Carrying out due diligence on third parties which is not based on a risk assessment is counterproductive for the following reasons:
- Due diligence on a third party which represents no risk is a waste of time and money.
- Due diligence which is not adapted to risk can result in superficial diligence on high-risk third parties, which could consequently put the company at risk.
- Not having a risk-based approach gives staff the impression that the compliance department is disconnected from the reality of the business, which damages its credibility.
What method should be used when evaluating third party risk?
ETHIC Intelligence, basing its analysis on the best practices of the US FCPA Resource Guide, UK Bribery Act Guidance, the French recommendations of the Sapin II law, and on the ISO 37001 guidelines, distinguishes three categories representing high, medium and low levels of risk.
Business partners are third parties whom it is relatively easy to overbill and who could have an interest in paying a bribe to successfully conclude a business negotiation they are executing for the company.
In this sub-category there are three types of business partners, which represent different kinds of risk, all of which require thorough due diligence.
Exposure to corruption risk associated with representatives is the risk imparted by an agent tasked with representing the company. Representatives include: sales agents, intermediaries, lobbyists, consultants for claims and receivables, logistics experts, customs brokers… In these situations, the company is responsible for the actions these agents undertake even if the representative is paying bribes unbeknownst to the company.
The corruption risk associated with representatives should be evaluated through a qualitative analysis of the business model. The evaluation should consider both the number of representative agents and the importance of their missions in the company’s business.
Distributors sell a company’s goods and services. The corruption risk is linked to the fact that when the product or service is sold either legitimately or through the payment of a bribe by the distributor, the ultimate beneficiary is the company. There are many distribution contracts and distributors can be exclusive or non-exclusive.
The risk of corruption associated with distributors should be assessed by a qualitative analysis of the business model that links the company to the distributor. The stronger the link, the higher the risk. The assessment must consider both the number of distributors as well as their level of dependence on the company.
In this instance corruption risk is transmitted by a partnering company within a consortium or JV (joint-venture) operation. In these situations, the company not only faces its own risk, but also shares the risks of the partnering companies when conducting business together. This shared corruption risk is determined through the importance of consortia or JVs in the business as well as the corruption risk exposure of the partnering organization.
Shared corruption risk is evaluated through a qualitative analysis of the business model. The evaluation should consider the number of joint ventures, their role in the business model and the risk they present intrinsically: activity, country…
The primary risk associated with business partners is that they might pay a bribe behind the back of the company, believing that it will increase their chances of commercial success. The partner is putting the company at legal risk, which can only be mitigated if the company has carried out thorough due diligence as proof of its genuine intention to do business with this partner. This diligence must be adapted to the specific risks of representatives, distributors and/or business partners.
Why are third parties used to pay a bribe? Quite simply because the set-up is relatively straightforward, and it is challenging to discover. It is enough to ask a third party, consultant, supplier or other individual to overbill the company for his service or product and then the extra amount can be used to pay a bribe or provide a service of value.
Overbilling is easiest to use for immaterial services whose value fluctuates more than the value of material goods whose worth can be determined using market prices.
Communications agencies, architectural offices, law firms and accountants fall under this category.
Unlike business partners, consultancies have nothing to gain by paying a bribe unless the company employing them asks them to. The risk of corruption begins with the company. The only risk represented by the consultancy is that it will accept and participate in the company’s request – which it will often do in order not to offend the client.
Consequently, due diligence on consulting firms should concentrate on their financial stability – their capacity to reject any request to overbill – and on their reputation – their intrinsic ability to refuse such a request.
Suppliers and sub-contractors
Suppliers and sub-contractors, like consultants, have no interest in or benefit to gain from paying a bribe unless it is at the request of the client. And if the company requests that one of its suppliers or sub-contractors pay a bribe, the amount will be relatively limited because the purchasing department will have various ways to compare prices for the product in the marketplace and thus be able to identify inflated prices.
If, despite the low risk, a company really wants to carry out due diligence, the operation should be light.
For the same reason, sub-contractors represent only a low risk of corruption and require a minimal level of due diligence. There is an important exception and that is when a sub-contractor’s use is imposed by the final client either in the context of a call for tender, direct sale or off-sets arrangement. In these instances, the risk is high. Although it is possible that the final client has a legitimate reason for imposing a certain sub-contractor, it is also possible that he is recommending the sub-contractor to gain some kind of undue advantage, as a shareholder for example. In this instance due diligence must be thorough, as thorough as it is for business partners.
Note: The ISO 37001 Standard on Anti-Bribery Management Systems as well as the UK Bribery Act Guidance and the Sapin II law in France all consider clients as third parties. These third parties require a risk assessment and due diligence radically different from that which is carried out on other third parties like business partners, consultants, suppliers or sub-contractors.