Let’s start with a few basic assumptions – we all know that third parties are often the most significant risk for corruption. Of course, a company’s own sales staff can be a significant risk, just as much as a third-party. However, most companies recognize that they have a greater ability to control the actions of their sales staff than their third parties.
Knowing that your third parties are your greatest risk (assuming you use third parties), the question becomes how to manage and minimize your third-party risks. The solution is not “rocket science.” In fact, the solution requires one major factor – a commitment by the company to the issue. Once someone in a senior position is committed to the task, it gets done and usually in a very effective manner.
The process requires a two-stage commitment – preliminary due diligence prior to retaining a third-party, and monitoring third-party conduct. At each stage, the company has to employ some measure of ranking the risk of its third parties.
Companies can use a variety of factors in any formula to weigh relative risks for third parties. In the preliminary due diligence stage, relative risk ranking can help to guide the due diligence review process. For third parties with higher risk rankings, a company can require heightened scrutiny, additional written contract protections or an enhanced monitoring strategy.
In the post-retention environment, companies can craft a monitoring strategy based on a relative risk ranking formula. Depending on the relative ranking, companies can use various tools for monitoring purposes, including: (1) updated due diligence (e.g. on an annual basis); (2) compliance surveys; (3) transaction testing; (4) desk audits; (5) issue spot checks; (6) enhanced training; (7) compliance reminders; (8) additional compliance certifications; or (9) full compliance and financial audits.
The question then becomes what factors should be used and what weight to assign to each factor. The design and implementation of a weighted factor analysis will depend on the specific characteristics of the business. Some common factors include:
- Length of business relationship: In general, a third-party which has had a long business relationship with a company without committing any bribery is more reliable than a new company with which there is no record of compliance.
- Country Risk: Transparency International’s Corruption Perception Index provides a straightforward way to measure the risk of corruption in a third-party’s country of operation.
- Written contract: A third-party which has a written contract with a company which includes anti-corruption compliance requirements is less risky than a third-party with no contract.
- Extent of business conducted with foreign government: A third-party which conducts all of its business with foreign governments is more risky than one that earns a small percentage of its business from foreign governments. In applying this standard, some percentage threshold or multi-tiered definition has to be applied based on relevant revenue figures (e.g. less than 33 percent, between 33 and 50 percent, and greater than 50 percent).
- Former government official ownership: A third-party owned by former government officials is a greater risk of bribery based on past affiliations with the foreign government. To the extent the former government official was responsible for contracting in the government with client companies, the risk clearly increases.
- Total revenue: The greater the total revenue of a third-party the greater the risk of bribery – the more money the third-party earns, the more money the third-party ash to engage in bribery.
- Annual increase in total revenue: if a third-party has a significant jump in its total revenue in a year, such an increase may reflect increased risk of bribery, especially if there is no legitimate explanation for such an increase in revenues.
- Existence of anti-corruption compliance program and training: A third-party which does not have an anti-corruption program and does not participate in the company’s anti-corruption compliance program is a riskier their party than one that either has a compliance program or participates in the company’s compliance program.