TRANSCRIPT
10/17/2012 1
Managing Third-Party Risk:
Effective Anti-Corruption Programs and
Due Diligence Done Right
Michael Vermillion
What We’ll Cover
Corruption & Bribery
Current Regulatory Landscape
Risks Associated with Working with Third Parties
Elements of an Effective Anti-Corruption Program
Due Diligence Overview
Best Practices
Corruption & Bribery, a closer look…
Regional Overview: Unique contexts, common problems
o 15% of all companies in industrialized countries pay bribes
  • In Asia this figure is 30%
  • Former Soviet Union: 60%
o Laws are only as good as the extent to which they are enforced
  • Africa, Latin America, Eastern Europe & Asia: some anti-corruption laws are in place, but enforcement is not happening
Headline: German Companies Call for Tougher Bribery Law
What’s at stake.
o Pfizer Inc. agreed to pay $60.2 million to settle a U.S. government probe
o Johnson & Johnson agreed to pay $70 million to settle U.S. charges that it paid bribes
o Niko Resources Ltd.: “fine is $8,260,000 plus a victim surcharge of 15% for a total $9.5 million fine.”
There have been more FCPA investigations in the last five years than in the previous 25!
The UK Bribery Act
Don’t forget local laws
Compliance is about what we must do.
Ethics is about what we should do.
U.S. Federal Sentencing Guidelines: “… a large organization should encourage small organizations (especially those that have a relationship with large organization) to implement effective compliance and ethics programs.”
UK Bribery Act
Individuals risk up to ten years in prison with unlimited fines. Organizations risk unlimited fines, debarment from EU contracts, and the confiscation of the value of corruptly obtained contracts.
Worldwide third-party relationships under scrutiny.
Not all laws are created equal.
UKBA
o UKBA covers bribes made, offered, or received in the public & private sector
o UKBA creates an offense for the receipt of a bribe
o Violations include “facilitation” payments.
o Up to 10 years prison for individuals
o Unlimited monetary fines
o Provides a defense for companies with “adequate procedures”
FCPA/CFPOA
o FCPA prohibits only bribes paid to “foreign public officials”
o While the FCPA penalizes only the making of a bribe
o “Facilitation” okay when lawful
o Up to 5 years prison for individuals
o Unlimited (CFPOA) & 2M Limit (FCPA)
POP QUIZ
True or False? In June 2009, Continental Airlines stranded passengers on a small plane overnight for six hours outside Minneapolis when they could have allowed the passengers to get off the plane and wait in the terminal.
True or False? In 2007, Mattel made products for children that contained unhealthy levels of lead.
True or False? In 1993, Nike employed child labor in Southeast Asia?
Answer to all… False
Your reputation is at stake!
“It takes 20 years to build a reputation and five minutes to destroy it.”
—W. Buffett
“It takes many good deeds to build a good reputation, and only one bad one to lose it.”
—Ben Franklin
“Our assets are our people, capital, and reputation. If any of these are ever diminished, the last is the most difficult to restore.”
—Goldman Sachs Business Principles
Source: Compliance and Ethics Leadership Council
Abundant Reputational Risk
Global Anti-Corruption Case Studies
Enforcement: Not just for Government
Source: Compliance and Ethics Leadership Council
Your Supply Chain… bigger than you thought
[Diagram: “YOUR CORPORATION” at the centre, surrounded by rings of third parties: suppliers, agents, joint ventures, consultants, vendors, distributors, contractors, suppliers’ suppliers, partnerships, int’l joint ventures, auditors, lobbyists, dealers/resellers, foreign distributors, data vendors, offshore service providers, domestic agencies, int’l intermediaries, subcontractors, temporary employees, suppliers in emerging markets.]
A High Level of Complexity
Corporations need to manage divergent legal relationships across a multitude of partners, and struggle to gain visibility into often-hidden risks.
Anti-Corruption – What will investigators focus on?
o Are you acting in good faith?
o Do you have a healthy, robust compliance program?
o What is the likelihood of the offense reoccurring?
o Did your compliance program uncover this issue?
o How did you respond?
o If this issue identified weaknesses in your compliance program, have they been corrected?
Elements of an Effective Anti-Corruption Program
o Risk Assessment
o Commitment
o Policies, Procedures, Internal Controls
o Communication and Training
o Compliance Infrastructure
o Disciplinary Guidelines
o Third Party Accountability
o Monitoring and Auditing
o Review and Testing
1. Risk Assessment
o Geographical and country risk
o Interaction with governmental officials
o Industry of operation
o Extent of third-party usage
o Importance of licenses and permits
o Degree of governmental oversight and inspection
o Volume and importance of goods, and people clearing customs & immigration
What Makes a Good Corruption Risk Assessment?
o Fits within the company’s culture
o Sponsored and supported by the right people—You!
o Encourages open participation and transparency
o Embraced throughout the company as an important and valuable process
o Used to monitor or influence factors that put the company at risk
o Serves as the foundation for the company’s code of conduct, anti-corruption controls, and overall prevention program
An ineffective risk assessment will result in deficiencies in the company’s other initiatives.
2. Commitment
o Strong, explicit, and visible support
o Appropriate measures to encourage and support a robust and effective ethics and compliance program
  • Adequate funding
  • Adequate resources
  • Adequate support
3. Compliance Infrastructure
o Designated responsibility to one or more senior corporate executives for:
  • Implementation and oversight of policies, standards, and procedures
o Compliance Officer must report to an independent body such as:
  • Internal Audit
  • Board of Directors
  • Board of Directors Committee
o Adequate level of autonomy from management, sufficient resources, and authority
4. Policies, Procedures, Internal Controls
o Must be explicit, clearly articulated, and visible
  • FCPA and other global anticorruption laws
  • Policies and procedures must include directives
  • Cover policies toward “gifts & entertainment, and expenses; customer travel, political contributions; charitable donations; facilitation payments; and solicitation and extortion.”
  • Applicable to all officers, directors, employees, and third parties acting on behalf of the organization
o Internal controls to avoid and address potential violations of books, records, and accounting provisions
  • “Reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts, and ensure they cannot be used for the purpose of bribery or concealing such bribery.”
5. Disciplinary Guidelines
o Must carry serious consequences for violations of anti-corruption laws, compliance code, policies, and procedures, for:
  • Directors
  • Officers
  • Employees
  • Third parties
o Reasonable steps to remedy harm and prevent further misconduct
6. Communication and Training
o Effective communication and periodic training on policies and procedures to
  • Directors, officers, employees, third parties
  • Know and understand the Policies
o Annual certification to certify compliance and training requirements
7. Monitoring and Auditing
o Ongoing to ensure effectiveness
o Directed to company’s key risk areas
o Measure for effectiveness
o Regular audits of books and records (including third parties)
8. Review and Testing
o Designed to evaluate and improve effectiveness
o At least once a year to assess relevant developments in international and industry standards
o Update and adapt policies, procedures, internal controls, and compliance program to ensure continued effectiveness
9. Third-Party Accountability
o “Institute appropriate due diligence and compliance requirements pertaining to the retention and oversight.”
o Inform third parties of the company’s commitment to abiding by laws and ethics and compliance standards.
o Obtain “reciprocal commitment” reflecting understanding and acceptance.
o Agreements and contracts (including renewals) have proper anti-corruption language and that the company may have the right to:
  • Audit
  • Terminate
Anti-Corruption Prevention Controls
o Zero Tolerance—no tolerance for corruption
o Audit—actively and aggressively look for corruption
o Education—what corruption is and the warning signs
o Pressure—be a resource for those that may be facing pressure
o Code of Conduct—needs strong communication from company leaders
o Anti-Corruption Policy—separate, unambiguous, communicated
POLLING QUESTION
In your organization, who owns third-party due
diligence?
1. Ethics and Compliance
2. Legal
3. Supply Chain or Procurement
4. Internal Audit
5. Other
What Is Due Diligence?
o An investigation of a business or person prior to signing a contract
o An act with a certain standard of care
o The process through which a potential acquirer evaluates a target company or its assets for acquisition [1]
[1] Source: Wikipedia
Specifically…
o verify and validate the customer’s identity
o identify relevant adverse information
o risk assess the potential for money laundering & terrorist financing…
—Peter Warrack in the July 2006 edition of ACAMS Today
What Is Effective Due Diligence
o Embed language in contractual terms specific to legal, regulatory, financial, and reputational compliance
o Implement Third-Party Code of Conduct
o Conduct global database checks (GDC) on third parties consistently
  • Business information declines at a rate of 20% a year
  • Data becomes less accurate over time
o Run enhanced due diligence (EDD) on those with a higher risk
What Is Effective Due Diligence (continued)
o Require that third parties certify compliance with all laws and regulations that govern their business.
o Educate and train your third parties on relevant laws and regulations.
o Provide an anonymous avenue for third parties to report potential violations of laws and regulations.
Effective Due Diligence
1. Pre-Screen: Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.
2. Risk Assessment: Best-in-class screening process that provides a comprehensive view into complete enterprise risk—financial, regulatory, reputational, and governance.
3. Risk Mitigation and Action Steps: Dictates mitigation activities that must be taken by both the third party and you.
4. Ongoing Monitoring: Periodic re-screening process that identifies change in enterprise risk, ensures information is kept current, and continued compliance to client policies.
(Cycle: 1. Pre-Screen → 2. Assess → 3. Mitigate → 4. Monitor)
Global Database and Adverse Media Checks
Global Media:
o 10,000 individual sources of public-source newspapers, magazines, television and radio transcripts, trade publications, geographic publications, academic journals, and gray literature.
o The database process incorporates human-translated foreign-language material
o Media sources cover every region of the world
Government Lists and Regulatory Authority Actions:
o The dataset includes fugitive lists, exclusions lists, global sanctions lists, fraud warnings, debarment lists, disciplinary actions, enforcement actions, etc.
o The sources span a broad spectrum of local, state, and federal lists of risk-relevant individuals and organizations
Basic Risk Assessment sources: FATF Financial Action Task Force; Bank of England Consolidated List; HM Treasury Investment Ban List; HM Treasury Sanctions; Hong Kong Monetary Authority; HUD LDP; Interpol Most Wanted; Exclusions; OSFI Consolidated List; OSFI Country; Offshore Financial Centers; Peoples Bank of China (PBC); Primary Money Laundering Concern; Primary Money Laundering Concern Jurisdictions; Reserve Bank of Australia; Terrorist Exclusion List; UK FSA; UN Consolidated List; Unauthorized Banks; World Bank Ineligible Firms; Ireland Financial Regulator Unauthorized Firms; Japan FSA; Japan METI-WMD Proliferators; Japan MOF Sanctions; Monetary Authority of Singapore; Nonproliferation Sanctions; OFAC Non-SDN Entities; OFAC Sanctions; OFAC SDN; OIG; Australia Dept. of Foreign Affairs and Trade; Bureau of Industry and Security; Chiefs of State and Foreign Cabinet Members; Commodity Futures Trading Commission Sanctions; DTC Debarred Parties; EU Consolidated List; EPLS; FBI Hijack Suspects; FBI Most Wanted; FBI Most Wanted Terrorists; FBI Seeking Information; FBI Top Ten Most Wanted
We also use a confidential set of 350 other global watch lists in our screening process.
Enhanced Risk Assessment: GDC Plus
o Financial Review
  • Including payment performance and financial stability
o Physical Records Check
  • Capture physical public records in country for each business
o Litigation and Criminal Document Review
  • Entity and Officers and Directors
o On-Site Business Verification
  • Photos taken both external and internal
  • Validate key business executives
  • Reference Checks
o Policy and Procedure Review (including Code of Conduct)
  • Adequate procedures to prevent wrongdoing going forward
Enhanced Risk Assessment … continued
Case Study: CFO Barred by SEC
Our client requested that we screen a new potential partner. We found that the company’s chief financial officer had been barred by the SEC due to securities laws violations.
Case Study: Murder and Manslaughter
In screening existing vendors for our client in, we found several alerts that required further investigation, including:
Code: MUR–Murder, Manslaughter. Alert: The company’s CEO, Domenic Gatto, was charged with murder and has past convictions for burglary, assaulting police, racketeering, possessing firearms, and obtaining financial advantage by deception.
Code: MUR–Murder, Manslaughter. Alert: KEPPEL Shipyard has pleaded guilty to a charge arising from a fire on board the oil tanker Almudaina at its Benoi yard in May 2004 that killed seven workers.
Code: MUR–Murder, Manslaughter. Alert: Jacobs Engineering Inc. of Pasadena, California, was accused by the state of Minnesota over the deadly Interstate 35W bridge collapse that killed 13 people and injured 145.
Code: MUR–Murder, Manslaughter. Alert: WorleyParsons Se faces a charge for the death of two workers during a cyclone.
Effective Third-Party Compliance Programs
What to do?
o Conduct due diligence before you enter into a relationship.
o Create a phased project plan to identify, prioritize, and address greatest risks first.
o Customize due diligence based on risk assessment.
o Build a program using a platform or partner that enables initial transparency, long-term scalability, and tracking of mitigation.
o Audit and monitor.
o Think and implement globally.
Questions…
Thank You