Many businesses use third parties as part of their global value chains. While third parties can be necessary and beneficial in a number of circumstances, they carry potentially significant corruption-related risks as well. Under the U.S. Foreign Corrupt Practices Act, the UK Bribery Act, and many other anti-bribery laws, a company can be held responsible for the corrupt acts of third parties acting on its behalf or for its benefit. Because of these risks, corruption-focused third-party due diligence is vital before engaging any business partner, including distributors, agents, resellers, consultants, and other service providers.
Of course, for companies that have hundreds if not thousands of business partners, corruption-related third-party due diligence can be time-consuming and expensive unless the process is handled in a thoughtful, risk-based manner. One of the key first steps is making sure the process has an owner and the scope of the process is well defined. In many companies that have successfully managed the due diligence process, a person in the business unit responsible for the working relationship with a particular third party is assigned ownership, with guidance and oversight from the compliance and/or legal departments. Equally important is understanding why the third party is necessary to the company in the first place – i.e. its business purpose. Once these preliminary considerations are understood, the company can then use a risk-ranking approach to assign third parties to categories such as high, medium and low, using any number of preliminary factors such as the geographic location of the third party's business, the industry or sector they operate in, and whether the work will involve contact with government officials. Using a risk-based approach will allow a company to use its time and budget wisely to address its most salient risks.
After a company has a risk-ranked list, it can determine what information it needs to gather from any particular third party and how to do so. While there is no 'one size fits all' approach to due diligence, of course, a low-risk third party will require a less intense look. For this group, a company might use a simple questionnaire designed to elicit information about the third party's business structure, ownership, audited financial statements, connections to government officials or state-owned enterprises, key clients and references along with background checks using open source and media searches. Of course, self-supplied responses from third parties within any risk category must be validated to a degree appropriate for that company's risk level.
Depending upon the risk posed, in addition to the steps noted above, a company may want to consider a more detailed questionnaire, including questions and follow-up on whether the third party has been or is currently involved in any corruption-related investigation or litigation, whether it appears on any watch lists, or whether it has been the subject of sanctions or debarment. Ultimately, you should be seeking the kind of information that will allow you to make a judgement about the third party's qualifications and reputation.
Companies assigned to the high-risk category will require a more extensive look, including on-site inspections of the premises, review of the third party's code of conduct and other business processes, and interviews of employees and past business partners. At this point, you may want to consider hiring an external consultant to manage the process.
Throughout any due diligence process, if 'red flags' arise, they must be addressed and cleared. However, they do not necessarily mean the end of dealing with the third party. For each risk category, companies should conduct additional due diligence to attain an accurate risk profile to inform a decision of whether to go forward with the proposed business relationship. In some cases, a decision to do business with the third party can be reasonable and justified and the risks mitigated through such means as frequent monitoring and auditing, anti-corruption training, appropriate certifications, etc. In other cases, the red flags may be so serious that they require walking away from the relationship.
By using and properly documenting steps such as those mentioned above, a company can evaluate its potential third-party business partners using a simple risk-based approach in a cost-effective manner.
Of course, pre-contract due diligence is not the end of the line in terms of ensuring compliance by business partners. It must be complemented by ongoing updating, monitoring and formal auditing as part of a larger risk management process.