How to approach third party due diligence requirements of the UK Bribery Act
Iain Mcleod is responsible for SAI Global’s compliance business throughout Europe, the Middle East and Africa and has 20 years’ experience of working with major global corporations to implement effective ethics, risk and compliance programmes.
What are the UKBA’s requirements on 3rd party due diligence? How does this requirement impact companies’ day to day business?
The UKBA is unique in its scope and has frequently been described as the toughest anti-bribery legislation in the world. It makes a business responsible not only for the actions of its employees, but also for those of all ‘associated persons’. It is therefore essential for any organisation to understand exactly who they are doing business with and evaluate potential partners not just in terms of their business potential, but also in terms of their risk potential. The only mitigation against the corporate offence of failure to prevent bribery is the ability to demonstrate that adequate procedures are in place to prevent bribery and that a company has taken proportionate steps to ensure that business partners and agents acting on their behalf do not commit bribery in order to obtain or retain business. This underlines the need for thorough due diligence – and the ability to evidence a systematic and robust process for carrying this out. Because of the extra-territorial scope of the Act, this applies to any company that carries on business in the UK. So if you sell products and services in the UK, you need to take heed regardless of whether or not you have a physical presence there.
To what extent are companies liable for their 3rd parties? Are they liable for corruption committed by their 3rd parties’ partners, subcontractors or agents as well?
Under the UKBA, a company is liable for the actions of any associated persons performing services on its behalf. This means that an organisation could be subject to prosecution for acts of bribery committed by business partners or third parties unless it can evidence adequate procedures for preventing bribery. If you outsource services or appoint third parties to act on your behalf, you can’t simply turn a blind eye to their activities and assume the risks lie with them. Under the UKBA, you are responsible and third parties therefore pose as much risk to your business as your employees.
What questions should companies ask themselves before addressing the UKBA 3rd party due diligence requirements? Where should they start?
Firstly, businesses need to ask themselves if they know exactly who is representing them, where they are representing them and how they are representing them. Depending on the length and complexity of the supply chain, this can be a significant challenge. The only way to answer this question is to conduct an inventory of associated partners so you have complete oversight of who is operating on your behalf and understand the nature of their relationship with your business. Businesses then need to ask themselves what level of risk these associated partners could pose. This will be determined by a number of factors such as the territory and industry in which they operate, the kind of services they are performing on your behalf as well as the individuals themselves. You should develop a due diligence questionnaire to help you identify the type and scope of the relationship you have with each third party. You should also screen your third parties against sanctions databases to enable you to take a view as to whether they are appropriate partners for your business. This information will enable you to assign each third party a risk profile, identifying those which merit further investigation before you enter into or continue a relationship with them. Finally, businesses need to ask themselves what action they will take to mitigate the risks identified as part of their due diligence process. Simply identifying that a risk exists is not sufficient – failing to take appropriate, proportionate mitigating action based on your findings is in itself inherently risky and could imply negligence. Home-grown solutions and disparate spreadsheets may expose you if you are unable to bring all relevant data together and take the appropriate action.
What 3rd parties should companies focus on in their due diligence?
Do your due diligence as part of a broader ABAC [anti-bribery, anti-corruption] risk assessment so that you focus your efforts on the associated parties that pose the biggest risk. This will enable you to prioritise your mitigating actions accordingly and will make for a more effective and cost-efficient due diligence process.
How often should companies conduct due diligence on their 3rd parties?
There really is no universal, definitive answer to this question, however what is clear is that the risks associated with third parties can and do change over time. This means that your due diligence efforts need to be an on-going commitment that give you the confidence and protection that you are effectively mitigating third party risks not just at the beginning of a business relationship but throughout the whole lifetime of that relationship. How frequently you carry out due diligence will depend on the perceived risk posed by your third parties. Some companies carry out annual certification; however as a minimum we recommend that you conduct third party due diligence as part of your contract renewal process. You could also consider an automated system that will allow for automated database checks throughout the year and immediately alert you to any changes in the risk profile of your business partners so that you can take prompt action to review the relationship.
What are the main difficulties encountered by companies in addressing this due diligence requirement? What are ways to overcome these difficulties?
There’s no doubt that many businesses are still getting to grips with what a ‘proportionate approach’ to third party due diligence means for them – and one that will stand up to prosecutorial scrutiny should they ever be the subject of an investigation. What’s essential is to ensure that your policies and procedures for third party management are robust and proportionate to the bribery risks to which your business is exposed. Ensure that policies for engaging with third parties are embedded throughout your organisation including all stakeholders and regional business units who will be responsible for putting the processes into action in their day-to-day job roles. One of the biggest challenges is the sheer volume of data that can be involved, particularly for those businesses with long and complex supply chains who may have thousands of third party relationships to evaluate. To make sense of all the data and ensure effective and efficient consequence management, you really need to implement a system that will automate tasks and connect all the stakeholders. If you don’t do this, there is the very real danger of being overwhelmed by the information that has to be processed and that something could fall through the cracks and lead to a breach.
Visit Sai Global’s website http://www.saiglobal.com/
22 March 2012
Tags : UK Bribery Act requirements, due diligence on third parties, Iain McLeod, SAI Global
Is your anti-corruption compliance program up to international best practices standards ?
Strengthen, benchmark and communicate positively on your program through certification.
Reach international standards. Get results.
Anti-corruption compliance questions ? comments ?Contact us!
Learning Technologies for Compliance Training 2013read more
What risks do Third Parties represent in a company's compliance program?read more
Anti-corruption: a Driving Force in Foreign Direct Investment?
Denis Simonneau, Member of the Executive Committee in charge of European and International Relations, ENGIEread more
Individual Liability for Compliance Officers in the UK - more than just a need to "show backbone"
Judy Krieg, Partner, Shepherd and Wedderburnread more
Who's inside your tent? Identifying and mitigating 3rd party risksread more
Conducting Third Party Due Diligence
Vincent Bégle, Of Counsel, Norton Rose LLPread more
Is E-learning an effective alternative to face-to-face training?
Iain McLeod, Director of Compliance EMEA, SAI Globalread more
Keep abreast of anti-corruption compliance news
Sign up to receive our monthly newsletter