3/19/2013 1
Managing Third-Party Risk:
Effective Anti-Corruption Programs &
Due Diligence Done Right
Daniel Kline, Managing Director, EMEA
What We’ll Cover
Corruption & Bribery
Current Regulatory Landscape
Risks Associated with Working with Third Parties
Elements of an Effective Anti-Corruption Program
Due Diligence Overview
Best Practices
Regional Overview: Unique Contexts, Common Problems
15% of all companies in industrialized countries pay bribes
o In Asia, this figure is 30%
o In the former Soviet Union: 60%
Laws are only as good as the extent to which they are enforced
o Africa, Latin America, Eastern Europe & Asia
• Some anti-corruption laws in place… but
• Enforcement not happening
German Companies Call for Tougher Bribery Law, WSJ, August 2012
3/19/2013 NAVEX Global: The Ethics and Compliance Experts 3
A palpable threat
What’s at stake?
• Pfizer Inc. agreed to pay $60.2 million to settle a U.S. government probe
• Johnson & Johnson agreed to pay $70 million to settle U.S. charges that it paid bribes
• Niko Resources Ltd. fined $8,260,000 plus a victim surcharge of 15% for a total $9.5 million fine.
SFO has stated there are numerous UK Bribery Act cases under investigation
More US FCPA investigations in the last five years than in the previous 25!
Don’t forget local laws
Compliance is about what we must do.
Ethics is about what we should do.
US Federal Sentencing Guidelines “… a large organization should encourage small organizations (especially those that have a relationship with large organization) to implement effective compliance and ethics programs.”
UK Bribery Act
Individuals risk up to ten years in prison with unlimited fines. Organizations risk unlimited fines, debarment from EU contracts, and the confiscation of the value of corruptly obtained contracts.
Third-party Relationships Are Under Scrutiny Globally
Not all laws are created equal.
UKBA
• Covers bribes made, offered or received in the public & private sector.
• Creates an offense for the receipt of a bribe.
• Violations include "facilitation" payments.
• Up to 10 years prison for individuals.
• Unlimited monetary fines.
• Provides a defense for companies with "adequate procedures."
FCPA/CFPOA
• FCPA prohibits only bribes paid to "foreign public officials."
• The FCPA penalizes only the making of a bribe.
• "Facilitation" payments are OK when lawful.
• Up to 5 years prison for individuals.
• Fines: unlimited (CFPOA); 2M limit (FCPA).
Survey Question:
True or False? In June 2009, Continental Airlines stranded passengers on a small plane overnight for six hours outside Minneapolis when they could have allowed the passengers to get off the plane and wait in the terminal.
True or False? In 2007, Mattel made products for children that contained unhealthy levels of lead.
True or False? In 1993, Nike employed child labor in Southeast Asia.
A. Answer to all… False
Your reputation is at stake!
“It takes 20 years to build a reputation and five minutes to destroy it.” —W. Buffett
“It takes many good deeds to build a good reputation, and only one bad one to lose it.” —Ben Franklin
“Our assets are our people, capital, and reputation. If any of these are ever diminished, the last is the most difficult to restore.” —Goldman Sachs Business Principles
Source: Compliance and Ethics Leadership Council
Abundant Reputational Risk
Global Anti-Corruption Case Studies
[Figure: your corporation at the center of a web of third parties: suppliers, suppliers’ suppliers, suppliers in emerging markets, vendors, data vendors, distributors, foreign distributors, dealers/resellers, contractors, subcontractors, consultants, agents, international intermediaries, domestic agencies, offshore service providers, temporary employees, lobbyists, auditors, joint ventures, international joint ventures, partnerships]
A High Level of Complexity
Corporations need to manage divergent legal relationships across a multitude of partners, and struggle to gain visibility into often-hidden risks.
Your Supply Chain… bigger than you thought
Meeting the challenge
When things are this messy, where do you start? (Most just shut the garage door.)
UN Resolution 1952 (2010) – The DRC Guidelines
Due diligence guidelines set by the UN (conflict minerals)
Calls upon all states to raise awareness and implement the guidelines:
o Strengthen company management systems
o Identify and assess risk
o Design and implement responses to risks
o Ensure independent third-party audits
o Public disclosure of supply chain due diligence findings
Increasing focus and trends
OECD has created its own “suggested measures for risk mitigation and indicators for measuring improvement” (conflict minerals)
Intel has made a pledge to ensure its microprocessors are completely conflict-free for gold, tantalum, tin and tungsten
California implemented the Transparency in Supply Chains Act (TSCA) in January 2012, aimed at eradicating slavery and human trafficking (retailers and manufacturers conducting business in California with annual revenue over 100 million USD). This goes far beyond red-flag countries and conflict zones.
Anyone for horse meat?!
Anti-Corruption – What will investigators focus on?
Are you acting in good faith?
Do you have a healthy, robust compliance program?
What is the likelihood of the offense reoccurring?
Did your compliance program uncover this issue?
How did you respond?
If this issue identified weaknesses in your compliance program, have they been corrected?
Elements of an Effective Anti-Corruption Program
1. Risk Assessment
2. Commitment
3. Compliance Infrastructure
4. Policies, Procedures, Internal Controls
5. Disciplinary Guidelines
6. Communication and Training
7. Monitoring and Auditing
8. Review and Testing
9. Third-Party Accountability
1. Risk Assessment
o Geographical and country risk
o Interaction with governmental officials
o Industry of operation
o Extent of third-party usage
o Importance of licenses and permits
o Degree of governmental oversight and inspection
o Volume and importance of goods and people clearing customs & immigration
What Makes a Good Corruption Risk Assessment?
Fits within the company’s culture
Sponsored and supported by the right people—You!
Encourages open participation and transparency
Embraced throughout the company as an important and valuable process
Used to monitor or influence factors that put the company at risk
Serves as the foundation for the company’s code of conduct, anti-corruption controls, and overall prevention program
An ineffective risk assessment will result in deficiencies in the company’s other initiatives
2. Commitment
Strong, explicit, and visible support
Appropriate measures to encourage and support a robust and effective ethics and compliance program
o Adequate funding
o Adequate resources
o Adequate support
3. Compliance Infrastructure
Designated responsibility to one or more senior corporate executives for:
o Implementation and oversight of policies, standards, and procedures
Compliance Officer must report to an independent body such as:
o Internal Audit
o Board of Directors
o Board of Directors Committee
Adequate level of autonomy from management, sufficient resources, and authority
4. Policies, Procedures, Internal Controls
Must be explicit, clearly articulated, and visible
o FCPA and other global anti-corruption laws
o Policies and procedures must include directives
o Cover policies toward “gifts & entertainment, and expenses; customer travel; political contributions; charitable donations; facilitation payments; and solicitation and extortion.”
o Applicable to all officers, directors, employees, and third parties acting on behalf of the organization
Internal controls to avoid and address potential violations of books, records, and accounting provisions
o “Reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts, and ensure they cannot be used for the purpose of bribery or concealing such bribery.”
5. Disciplinary Guidelines
Must carry serious consequences for violations of anti-corruption laws, compliance code, policies, and procedures, for:
o Directors
o Officers
o Employees
o Third parties
Reasonable steps to remedy harm and prevent further misconduct
6. Communication and Training
Effective communication and periodic training on policies and procedures:
o To directors, officers, employees, third parties
o So they know and understand the policies
Annual certification of compliance and training requirements
7. Monitoring and Auditing
Ongoing to ensure effectiveness
Directed to the company’s key risk areas
Measure for effectiveness
Regular audits of books and records (including third parties)
8. Review and Testing
Designed to evaluate and improve effectiveness
At least once a year to assess relevant developments in international and industry standards
Update and adapt policies, procedures, internal controls, and compliance program to ensure continued effectiveness
9. Third-Party Accountability
“Institute appropriate due diligence and compliance requirements pertaining to the retention and oversight.”
Inform third parties of the company’s commitment to abiding by laws and ethics and compliance standards.
Obtain “reciprocal commitment” reflecting understanding and acceptance.
Ensure agreements and contracts (including renewals) contain proper anti-corruption language and give the company the right to:
o Audit
o Terminate
Anti-Corruption Prevention Controls
Zero Tolerance—no tolerance for corruption
Audit—actively and aggressively look for corruption
Education—what corruption is and its warning signs
Pressure—be a resource for those who may be facing pressure
Code of Conduct—needs strong communication from company leaders
Anti-Corruption Policy—separate, unambiguous, communicated
Survey Question:
In your organization, who owns third-party due
diligence?
1. Ethics and Compliance
2. Legal
3. Supply Chain or Procurement
4. Internal Audit
5. Other
What Is Due Diligence?
An investigation of a business or person prior to signing a contract
An act with a certain standard of care.
The process through which a potential acquirer evaluates a target company or its assets for acquisition. (Source: Wikipedia)
Specifically…
verify and validate the customer’s identity;
identify relevant adverse information;
risk assess the potential for money laundering & terrorist financing…
—Peter Warrack in the July 2006 edition of ACAMS Today
What is Effective Due Diligence?
o Embed language in contractual terms specific to legal, regulatory, financial, and reputational compliance.
o Implement a Third-Party Code of Conduct
o Conduct global database checks (GDC) on third parties consistently
• Business information declines at a rate of 20% a year
• Data becomes less accurate over time.
o Run enhanced due diligence (EDD) on those with a higher risk
What is Effective Due Diligence?
o Require that third parties certify compliance with all laws and regulations that govern their business.
o Educate and train your third parties on relevant laws and regulations.
o Provide an anonymous avenue for third parties to report potential violations of laws and regulations.
Effective Due Diligence
1. Pre-Screen: Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.
2. Risk Assessment: Best-in-class screening process that provides a comprehensive view into complete enterprise risk—financial, regulatory, reputational, and governance.
3. Risk Mitigation and Action Steps: Dictates mitigation activities that must be taken by both the third party and you.
4. Ongoing Monitoring: Periodic re-screening process that identifies change in enterprise risk, ensures information is kept current, and ensures continued compliance with client policies.
[Figure: cycle of 1. Pre-Screen → 2. Assess → 3. Mitigate → 4. Monitor]
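As an added example (not part of the original deck or any NAVEX product), the four-step cycle above written as a small Python screening pipeline: an inherent-risk pre-screen built from the factors listed under Risk Assessment, a fuzzy global database check, escalation to EDD on any hit or high tier, and a tier-based re-screen interval. The watch-list entries, scoring weights, thresholds and intervals are constructed assumptions for illustration.

```python
"""Risk-tiered third-party screening: pre-screen, assess, mitigate, monitor (constructed example)."""
from dataclasses import dataclass
from typing import Optional
import difflib
import re

# Constructed watch lists standing in for the sanctions and adverse-media sources a GDC would query.
WATCH_LISTS = {
    "sanctions": ["Example Trading FZE", "Acme Offshore Services Ltd"],
    "adverse_media": ["Acme Offshore Services"],
}
CORP_SUFFIXES = {"ltd", "inc", "llc", "fze", "co", "corp", "plc"}

@dataclass
class ThirdParty:
    name: str
    country_risk: int                   # 1 (low) .. 5 (high), from your country-risk model (assumed scale)
    deals_with_officials: bool          # interacts with government officials on your behalf
    needs_permits: bool                 # business depends on licences and permits
    customs_volume: int                 # 0 (none) .. 3 (heavy goods/people clearing customs)
    days_since_screen: Optional[int] = None  # None = never screened

def normalise(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes so 'Acme, Ltd.' matches 'ACME LTD'."""
    tokens = re.sub(r"[^\w\s]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORP_SUFFIXES)

def pre_screen(tp: ThirdParty) -> str:
    """Step 1: inherent operational and jurisdictional risk, before any database check."""
    score = tp.country_risk + 2 * int(tp.deals_with_officials) + int(tp.needs_permits) + tp.customs_volume
    return "high" if score >= 6 else "medium" if score >= 4 else "low"

def screen(tp: ThirdParty, lists=WATCH_LISTS, threshold=0.85):
    """Step 2: global database check; fuzzy matching tolerates suffix and punctuation drift."""
    target = normalise(tp.name)
    return [(list_name, entry) for list_name, entries in lists.items() for entry in entries
            if difflib.SequenceMatcher(None, target, normalise(entry)).ratio() >= threshold]

def decide(tp: ThirdParty) -> dict:
    """Steps 3 and 4: pick the mitigation path and decide whether a re-screen is due."""
    tier, hits = pre_screen(tp), screen(tp)
    if hits or tier == "high":
        action = "enhanced due diligence"     # EDD: financials, records, on-site verification
    elif tier == "medium":
        action = "standard due diligence"
    else:
        action = "approve with anti-corruption contract clauses"
    # Re-screen interval by tier (assumed days); data ages quickly, so even low risk is redone yearly.
    interval = {"high": 90, "medium": 180, "low": 365}[tier]
    due = tp.days_since_screen is None or tp.days_since_screen > interval
    return {"tier": tier, "hits": hits, "action": action, "rescreen_due": due}

if __name__ == "__main__":
    for party in (ThirdParty("Acme Offshore Services, Ltd.", 2, False, False, 0),
                  ThirdParty("Northwind Logistics", 4, True, True, 2, days_since_screen=77)):
        print(party.name, decide(party))
```

A low inherent-risk party still escalates to EDD when a list hit appears, while a high-tier party with no hits escalates on tier alone.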
Global Database and Adverse Media Checks
Global Media:
• 10,000 individual sources of public-source newspapers, magazines, television and radio transcripts, trade publications, geographic publications, academic journals, and gray literature.
• The database process incorporates human-translated foreign-language material
• Media sources cover every region of the world
Government Lists and Regulatory Authority Actions:
• The dataset includes fugitive lists, exclusion lists, global sanctions lists, fraud warnings, debarment lists, disciplinary actions, enforcement actions, etc.
• The sources span a broad spectrum of local, state, and federal lists of risk-relevant individuals and organizations
Basic Risk Assessment (watch lists screened): FATF Financial Action Task Force, Bank of England Consolidated List, HM Treasury Investment Ban List, HM Treasury Sanctions, Hong Kong Monetary Authority, HUD LDP, Interpol Most Wanted Exclusions, OSFI Consolidated List, OSFI Country Offshore Financial Centers, Peoples Bank of China (PBC), Primary Money Laundering Concern, Primary Money Laundering Concern Jurisdictions, Reserve Bank of Australia, Terrorist Exclusion List, UK FSA, UN Consolidated List, Unauthorized Banks, World Bank Ineligible Firms, Ireland Financial Regulator Unauthorized Firms, Japan FSA, Japan METI-WMD Proliferators, Japan MOF Sanctions, Monetary Authority of Singapore, Nonproliferation Sanctions, OFAC Non-SDN Entities, OFAC Sanctions, OFAC SDN, OIG, Australia Dept. of Foreign Affairs and Trade, Bureau of Industry and Security, Chiefs of State and Foreign Cabinet Members, Commodity Futures Trading Commission Sanctions, DTC Debarred Parties, EU Consolidated List, EPLS, FBI Hijack Suspects, FBI Most Wanted, FBI Most Wanted Terrorists, FBI Seeking Information, FBI Top Ten Most Wanted
We also use a confidential set of 350 other global watch lists in our screening process.
Enhanced Risk Assessment
GDC Plus
Financial Review
o Including payment performance and financial stability
Physical Records Check
o Capture physical public records in country for each business
Litigation and Criminal Document Review
o Entity and Officers and Directors
On-Site Business Verification
o Photos taken both external and internal
o Validate key business executives
o Reference Checks
Policy and Procedure Review (including Code of Conduct)
o Adequate procedures to prevent wrongdoing going forward
Enhanced Risk Assessment … continued
Case Study: CFO Barred by SEC
Our client requested that we screen a new potential partner. We found that the company’s chief financial officer had been barred by the SEC due to securities laws violations.
Case Study: Murder and Manslaughter
In screening existing vendors for our client, we found several alerts that required further investigation, including:
Code / Alert
MUR–Murder, Manslaughter: The company’s CEO, Domenic Gatto, was charged with murder and has past convictions for burglary, assaulting police, racketeering, possessing firearms, and obtaining financial advantage by deception.
MUR–Murder, Manslaughter: KEPPEL Shipyard has pleaded guilty to a charge arising from a fire on board the oil tanker Almudaina at its Benoi yard in May 2004 that killed seven workers.
MUR–Murder, Manslaughter: Jacobs Engineering Inc. of Pasadena, California, was accused by the state of Minnesota over the deadly Interstate 35W bridge collapse that killed 13 people and injured 145.
MUR–Murder, Manslaughter: WorleyParsons Sefaces a charge for the death of two workers during a cyclone.
Effective Third-Party Compliance Programs
What to do?
Conduct due diligence before you enter into a relationship.
Create a phased project plan to identify, prioritize, and address the greatest risks first.
Customize due diligence based on risk assessment.
Build a program using a platform or partner that enables initial transparency, long-term scalability, and tracking of mitigation.
Audit and monitor.
Think and implement globally.
Questions…
Thank You