10/17/2012 1

Managing Third-Party Risk

Managing Third-Party Risk:

Effective Anti-Corruption Programs and

Due Diligence Done Right

Michael Vermillion

10/17/2012 Managing Third-party Risk 2

What We’ll Cover

Corruption & Bribery

Current Regulatory Landscape

Risks Associated with Working with Third Parties

Elements of an Effective Anti-Corruption Program

Due Diligence Overview

Best Practices

Managing Third-party Risk 10/17/2012 3

10/17/2012 INSERT > Header & Footer 4

Corruption & Bribery, a closer look…

10/17/2012 Managing Third-party Risk 4

Regional Overview: Unique contexts, common problems 15% of all companies in industrialized countries pay bribes

o Asia this figure is at 30%

o former Soviet Union: 60%

Laws are only as good as the extent to which they are enforced

o Africa, Latin America, Eastern Europe & Asia

• Some anti-corruption laws in place…

• enforcement not happening

German Companies Call for Tougher Bribery Law

10/17/2012 NAVEX Global: The Ethics and Compliance Experts 5

What We’ll Cover

What Is Corruption

Current Regulatory Landscape

Risks Associated with Working with Third Parties

Elements of an Effective Anti-Corruption Program

Due Diligence Overview

Best Practices

Managing Third-party Risk 10/17/2012 6

What’s at stake.

Pfizer Inc. agreed to pay $60.2 million to settle a U.S. government probe

Johnson & Johnson agreed to pay $70 million to settle U.S. charges that it paid bribes

Niko Resources Ltd., “fine is $8,260,000 plus a victim surcharge of 15% for a total $9.5 million fine.

NAVEX Global: The Ethics and Compliance Experts 10/17/2012 7

10/17/2012 NAVEX Global: The Ethics and Compliance Experts 8

There have been more FCPA

investigations in the last five

years than in the previous 25!

The UK Bribery Act

Don’t forget local laws

Compliance is about what we must do.

Ethics is about what we should do.

Client Advisory Council 9

10/17/2012 Managing Third-party Risk 9

U.S. Federal Sentencing Guide “… a large organization should encourage small organizations (especially those that have a relationship with large organization) to implement effective compliance and ethics programs.”

UK Bribery Act

Individuals risk up to ten years in prison with unlimited fines. Organizations risk unlimited fines, debarment from EU contracts, and the confiscation of the value of corruptly obtained contracts.

Worldwide third-party relationships under scrutiny.

10/17/2012 Managing Third-party Risk 10

Not all laws are created equal.

UKBA

UKBA covers bribes made, offered, or

received in the public & private sector

UKBA creates an offense for the receipt

of a bribe

Violations include “facilitation”

payments.

Up to 10 years prison for individuals

Unlimited monetary fines

Provides a defense for companies with

“adequate procedures”

10/17/2012 NAVEX Global: The Ethics and Compliance Experts 11

FCPA/CFPOA

FCPA prohibits only bribes paid to

“foreign public officials”

While the FCPA penalizes only

the making of a bribe

“Facilitation” okay when lawful

Up to 5 years prison for individuals

Unlimited (CFPOA) & 2M Limit

(FCPA)

What We’ll Cover

What Is Corruption

Current Regulatory Landscape

Risks Associated with Working with Third Parties

Elements of an Effective Anti-Corruption Program

Due Diligence Overview

Best Practices

Managing Third-party Risk 10/17/2012 12

POP QUIZ True or False? In June 2009, Continental Airlines stranded passengers on a small plane overnight for six hours outside Minneapolis when they could have allowed the passengers to get off the plane and wait in the terminal. True or False? In 2007, Mattel made products for children that contained unhealthy levels of lead. True or False? In 1993, Nike employed child labor in Southeast Asia? Answer to all… False

Your reputation is at stake!

“It takes 20 years to build a reputation and five

minutes to destroy it.”

—W. Buffet

“It takes many good deeds to build

a good reputation, and only one bad one

to lose it”

- Ben Franklin

“Our assets are our people, capital, and

reputation. If any of these are ever diminished,

the last is the most difficult to restore.”

—Goldman Sachs Business Principles

10/17/2012

Managin

g Third-

party

Risk

14

Source: Compliance and Ethics Leadership Council

Abundant Reputational Risk

Global Anti-Corruption Case Studies

10/17/2012 NAVEX Global: The Ethics and Compliance Experts 17

Enforcement: Not just for Government

Source: Compliance and Ethics Leadership Council

SUPPLIERS IN

EMERGING

MARKETS

TEMPORARY

EMPLOYEES

SUBCONTRACTORS

INT’L

INTERMEDIARIES

DOMESTIC

AGENCIES

OFFSHORE

SERVICE

PROVIDERS

DATA

VENDORS

FOREIGN

DISTRIBUTORS

DEALERS/

RESELLERS

LOBBYISTS

AUDITORS

INT’L JOINT

VENTURES

PARTNERSHIPS

SUPPLIERS’

SUPPLIERS

CONTRACTORS

VENDORS DISTRIBUTORS

CONSULTANTS

JOINT

VENTURES

SUPPLIERS

AGENTS

YOUR

CORPORATION

A High Level of

Complexity

Corporations need to manage divergent

legal relationships across a multitude of

partners, and struggle to gain visibility

into often-hidden risks.

Your Supply Chain… bigger than you thought

Anti-Corruption – What will investigators focus on?

Are you acting in good faith?

Do you have a healthy, robust compliance program?

What is the likelihood of the offense reoccurring?

Did your compliance program uncover this issue?

How did you respond?

If this issue identified weaknesses in your compliance program,

have they been corrected?

10/17/2012

Managin

g Third-

party

Risk

19

What We’ll Cover

What Is Corruption

Current Regulatory Landscape

Risks Associated with Working with Third Parties

Elements of an Effective Anti-Corruption Program

Due Diligence Overview

Best Practices

Managing Third-party Risk 10/17/2012 20

Risk Assessment Commitment

Policies, Procedures,

Internal Controls

Communication and Training

Compliance Infrastructure

Disciplinary Guidelines

Third Party Accountability

Monitoring and Auditing

Review and Testing

Elements of an Effective Anti-Corruption Program

10/17/2012 Managing Third-party Risk 21

Geographical and country risk

Interaction with governmental

officials

Industry of operation

Extent of third-party usage

Importance of licenses and permits

Degree of governmental oversight

and inspection

Volume and importance of goods,

and people clearing customs &

immigration

10/17/2012

Managin

g Third-

party

Risk

22

1. Risk Assessment

What Makes a Good Corruption Risk Assessment?

Fits within the company’s culture

Sponsored and supported by the right people—You!

Encourages open participation and transparency

Embraced throughout the company as an important and valuable process

Used to monitor or influence factors that put the company at risk

Serves as the foundation for the company’s code of conduct, anti-

corruption controls, and overall prevention program

An ineffective risk assessment will result in deficiencies in the company’s

other initiatives

10/17/2012

Managin

g Third-

party

Risk

23

Strong, explicit, and visible

support

Appropriate measures to

encourage and support a

robust and effective ethics

and compliance program

oAdequate funding

oAdequate resources

oAdequate support

10/17/2012

Managin

g Third-

party

Risk

24

2. Commitment

Designated responsibility to one or more senior corporate

executives for:

o Implementation and oversight of policies, standards, and procedures

Compliance Officer must report to independent body such as:

o Internal Audit

o Board of Directors

o Board of Directors Committee

Adequate level of autonomy from management, sufficient

resources, and authority

10/17/2012

Managin

g Third-

party

Risk

25

3. Compliance Infrastructure

Must be explicit, clearly articulated, and visible

o FCPA and other global anticorruption laws

o Policies and procedures must include directives

o Cover policies toward “gifts & entertainment, and expenses; customer travel, political contributions; charitable donations; facilitation payments; and solicitation

and extortion.”

o Applicable to all officers, directors, employees, and third parties acting on behalf of the organization

Internal controls to avoid and address potential violations of books, records, and accounting provisions

o “Reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts, and ensure they cannot be used for the purpose of bribery or

concealing such bribery.”

10/17/2012

Managin

g Third-

party

Risk

26

4. Policies, Procedures, Internal Controls

Must carry serious consequences for violations of anti-

corruption laws, compliance code, policies, and procedures:

oDirectors

oOfficers

o Employees

o Third parties

Reasonable steps to remedy harm and prevent further

misconduct

10/17/2012

Managin

g Third-

party

Risk

27

5. Disciplinary Guidelines

Effective communication and periodic training on

policies and procedures to

o Directors, officers, employees, third parties

o Know and understand the Policies

Annual certification to certify compliance and training

requirements

10/17/2012

Managin

g Third-

party

Risk

28

6. Communication and Training

Ongoing to ensure effectiveness

Directed to company’s key risk

areas

Measure for effectiveness

Regular audits of books and records

(including third parties)

10/17/2012

Managin

g Third-

party

Risk

29

7. Monitoring and Auditing

Designed to evaluate and improve effectiveness

At least once a year to assess relevant

developments in international and industry

standards

Update and adapt policies, procedures, internal

controls, and compliance program to ensure

continued effectiveness

10/17/2012

Managin

g Third-

party

Risk

30

8. Review and Testing

“Institute appropriate due diligence and compliance requirements

pertaining to the retention and oversight.”

Inform third parties of the company’s commitment to abiding by laws

and ethics and compliance standards.

Obtain “reciprocal commitment” reflecting understanding and

acceptance.

Agreements and contracts (including renewals) have proper anti-

corruption language and that the company may have the right to:

o Audit

o Terminate

10/17/2012

Managin

g Third-

party

Risk

31

9. Third-Party Accountability

Anti-Corruption Prevention Controls

Zero Tolerance—no tolerance for corruption

Audit—actively and aggressively look for corruption

Education—what is corruption is and warning signs

Pressure—be a resource for those that may be facing pressure

Code of Conduct—needs strong communication from company

leaders

Anti-Corruption Policy—separate, unambiguous,

communicated

10/17/2012

Managin

g Third-

party

Risk

32

What We’ll Cover

What Is Corruption

Current Regulatory Landscape

Risks Associated with Working

with Third Parties

Elements of an Effective Anti-

Corruption Program

Due Diligence Overview

Best Practices

Managing Third-party Risk 10/17/2012 33

POLLING QUESTION

In your organization, who owns third-party due

diligence?

1. Ethics and Compliance

2. Legal

3. Supply Chain or Procurement

4. Internal Audit

5. Other

What Is Due Diligence?

specifically…

verify and validate the customer’s

identity

identify relevant adverse

information

risk assess the potential for money

laundering & terrorist financing…

—Peter Warrack in the July 2006

edition of ACAMS Today

An investigation of a

business or person prior to

signing a contract

An act with a certain

standard of care

The process through which a

potential acquirer evaluates

a target company or its

assets for acquisition [1] Source: Wikipedia

10/17/2012 Managing Third-party Risk 35

What Is Effective Due Diligence

o Embed language in contractual terms specific to legal,

regulatory, financial, and reputational compliance

o Implement Third-Party Code of Conduct

o Conduct global database checks (GDC) on third parties

consistently

• Business information declines at a rate of 20% a year

• Data becomes less accurate over time

oRun enhanced due diligence (EDD) on those with a higher risk

10/17/2012

Managin

g Third-

party

Risk

36

What Is Effective Due Diligence

oRequire that third parties certify compliance with all laws

and regulations that govern their business.

o Educate and train your third parties on relevant laws and

regulations.

o Provide an anonymous avenue for third parties to report

potential violations of laws and regulations.

10/17/2012

Managin

g Third-

party

Risk

37

What We’ll Cover

What Is Corruption

Current Regulatory Landscape

Risks Associated with Working

with Third Parties

Elements of an Effective Anti-

Corruption Program

Due Diligence Overview

Best Practices

Managing Third-party Risk 10/17/2012 38

Effective Due Diligence

1. Pre-Screen Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.

2. Risk Assessment Best-in-class screening process that provides a comprehensive view into complete enterprise risk—financial, regulatory, reputational, and governance.

3. Risk Mitigation and Action Steps

Dictates mitigation activities that must be taken by both the third party and you.

4. Ongoing Monitoring Periodic re-screening process that identifies change in enterprise risk, ensures information is kept current, and continued compliance to client policies.

4. Monitor 3. Mitigate 2. Assess 1. Pre-Screen

10/17/2012 Managing Third-party Risk 39

Global Database and Adverse Media Checks

Global Media:

10,000 individual sources of public-source newspapers, magazines, television and

radio transcripts, trade publications, geographic publications, academic journals,

and gray literature.

The database process incorporates human-translated foreign-language

material

Media sources cover every region of the world

Government Lists and Regulatory Authority Actions:

• The dataset includes fugitive lists, exclusions lists, global sanctions lists, fraud

warnings, debarment lists, disciplinary actions, enforcement actions, etc.

• The sources span a broad spectrum of local, state, and federal lists of risk-

relevant individuals and organizations

Basic Risk Assessment FATF Financial Action Task Force Bank of England Consolidated List HM Treasury Investment Ban List HM Treasury Sanctions Hong Kong Monetary Authority HUD LDP Interpol Most Wanted Exclusions OSFI Consolidated List OSFI Country Offshore Financial Centers Peoples Bank of China (PBC) Primary Money Laundering Concern Primary Money Laundering Concern Jurisdictions Reserve Bank of Australia Terrorist Exclusion List UK FSA UN Consolidated List Unauthorized Banks World Bank Ineligible Firms

Ireland Financial Regulator Unauthorized Firms Japan FSA Japan METI-WMD Proliferators Japan MOF Sanctions Monetary Authority of Singapore Nonproliferation Sanctions OFAC Non-SDN Entities OFAC Sanctions OFAC SDN OIG Australia Dept. of Foreign Affairs and Trade Bureau of Industry and Security Chiefs of State and Foreign Cabinet Members Commodity Futures Trading Commission Sanctions DTC Debarred Parties EU Consolidated List EPLS FBI Hijack Suspects FBI Most Wanted FBI Most Wanted Terrorists FBI Seeking Information FBI Top Ten Most Wanted

We also use a confidential set of 350 other global watch lists in our

screening process.

10/17/2012 Managing Third-party Risk 41

Enhanced Risk Assessment

10/17/2012 Managing Third-party Risk 42

GDC Plus

Financial Review

o Including payment performance and financial stability

Physical Records Check

oCapture physical public records in country for each business

Litigation and Criminal Document Review

oEntity and Officers and Directors

On-Site Business Verification

oPhotos taken both external and internal

oValidate key business executives

oReference Checks

Policy and Procedure Review (including Code of

Conduct)

oAdequate procedures to prevent wrongdoing going

forward

Enhanced Risk Assessment … continued

Case Study: CFO Barred by SEC Our client requested that we screen a new potential partner. We found that the company’s chief

financial officer had been barred by the SEC due to securities laws violations.

Case Study: Murder and Manslaughter

In screening existing vendors for our client in, we found several alerts

that required further investigation Including:

Code Alert

MUR–Murder, Manslaughter

The company’s CEO, Domenic Gatto, charged with the murder and has past convictions for burglary, assaulting police, racketeering, possessing firearms, and obtaining financial advantage by deception.

MUR–Murder, Manslaughter

KEPPEL Shipyard has pleaded guilty to a charge arising from a fire on board the oil tanker Almudaina at its Benoi yard in May 2004 that killed seven workers.

MUR–Murder, Manslaughter

Jacobs EngineerinInc. of Pasadena, California, was accused by the state of Minnesota over the deadly Interstate 35W bridge collapse that killed 13 people and injured 145.

MUR–Murder, Manslaughter

WorleyParsons Sefaces a charge for the death of two workers during a cyclone.

Effective Third-Party Compliance Programs

What to do?

Conduct due diligence before you enter into a relationship.

Create a phased project plan to identify, prioritize, and address

greatest risks first.

Customize due diligence based on risk assessment.

Build a program using a platform or partner that enables initial

transparency, long-term scalability, and tracking of mitigation.

Audit and monitor.

Think and implement globally.

10/17/2012

Managin

g Third-

party

Risk

46

Questions…

10/17/2012 47 INSERT > Header & Footer

10/17/2012 48 NAVEX Global: The Ethics and Compliance Experts

Thank You