Managing Third-Party Risk:
Effective Anti-Corruption Programs and
Due Diligence Done Right
Michael Vermillion
6/28/2012 Managing Third-party Risk 1
Our Expert: Jacki Trevino
Prior to joining NewCo, Jacki spent over seven years as the Assistant Director, Global Ethics & Compliance at Dresser, Inc., a worldwide leader in the design, manufacture, and marketing of highly engineered equipment and services. Jacki was integral to the creation of Dresser’s ethics and compliance program, including the design and implementation of a new Code of Conduct and an ethics and compliance training program. She also developed and implemented global ethics and compliance policies and procedures, established a program to manage third parties, and managed internal investigations of reported business misconduct.
Jacki was one of the first in the industry to obtain the certification of Certified Ethics and Compliance Professional (CCEP). She has long been an active leader in the ethics and compliance community and an active member of the Ethics and Compliance Officer Association (ECOA), the Society for Corporate Compliance and Ethics (SCCE), the Practicing Law Institute (PLI), and The Conference Board. Additionally, Jacki is a frequent speaker on ethics and compliance industry speaking agendas and webinars. Her areas of expertise within global ethics and compliance include program design, development, implementation, and management.
What We’ll Cover
Risks Associated with Working with Third Parties
Current Regulatory Landscape
Elements of an Effective Anti-Corruption Program
Due Diligence Overview
Best Practice Solutions
Third-Party Risk
There have been more FCPA investigations in the last five years than in the previous 25.
The UK Bribery Act
Don’t forget local laws
Compliance is about what we must do. Ethics is about what we should do.
Client Advisory Council 4
Risks Associated with Third Parties
“It takes 20 years to build a reputation and five minutes to destroy it.”
—W. Buffet
“If you lose dollars for the firm, I will be understanding. If you lose reputation, I will be ruthless.”
—W. Buffet
“Our assets are our people, capital, and reputation. If any of these are ever diminished, the last is the most difficult to restore.”
—Goldman Sachs Business Principles
Source: Compliance and Ethics Leadership Council
[Figure: “Your Corporation” at the center of a web of third parties: suppliers, agents, joint ventures, consultants, vendors, distributors, contractors, suppliers’ suppliers, partnerships, international joint ventures, auditors, lobbyists, dealers/resellers, foreign distributors, data vendors, offshore service providers, domestic agencies, international intermediaries, subcontractors, temporary employees, and suppliers in emerging markets]
A High Level of Complexity
Corporations need to manage divergent legal relationships across a multitude of partners, and struggle to gain visibility into often-hidden risks.
Source: Compliance and Ethics Leadership Council
Reputational Risks
POP QUIZ
True or False? In June 2009, Continental Airlines stranded passengers on a small plane overnight for six hours outside Minneapolis when they could have allowed the passengers to get off the plane and wait in the terminal.
True or False? In 2007, Mattel made products for children that contained unhealthy levels of lead.
True or False? In 1993, Nike employed child labor in Southeast Asia.
USFSG
“As appropriate, a large organization should encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs.”
UK Bribery Act
Individuals risk up to ten years in prison with unlimited fines. Organizations risk unlimited fines, debarment from EU contracts, and the confiscation of the value of corruptly obtained contracts.
Third-Party Risk: Regulatory and Legal Perspectives
Governments worldwide are expanding their focus on regulating third-party relationships.
o The U.S. Federal Sentencing Guidelines apply to a company’s “business partners.”
o The Organization of Economic Cooperation and Development (OECD) also recently created Good Practice Guidance for Anti-Bribery programs, clearly based on the U.S. Federal Sentencing Guidelines.
o The UK Bribery Act introduces a strict liability offence for commercial organizations of failing to prevent a bribe paid by any person associated with their business, even if they did not know about or authorize the bribe.
Anti-Corruption Investigators will focus on:
Are you acting in good faith?
Do you have a healthy, robust compliance program?
What is the likelihood of the offense recurring?
Did your compliance program uncover this issue?
o Was there an appropriate response?
o Was the issue widespread?
o Was there prompt remedial action?
o Was there a prompt and forthcoming voluntary disclosure?
How did you respond?
If this issue identified weaknesses in your compliance program, have they been corrected?
Is your compliance program a paper or “check the box” program only?
Global Anti-Corruption Case Studies
Elements of an Effective Anti-Corruption Compliance Program
Risk Assessment
Commitment
Policies, Procedures, Internal Controls
Communication and Training
Compliance Infrastructure
Disciplinary Guidelines
Third Party Accountability
Monitoring and Auditing
Review and Testing
Elements of an Effective Anti-Corruption Compliance Program: Risk Assessment
Geographical and country risk
Interaction with governmental officials
Industry sectors of operation
Extent of third-party usage
Importance of licenses and permits
Degree of governmental oversight and inspection
Volume and importance of goods and people clearing customs and immigration
Elements of an Effective Anti-Corruption Compliance Program: Commitment
Strong, explicit, and visible support
Appropriate measures to encourage and support a robust and effective ethics and compliance program
o Adequate funding
o Adequate resources
o Adequate support
Elements of an Effective Anti-Corruption Compliance Program: Compliance Infrastructure
Dedicated infrastructure that includes designated responsibility assigned to one or more senior corporate executives for:
o Implementation and oversight of policies, standards, and procedures
Compliance Officer must have direct reporting obligations to an independent body such as:
o Internal Audit
o Board of Directors
o Board of Directors Committee
Must have an adequate level of autonomy from management, sufficient resources, and authority
Elements of an Effective Anti-Corruption Compliance Program: Policies, Procedures, Internal Controls
Must be explicit, clearly articulated, and visible
o FCPA and other global anticorruption laws
o Policies and procedures must include directives that “reduce the prospect of violations of anticorruption laws and the company’s own compliance code.”
o Cover policies toward “gifts, hospitality, entertainment, and expenses; customer travel, political contributions; charitable donations and sponsorships; facilitation payments; and solicitation and extortion.”
o Applicable to all officers, directors, employees, and third parties acting on behalf of the organization
Internal controls to avoid and address potential violations of books, records, and accounting provisions
o “Reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts, and ensure they cannot be used for the purpose of bribery or concealing such bribery.”
Elements of an Effective Anti-Corruption Compliance Program: Disciplinary Guidelines
Must carry serious consequences for violations of anti-corruption laws, compliance code, policies, and procedures by
o Directors
o Officers
o Employees
o Third parties
Reasonable steps to remedy harm and prevent further misconduct
Elements of an Effective Anti-Corruption Compliance Program: Communication and Training
Effective communication and periodic training on policies and procedures to
o Directors, officers, employees, third parties
o Know and understand
Annual certification to certify compliance and training requirements
Elements of an Effective Anti-Corruption Compliance Program: Monitoring and Auditing
Ongoing to ensure effectiveness
Directed to company’s key risk areas
Measure for effectiveness
Regular audits of books and records (including third parties)
Elements of an Effective Anti-Corruption Compliance Program: Review and Testing
Designed to evaluate and improve effectiveness
At least once a year to assess relevant developments in international and industry standards
Update and adapt policies, procedures, internal controls, and compliance program to ensure continued effectiveness
Elements of an Effective Anti-Corruption Compliance Program: Third-Party Accountability
“Institute appropriate due diligence and compliance requirements pertaining to the retention and oversight.”
Inform third parties of the company’s commitment to abiding by laws and ethics and compliance standards.
Obtain “reciprocal commitment” reflecting understanding and acceptance.
Ensure agreements and contracts (including renewals) have proper anti-corruption language and that the company has the right to:
o Audit
o Terminate
What Makes a Good Corruption Risk Assessment?
Fits within the company’s culture
Sponsored and supported by the right people—You!
Encourages open participation and transparency
Embraced throughout the company as an important and valuable process
Used to monitor or influence factors that put the company at risk
Serves as the foundation for the company’s code of conduct, anti-corruption controls, and overall prevention program
An ineffective risk assessment will result in deficiencies in the company’s other initiatives
Anti-Corruption Prevention Controls
Zero Tolerance—no tolerance for corruption or other wrongdoing
Audit—actively and aggressively look for corruption
Education—need to know what corruption is and what warning signs to recognize
Pressure—be a resource for those that may be facing pressure or problems
Code of Conduct—needs strong communication from company leaders
Anti-Corruption Policy—separate, unambiguous, communicated
What Is Due Diligence?
“A rigorous and robust process of investigation over and above (KYC) procedures that seeks with reasonable assurance to verify and validate the customer’s identity; understand and test the customer’s profile, business, and account activity; identify relevant adverse information and risk assess the potential for money laundering and/or terrorist financing to support actionable decisions to mitigate against financial, regulatory, and reputational risk and ensure regulatory compliance.”
—Peter Warrack in the July 2006 edition of ACAMS Today
“Due diligence” is a term used for a number of concepts involving either an investigation of a business or person prior to signing a contract, or an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations. A common example of due diligence in various industries is the process through which a potential acquirer evaluates a target company or its assets for acquisition.[1]
Source: Wikipedia
What Is Due Diligence?
Effective due diligence
This is the process of evaluating each third-party relationship, mitigating its risk, and auditing the third-party relationship. This process is performed indefinitely, for as long as a relationship exists, and should evolve with the relationship. It should be performed on all relationships regardless of location, and is often part of a wider Integrity Management initiative.
Traditional due diligence
The necessary step of evaluating what risk is involved in doing business with a third party prior to establishing a relationship; it assesses risk at that point in time.
Source: Wikipedia
Effective Due Diligence: Best Practice Due Diligence
Building a comprehensive due diligence program can be overwhelming. Many individuals responsible for this task often ask—Where do I begin? Our internal experts have identified the following components of a robust program:
o Embed language in contractual terms and conditions specific to legal, regulatory, financial, and reputational compliance.
o Develop and disseminate a Third-Party Code of Conduct, or your organization's own employee Code of Conduct, to all third parties mandating compliance.
o Conduct, at a minimum, global database checks (GDC) on third parties and more detailed enhanced due diligence (EDD) on those with a higher risk exposure.
Effective Due Diligence: Best Practice Due Diligence (continued)
o Require that third parties certify compliance with all laws and regulations that govern their business, but also, that they will uphold your organization's standards and commitment to integrity.
o Educate and train your third parties on relevant laws and regulations.
o Provide an anonymous avenue for third parties to report potential violations of laws and regulations.
POLLING QUESTION
In your organization, who owns third-party due diligence?
1. Ethics and Compliance
2. Legal
3. Supply Chain or Procurement
4. Internal Audit
5. Other
Effective Due Diligence
1. Pre-Screen: Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.
2. Risk Assessment: Best-in-class screening process that provides a comprehensive view into complete enterprise risk—financial, regulatory, reputational, and governance.
3. Risk Mitigation and Action Steps: Dictates mitigation activities that must be taken by both the third party and you.
4. Ongoing Monitoring: Periodic re-screening process that identifies changes in enterprise risk, ensures information is kept current, and ensures continued compliance with client policies.
[Figure: the due diligence cycle, 1. Pre-Screen, 2. Assess, 3. Mitigate, 4. Monitor]
Global Database and Adverse Media Checks
Global Media:
Media incorporated into the data screening process is derived from ~10,000 individual sources of public-source newspapers, magazines, television and radio transcripts, trade specialty publications, geographic special interest publications, academic journals, and gray literature.
Sources are global, and include small, low-circulation local newspapers from the United States and abroad, as well as widely-known newspapers and magazines.
The database process incorporates human-translated foreign-language material from domestic and overseas U.S. government bureaus staffed with individuals who monitor timely and pertinent open-source materials.
Media sources cover every region of the world—the Americas, Asia, Africa, Eurasia, Europe, the Middle East, Near East, South Asia, and Oceania.
Government Lists and Regulatory Authority Actions:
The database contains hundreds of regulatory and disciplinary authority and government lists from around the world, continuously updated. The dataset includes fugitive lists, exclusions lists, global sanctions lists, fraud warnings, debarment lists, disciplinary actions, enforcement actions, and more. The sources that feed our Monitored Lists span a broad spectrum of local, state, and federal lists of risk-relevant individuals and organizations, including federal lists of entities that are legally sanctioned, have been the subject of more minor disciplinary actions for violations of regulatory rules, or are on “most wanted,” fugitive, or offender lists worldwide.
Basic Risk Assessment
Lists screened include: FATF (Financial Action Task Force), Bank of England Consolidated List, HM Treasury Investment Ban List, HM Treasury Sanctions, Hong Kong Monetary Authority, HUD LDP, Interpol Most Wanted, Exclusions, OSFI Consolidated List, OSFI Country, Offshore Financial Centers, Peoples Bank of China (PBC), Primary Money Laundering Concern, Primary Money Laundering Concern Jurisdictions, Reserve Bank of Australia, Terrorist Exclusion List, UK FSA, UN Consolidated List, Unauthorized Banks, World Bank Ineligible Firms, Ireland Financial Regulator Unauthorized Firms, Japan FSA, Japan METI-WMD Proliferators, Japan MOF Sanctions, Monetary Authority of Singapore, Nonproliferation Sanctions, OFAC Non-SDN Entities, OFAC Sanctions, OFAC SDN, OIG, Australia Dept. of Foreign Affairs and Trade, Bureau of Industry and Security, Chiefs of State and Foreign Cabinet Members, Commodity Futures Trading Commission Sanctions, DTC Debarred Parties, EU Consolidated List, EPLS, FBI Hijack Suspects, FBI Most Wanted, FBI Most Wanted Terrorists, FBI Seeking Information, and FBI Top Ten Most Wanted.
We also use a confidential set of 350 other global watch lists in our screening process.
Enhanced Risk Assessment
GDC Plus
Financial Review
o Including payment performance and financial stability
Physical Records Check
o Capture physical public records in country for each business entity
On-Site Business Verification
o Photos taken both external and internal
o Validate key business executives
o Reference Checks
Litigation and Criminal Document Review
o Entity and Officers and Directors
Policy and Procedure Review (including Code of Conduct)
o Adequate procedures to prevent wrongdoing going forward
Case Study: CFO Barred by SEC
Our client requested that we screen a new potential partner. We found that the company’s chief financial officer had been barred by the SEC due to securities laws violations.
Case Study: Murder and Manslaughter
In screening existing vendors for our client in the energy industry, we found several alerts that required further investigation, including:
Code: MUR–Murder, Manslaughter. Alert: The company’s CEO, Domenic Gatto, was charged with murder and has past convictions for burglary, assaulting police, racketeering, possessing firearms, and obtaining financial advantage by deception.
Code: MUR–Murder, Manslaughter. Alert: KEPPEL Shipyard has pleaded guilty to a charge arising from a fire on board the oil tanker Almudaina at its Benoi yard in May 2004 that killed seven workers.
Code: MUR–Murder, Manslaughter. Alert: Jacobs Engineering Inc. of Pasadena, California, was accused by the state of Minnesota over the deadly Interstate 35W bridge collapse that killed 13 people and injured 145.
Code: MUR–Murder, Manslaughter. Alert: WorleyParsons Se faces a charge for the death of two workers during a cyclone.
Effective Third-Party Compliance Programs Are Necessary
What to do?
Conduct due diligence before you enter into a professional relationship.
Create a phased project plan to identify, prioritize, and address the greatest risks first.
Customize due diligence based on risk assessment.
Build a program using a platform or partner that enables initial transparency, long-term scalability, and tracking of mitigation steps.
Audit and monitor.
Think and implement globally; regulators are converging.
Questions…
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc.
The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.