- March 31, 2016
Managing third parties for bribery and corruption risk requires a consistent approach to assessing risk, conducting due diligence and analysis, delivering training, invoking controls, ongoing monitoring, and periodic re-evaluation. In this Illustration, we define the key steps of the ABAC process and identify the top 10 benefits of a technology-driven approach.
- Overview of the third party Anti-Bribery Anti-Corruption (ABAC) management process
- Close these common loopholes
- Remember oversight and organization
- Top ten benefits
An OCEG Roundtable with Compliance Week, Opus, and Jay Martin, VP, Chief Compliance Officer and Senior Deputy Counsel, Baker Hughes
Compliance Week: Let’s start by making the point that not every third party you work with presents a risk of bribery or corruption. So how do you suggest going about determining which third parties are going to need some level of anti-corruption controls?
Opus: Our customers have three initial areas of concern: First, how do I initially determine, at onboarding if possible, whether a third party could subject me to the risk of bribery and corruption? Second, how will I know if something about that third party has changed that now subjects me to risk? Third, how do I ensure that this process is being applied consistently throughout my organization? To address these, they leverage our technology solution to automatically, consistently, and objectively determine which third parties are in or out of scope for bribery and corruption risk and the level of risk involved. They can also proactively identify changes that mean the third party is now in scope, or that the level of risk has changed.
The net benefit of this approach is to represent to auditors and regulators that all third parties have been or are being continuously, consistently, and systemically assessed for bribery and corruption risk in a closed-loop system which no third party can escape. The problem, for most companies, is not how to automate the performance of due diligence on third parties they already know carry risk—that is relatively easy. The real problem is knowing, with confidence, which third parties have elevated risks. For a company with tens of thousands of third parties—with whom they have very dynamic relationships—it can seem like finding the proverbial needle in the haystack! However, taking the approach of only managing presumed high risk third parties is akin to locking all of the doors at the end of the day but leaving the windows open and the key under the mat.
Martin: Each company must define which third parties are subjected to their FCPA due diligence vetting system. In my experience, the third-party entities that are most often subjected to due diligence by companies are commercial sales agents, customs brokers, immigration consultants, environmental consultants, joint venture partners, sponsors, and distributors who have dealings with government-owned commercial enterprises. At Baker Hughes, the key factor that we apply to identify third parties who must be certified through our FCPA due diligence system is whether those parties provide “representative services” to government-owned enterprises.
Compliance Week: What sorts of training, policies, and procedures should you put in place to ensure ongoing oversight of third-party relationships that present corruption risk? Are these ranked in any way in terms of importance or risk level, or does every third-party relationship with some risk of corruption deserve the same level of control? And how do you keep track of who gets what?
Martin: It’s important to establish controls over those in your own organization who have the third-party relationships, so we conduct a risk assessment of all aspects of our businesses to identify any job functions within the company that could potentially create an FCPA violation. We make sure those people get the right training and that they use our established policies, procedures, and processes for the identification, hiring, and ongoing management of third parties who potentially can present corruption risk in the course of carrying out their normal activities. We conduct periodic FCPA training for our people, which is both electronic and in-person in nature and which is specialized for each job category. The scope and frequency of the training in each of the aforementioned categories is proportionate to the risk presented.
While we do have numerous procedures that apply to all types of third parties, we also augment these baseline procedures with additional safeguards in situations involving what we consider to be extraordinary risks. In this regard, we would look closely at both the nature of the job category as well as the geographical location where the job is being performed. As you might expect, those countries which have a history of a greater number of corruption offenses get more focus and attention than those which have been historically less problematic. For example, we require all of our third parties to sign our standard form agreements, which contain FCPA protective language as well as having to execute annual FCPA compliance certifications. In addition, we require the third parties to provide information to us regarding their FCPA compliance programs and we conduct spot FCPA audits of some of our third parties on a periodic basis. In certain instances in the highest risk locations, we may also require that some of the key subcontractors of the third party to which we are contracting have to also be certified through our FCPA due diligence system. Finally, we also internally assign a business sponsor to each third party with the responsibility of carefully managing the ongoing relationship with that third party.
Opus: We find that ongoing monitoring of third parties and remediation of risk changes are the biggest challenges for most organizations. Our customers use our technology to help automatically and proactively monitor the third party—and the level of activity is directly driven by the risk associated with them. The reason that works across thousands of third parties is that the system automatically creates the due diligence roster for each third-party relationship and then continuously updates that roster as the relationship changes … all without human intervention. There are not enough people in the company to look at each relationship and decide what sort of training is aligned to the risk of that relationship. Hence, for want of an effective technology system, companies blindly apply potentially inappropriate training to large segments of their third parties because that is the only way that they can get the needed coverage. Or conversely, they limit training to a small number of “high risk” relationships.
Compliance Week: A third party may work with many different parts of your organization that don’t communicate with each other on a regular basis. How do you keep a clear record of the relationships or issues that might arise, and changes in risk level so that everyone is on the same page?
Opus: It’s usually pretty difficult for companies that do business with hundreds or thousands of different third parties to be able to keep track of the different contracts they have in place with them and understand the risk of each contract as well as the overall risk of the third party. The only way that companies can effectively achieve this is by having a single “Book of Record” where every interaction with and about a third party is maintained. This includes integrating with the company’s existing enterprise systems such as accounting and ERP, as well as external data sources. Technology, when implemented correctly, eliminates the usual siloed approach that challenges most companies, enables you to communicate across your company and different departments and stakeholders, and provides intelligent analytics and dashboards where you can proactively monitor and manage changes and look at a third party across different elements of risk. While it’s hard, maybe impossible, for risk and compliance teams to fix organizational dysfunction, they can use technology to fix what today is dysfunctional communication by having one golden record—one source of truth—that keeps everyone on track.