiatives. Corporate compliance can help the local operating units understand the risks of non-compliance, as well as the benefits of undertaking initiatives that might initially appear to be simply more bureaucratic processes. Compliance can help local management appreciate the ways in which visibility into the supply chain can not only help compliance but also lead to efficiencies, Coughlan says.

Compliance also can work with the operating units to meld compliance actions within the procedures already in place, Dickenson says. The local finance group, for example, probably has an on-boarding process for new suppliers that could be modified—perhaps rather easily—to incorporate the questions that compliance also needs answered. “You want to weave in compliance requirements to become part of the process,” he says.

Weeding out shell companies, which often are used in bribery schemes, requires compliance to obtain the entities' true legal names, principals, headquarters, and other information, Dickenson says. The process for obtaining this information can be similar to that used by banks to comply with “know your customer” requirements.

Ongoing Risk Management

Managing third-party risk on an ongoing basis is just as important as the initial due diligence—even though that's where the communication with third parties tends to be concentrated, Coughlan notes. While no magic formula exists, organizations should make multiple attempts to reach out to third parties and ensure that employees there are trained on anti-bribery and anti-corruption practices.

MANAGING THIRD PARTIES

The graph below from EY's 12th Global Fraud Survey shows what approaches survey respondents use in managing third-party relationships.

Source: EY.

Some companies use electronic training modules. While these can help, compliance still needs some way to ensure that it's not just a small segment of third parties that are working with them, Coughlan says. Another tactic: dedicating a session at annual gatherings of third parties to compliance topics.

Healthy skepticism can also help. If a reseller's recent sales figures are well above historical numbers, it may mean the company is doing a better job, but it might indicate that the company's policies or rules are being bent or broken. “It may be cause for celebration, but you also want to look at sales practices,” Dickenson says.

Technology's Role

Of course, automating much of the internal and external monitoring needed for an effective third-party risk management program can save valuable time for operating units and corporate compliance professionals. “At Bunge, for instance, the compliance area is developing a portal through which the on-boarding process and forms will be automated,” Zikmund says.

Another example: A company bringing on a low-risk supplier may determine that confining its due diligence to a database search of the company will suffice, Dickenson says. With a higher-risk third party—perhaps one that will be working in a riskier region or that accounts for a greater portion of business—it may make sense to supplement the electronic research with more extensive investigation, such as a site visit.

Technology can also help companies systematically monitor news reports and sanction lists for mention of their third parties, such as a report by a local publication in the supplier's home country that a supplier's CFO was arrested on bribery charges. Using technology to uncover such reports can accelerate the process, provide an audit trail, and allow those within the company who should have the information an easy way to access it, Dickenson says.