4.2 Risky Business: Working with Agents, Contractors and Other Third Parties Long report

Adam Turteltaub, Magalie Pimentel, Katharine Bostick, Rupert de Ruig, Olajobi Makinwa, 14th IACC, Workshop report, Private Sector, Procurement

 

SHORT WORKSHOP REPORT FORM

Number and title of workshop
4.2 Risky Business: Working with Agents, Contractors and Other Third Parties
__________________________________________________________________________
Date and time of workshop
09:00 Thursday, 11th November, 2010
__________________________________________________________________________
Moderator (Name and Institution)
Adam Turteltaub, Society of Corporate Compliance & Ethics
__________________________________________________________________________
Rapporteur (Name and Institution)
Magalie Pimentel, Dow Jones
__________________________________________________________________________
Panellists (Name, institution, title)
Katharine Bostick – Microsoft, Director of Compliance & Litigation, Asia Pacific & Japan
Rupert de Ruig – Managing Director, Dow Jones Risk & Compliance
Olajobi Makinwa - Civil Society Coordinator, United Nations Global Compact
 
Main Issues Covered

• Selecting third parties
o How do you decide when to engage a third party?
o Who makes the decision?
 
• Due Diligence
o What is the starting point for due diligence?
o How do you assess company ownership?
o What happens when a third party is unwilling to provide information?
o Can you use referrals to understand potential risks?
o What are United Nations Global Compact members doing in this area?
 
• Enhanced Due Diligence and Open Source Intelligence (OSINT)
o How to use the media and OSINT to assess corruption risk.
 
• Extending Code of Conduct and other compliance systems to Third Parties
 
• Use of Reporting Hotlines
 
Main Outcomes

Businesses need a better understanding of the various regulatory schemes and how they can create liability.
Third party relationships must not be entered into lightly. Ongoing auditing and monitoring is essential after an initial risk assessment process.
Non-governmental organizations must also be sensitive to third party risk.
 
Main Outputs

When assessing third party risk it is essential to ask the following questions:
• Do you need the business partner?
• Do you truly know them and who they are?
• Have they changed over time and is there a need to re-evaluate?
• Has the risk situation changed?
• Is it time to re-evaluate your third party strategy?
 
Recommendations, Follow-up Actions

Companies should seek to establish working groups to discuss common challenges. Groups may include representation from the both the private and public sectors, NGOs and media. Increase knowledge sharing amongst companies who rely upon third parties. 
 
Useful links:
 
A Compliance & Ethics Program on $1 a Day
http://www.corporatecompliance.org/AM/Template.cfm?Section=Surveys&Template=/surveyform.cfm&survey=DollarCompliance
 
Dow Jones State of Anti-Corruption Compliance Survey:
http://fis.dowjones.com/risk/09survey.html
 
Department of Justice Opinion Procedures Releases:
http://www.justice.gov/criminal/fraud/fcpa/opinion/
 
OECD Good Practice Guidance on Internal Controls, Ethics & Compliance
www.oecd.org/dataoecd/5/51/44884389.pdf
 
Compliance & Ethics News from Paris: Have the “Global Sentencing Guidelines” Arrived?
http://www.corporatecompliance.org/Content/NavigationMenu/Resources/International/OECD/OECD-report.pdf
 
United Nations Global Compact Ten Principles:
http://www.unglobalcompact.org/aboutthegc/thetenprinciples/index.html
 
Workshop Highlights (including interesting quotes)

Selecting Third Parties
 
• Firstly, evaluate the need to engage a third party. What do they need to do, and why can’t this be done by your company?
• Put in place documented procedures for selecting third parties and tailor these according to the results of your risk assessment – market, type of engagement etc.
• While it isn’t possible to develop a common procedure across the board, having minimum requirements is good practice.
• Ensure the business in involved in developing these procedures.
• Selection of a third party will often lie with the business unit, but where risk is high involve the legal and/or compliance team in selection and approval process.
• It is critical to be confident that a third party will carry out business in the same way as your organization does, and that they comply with local regulation.
• Third party risk also applies to NGOs. The challenge they face is that they can often find themselves in a situation where they are asked to pay for a service desperately needed by vulnerable communities – for example food distribution following a natural disaster.
• The Department of Justice FCPA Opinion Procedures provide a means for companies to gain an opinion from the Attorney General on specific FCPA related
matters. 
 
Due Diligence
 
• Questionnaires which must be completed by the third party are a good starting point. 
• Any red flags uncovered should be investigated by the appropriate people/departments – legal, compliance etc.
• Companies need to be confident that the due diligence has been carried out satisfactorily.
• In some countries making use of personal connections is common business practice. Where there is a conflict of interest, it is important that the person who has the conflict does not conduct due diligence. Conflicts of interest don’t mean you can’t engage a particular third party. A Conflict Committee can be valuable to conduct a thorough risk assessment and to provide an independent view of how to move forward with a potential third party.
• UN Global Compact advocates this high-risk industries need a formalized due diligence process.
• SMEs are often concerned about the resource/cost required to conduct due diligence but they can adjust their procedures according to their size and risk profile.
• Due diligence doesn’t stop with the hire. Ongoing auditing and monitoring of the third party is essential.
 
Enhanced Due Diligence and Open Source Intelligence
 
• The media and other open source information, such as public records, can be used to research third parties as part of an enhanced due diligence process.
• Media interest in corruption has increased significantly in the past decade and investigative journalism is instrumental in uncovering unethical business practice.
The resulting articles are of value to companies when evaluating and monitoring third parties.
• Always evaluate the source of information for credibility and accuracy, and take other factors into account.
• If you discover negative media relating to a third-party question them about it to better understand the situation.
• Effective use of the media for ongoing and systematic assessment of third-party risk can demonstrate best practice to regulators.
• The situations of companies and countries are always changing – changes in company ownership, a change in government can signify new risks that need to be
evaluated. Media can be used to track these changes. 
 
Extending Code of Conduct to Third Parties
 
• Companies are increasingly pushing third-parties to sign up to their Code of Conduct.
• At a minimum, companies should have a vendor Code of Conduct that is aligned to their own.
• A Conference Board survey found that Codes of Conduct are not widely extended to third parties, but most companies will have a binding code that relates to an area of business, e.g. sales.
• UN Global Compact members are trying to push the principals further down their supply chain. Companies sometimes resist stating that signing up is unnecessary,
too costly, or not applicable to them. 
 
Use of Reporting Hotlines
 
• Extending reporting hotlines to third parties is wide-spread and good practice, but all too often third parties are unaware that they have access.
• Hotlines are reportedly underused. 
• Siemens distinguish between ‘Ask Us’ and ‘Tell Us’ hotlines. ‘Ask Us’ hotline provides an opportunity for employees to ask compliance-related questions. ‘Tell Us’
hotline is open to any external party to report a potential violation, and is advertised on the Siemens website.
• In the early stages of a hotline the majority of contacts will involve reporting violations. Gradually the balance shifts and most calls will be to seek advice on compliancerelated issues. This is a positive sign as with more people seeking advice the risk of violating regulation reduces.
• The DoJ has had a reporting hotline for many years, and many current FCPA cases are the result of whistle-blowing.
 
Questions/Comments from the Floor

• Analysis of the Siemens case highlighted that confusion around the classification of third parties was an issue. It was hard for employees to understand what processes to follow depending on how a third party was classified. This has now been simplified and all third parties are referred to as ‘business partners’. Key factors such as country and business type are taken into consideration and all business partners are ranked as high, medium or low risk. This risk-ranking dictates the processes that need to be followed, approval processes and any mandatory clauses in contracts. 
 
• Reputational damage is a key risk to consider. If one of your third parties is found to be acting unethically, even if this has nothing to do with your business relationship, you should investigate and possibly re-evaluate the situation. 
 
• Corruption in Africa usually involves multi-nationals. These companies are often actively involved in the global debate on tackling corruption, but their local conduct
may differ from their global commitment. The UN Global Compact advocates the application of international standards across all countries in which a company
operates, even where there are no local laws. 
pdf4.2 Risky Business: Working with Agents, Contractors and Other Third Parties Long report

Brazil 2012

Brazil 2012

IACC Video

IACC Video

FaceBook

FaceBook