Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance

Transcription

1 Simplify the Complexity of Managing 3rd Party Anti-Bribery / FCPA Compliance Arm Stakeholders with Critical Information to Assess 3rd Party Relationships and Comply with the Foreign Corrupt Practices Act (FCPA) Whitepaper Version 3.0

2 Contents 3rd Party Management... 3 Introduction...3 Balancing the Risk and the Rewards of 3rd Parties... 3 Complexities of 3rd Party Management... 3 FCPA Compliance... 4 Many Players Get Involved in Compliance...4 Taking a Proactive Approach...5 Step 1: Segmentation...6 Step 2: Initial Due Diligence...7 Step 3: Due Diligence Analysis/ Extended Due Diligence...8 Step 4: Contract monitoring/management...9 Step 5: Ongoing FCPA Monitoring and Management Training Your 3rd Parties Mergers and Acquisitions under the FCPA The Hiperos 3rd Party Management Solution About Hiperos Hiperos 2 P a g e

3 3rd Party Management Introduction Balancing the Risk and the Rewards of 3rd Parties The business landscape continues to evolve; companies are increasingly dependent upon 3rd parties. 3rd parties can include suppliers, contractors/consultants, distribution partners, resellers, agents, intermediaries, joint venture partners, trading partners and others acting on behalf of your company or providing indirect or direct materials and services to your value chain. 3rd parties can be critical to a company s success. However, in order to realize those benefits, companies must also understand and manage the inherent risks associated with these business relationships; beyond the financial and operational risks, 3rd party risk also includes regulatory compliance as well as brand and reputational impact. Complexities of 3rd Party Management Most companies consider management of their 3rd parties to be a business priority 1. However, implementing consistent, reliable and scalable programs to identify and minimize potential business uncertainties and legal liabilities continues to elude many organizations. Your company may have tens or even hundreds of thousands of existing 3rd party relationships and identify hundreds of potential new 3rd parties every week or month. In addition to the initial and ongoing communication with individual suppliers, distributors or It is virtually impossible to successfully manage 3rd party risk and regulatory compliance using spreadsheets. resellers, 3rd party management also requires cooperation and collaboration with individuals in your separate lines of business, country managers, executive management, board of directors, regulators and other agencies. As a result of heightened oversight and enforcement by regulatory bodies, boards of directors are now increasingly concerned about the risks associated their 3rd parties and mandating additional oversight, controls and reporting. Given this complex and collaborative environment, companies are re-considering how they assess and manage initial and on-going 3rd party risk; traditional approaches that rely on external data providers and spreadsheets do not deliver the scalability, objectivity or consistency that are required to address today s issues Hiperos 3 P a g e

4 FCPA Compliance One key piece of legislation affecting 3rd party management in all US publically-traded multi-national companies is the Foreign Corrupt Practices Act (FCPA). Audits and enforcement of the FCPA by the Securities Exchange Commission (SEC) and the Department of Justice (DOJ) are on the rise. A consistent, objective and auditable approach to FCPA compliance is required to mitigate the risk of non-compliance. The DOJ has been known to look more favorably upon companies who can demonstrate proactive, rigorous and thorough processes of risk assessment and oversight. i While employees play a key role in FCPA compliance, most FCPA violation risk involves a company s 3rd parties. ii Per Sidley Austin, a law firm with expertise in the FCPA, Corrupt payments by third-party representatives, such as agents, distributors or consultants are one of the largest and most uncertain risks to U.S. companies under the FCPA. iii Compliance, therefore, requires due diligence and monitoring of employees and 3rd parties alike. Corrupt payments by thirdparty representatives, such as agents, distributors or consultants are one of the largest and most uncertain risks to U.S. companies under the FCPA. Effective FCPA compliance should be pro-active and on-going, versus a one-time event. Like other facets of 3rd party management, effective FCPA compliance enables you to identify and manage those 3rd parties that represent a risk to your organization, provide auditable reporting, prevent compliance issues, protect you from legal action, and enable remediation. Many Players Get Involved in Compliance Many internal and external resources are involved in the 3rd Party FCPA compliance process: 3rd party relationship managers, internal lines of business leaders, risk committee members, compliance professionals, data providers (providing high level due diligence), investigative firms (providing deeper due diligence), FCPA Compliance Training Content providers, the 3rd party team members, etc. Managing all of these resources can be daunting. Using a collaborative technology platform enables you to solicit information from the various resources and to manage the information, feedback, attestations, due diligence reports consistently and objectively and in one secure location for review Hiperos 4 P a g e

5 Taking a Proactive Approach Auditors require comprehensive and appropriate evidence of due diligence and relationship management efforts regarding your 3rd parties. This process should apply: When you are considering a new 3rd party relationship during the qualification process If the status of the relationship changes Periodically to review existing relationships When an event occurs that raises the level of non-compliance risk Producing this type of objective reporting and evidence requires ongoing management. A well-defined and technology-enabled process enables you to appropriately manage compliance across your enterprise. You can accomplish it in five steps: 1. Segmentation 2. Initial due diligence 3. Due diligence analysis 4. Contract monitoring/management 5. Ongoing management Figure 1 - The Anti-Bribery FCPA - Process 2013 Hiperos 5 P a g e

6 Step 1: Segmentation Segmenting 3rd parties by the key indicators of FCPA compliance risk enables organizations to quickly and cost-effectively identify which 3rd parties should be considered to be in scope. Hiperos FCPA provides dynamic segmentation which automatically scores your 3rd parties, based on your preferences, to identify whether or not they represent a potential risk to FCPA compliance for your organization, reducing the time and cost of due diligence, the number of expensive investigations in the future, and focusing resources where they are needed most. This is achieved using company-specific key indicators such as: Category of 3rd party what services is the 3rd party providing Spend how much are you spending with this 3rd party Country where are goods and services being acquired or delivered Corruptions Perception Index (CPI) rating Segmenting your 3rd parties allows you to concentrate your resources on the relationships that pose a risk to FCPA compliance Figure 2 Hiperos FCPA - Segmentation 2013 Hiperos 6 P a g e

7 Step 2: Initial Due Diligence Initial due diligence provides additional granularity by identifying which 3rd parties potentially represent a high risk to FCPA compliance. Again, the objective is to considerably reduce the time and cost of due diligence, and only focus resources where they are needed. However, it also ensures that you are approaching due diligence in a consistent and objective manner across your organization. Viral Contact Finder addresses the problem that up to 75% of 3rd party contacts are incorrect or not available. Initial due diligence requires the input of several constituents, including the 3rd party to complete details your internal relationship manager may not know. Hiperos FCPA provides intelligent assessment capabilities which enable you to collaborate with your 3rd party and, again, ensure that the information being requested, the manner in which it is requested and recorded and the way in which it is reviewed is handled consistently and objectively. Responses are automatically scored (again, based on your company s preferences and requirements) to definitively identify those 3rd parties that potentially represent a high risk to FCPA compliance. Hiperos leverages its Viral Contact Finder technology to address the issue that the majority of companies have of lacking sufficient or accurate contact details for the majority of their 3rd parties in most cases up to 75% of 3rd party contacts are not available. The Viral Contact Finder is an automated mechanism for discovering the contact details required to communicate with and manage 3rd parties. Figure 3 Hiperos FCPA Intelligent Assessment 2013 Hiperos 7 P a g e

8 Step 3: Due Diligence Analysis/ Extended Due Diligence Having methodically highlighted the potential FCPA compliance risk of 3rd parties, companies can cost and time-effectively focus their extended due diligence resources. Many organizations automate the extended due diligence of any in scope 3rd party that is not considered to be a high risk. This includes automated feeds from government published denied party lists (DPLs) as well as rosters of politically-exposed-persons (PEPs) as well as out of the box integration with data providers such as LexisNexis, D&B, etc. Figure 4 Hiperos FCPA Due Diligence Report In order to further enrich the information available on a specific 3rd party, companies may also choose to engage local investigation companies. In most cases, this produces a significant number of large, status reports that require considerable time and effort to review and analyze. Hiperos enables content from those reports to be recorded and placed in context, turning previously static information into actionable intelligence Hiperos 8 P a g e

9 Hiperos automatically summarizes all FCPA due diligence into a concise audit report which can be reviewed by appropriate stakeholders and, as required, provided to auditors or regulators. Online reports have drill down capabilities, allowing users to review specific fields in more detail. Step 4: Contract monitoring/management The above steps allow appropriate individuals (i.e. an FCPA Counsel or a Global Compliance Leadership Team) to objectively review the FCPA risk of a specific 3rd party and make an informed decision on how to proceed. For most organizations, deciding to continue to do business with a high risk 3rd party requires some specific controls to be put in place. These can include requirements and contractual obligations such as training, verification of books and records, onsite assessment, etc. However, without appropriate technology, it is onerous for organizations to process, monitor and report on the progress and completion of these activities. Hiperos automates the management and monitoring of those controls, and their associated alerts can be routed directly to key internal stakeholders. This automation ensures that alerts get sent to the right people and predetermined action plans and requirements to maintain FCPA compliance are kept on track. Figure 5 Hiperos FCPA Automating 3rd Party Contractual Controls 2013 Hiperos 9 P a g e

10 Example Controls: FCPA-mandated attestations can be tracked to confirm that 3rd parties understand FCPA policies, have conducted employee training, and have pledged to avoid corrupt practices. A flag might indicate a 3rd party needs additional training, which can be delivered costeffectively on demand. Defined events such negative news stories or incidents from a whistleblower line may trigger additional due diligence activities such as onsite investigations. And follow-up reports can be tracked across the platform, providing a valuable audit trail. Applying the right set of automated and manual controls to each 3rd party relationship based on several inputs, ensures a proactive approach FCPA Compliance. Step 5: Ongoing FCPA Monitoring and Management Anti-bribery 3rd party risk management should not be considered as a one-time event, executed when a new 3rd party is on-boarded or when a company implements or extends is anti-bribery/fcpa program. Hiperos automates ongoing monitoring and assessments so a company can pro-actively identify changes in any particular aspect of a 3rd party relationship that might expose them to FCPA violations. Specific individuals, such as the engagement owner or contract manager can be automatically alerted to changes and the required action and/or reminded to review specific contractual obligations. Training Your 3rd Parties The November 2012 Resource Guide to the U.S. Foreign Corrupt Practices Act issued by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission specifically calls out training as what it considers to be one of the hallmarks of an effective FCPA compliance program. This includes providing appropriate training to 3 rd parties and ensuring that 3 rd parties understand your ethics and compliance programs. Hiperos Training enables an organization to integrate training into its 3rd party anti-bribery initiatives as well as into overall 3 rd party risk management objectives. Training can be delivered, scored and audited to your specific anti-bribery/fcpa requirements. Targeted training can be delivered to specific learners within target organizations and delivered on a one time or continuous basis. Attestations can be fully managed and audited. The results of the training can be used to support initial or on-going due diligence requirements as well as provide auditable reports for management, board members and regulators Hiperos 10 P a g e

11 Mergers and Acquisitions under the FCPA The recently released Foreign Corrupt Practices Act Guidance makes clear that one of the ten hallmarks of an effective compliance program is around mergers and acquisitions (M&A), in both the pre and postacquisition context. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps, most commonly, inadequate due diligence can allow a course of bribery to continue - with all the attendant harms to a business s profitability and reputation, as well as potential civil and criminal liability. In contrast, companies that conduct effective FCPA due diligence on their acquisition targets are able to evaluate more accurately each target s value and negotiate for the costs of the bribery to be borne by the target. But equally important is that if a company engages in the suggested actions, they will go a long way towards insulating, or at least lessening, the risk of FCPA liability going forward. Hiperos FCPA enables an organization to include the acquired company s 3 rd parties, their resellers as well as their supply chain in the due diligence which may be a critical factor for organizations that are heavily dependent on 3 rd parties. An automated, streamlined approach during the pre-acquisition phase quickly identifies which 3 rd parties present a high probably of FCPA risk, significantly reducing the time and costs of post-acquisition due diligence Hiperos 11 P a g e

12 The Hiperos 3rd Party Management Solution Hiperos simplifies the complexity of 3rd party management (3PM) with a proven, turn-key FCPA compliance solution that minimizes exposure to fines and penalties by automatically and continuously assuring 3rd party compliance. By identifying the 3rd parties that pose the greater risk, Hiperos helps companies avoid spending millions in unnecessary investigations that produce static reports that are almost immediately out of date. Once segmentation occurs, Hiperos provides a simple, yet detailed process to automatically assess each relationship and managing compliance. A turn-key solution that provides out of the box, customizable templates, the Hiperos FCPA compliance component can be implemented in less than a month. The Hiperos FCPA solution includes: A screening program to identify and assess the factors subjecting 3rd parties to FCPA regulations A complete evaluation of 3rd party business practices and relationships A review and sign-off process to confirm due diligence and compliance A flexible framework based on dynamic segmentation that delivers actionable intelligence The Hiperos solution is currently deployed in more than 137 countries and in 39 languages and provides out-of-the-box functionality for companies across all industries -- from financial services and insurance to high-tech, oil and gas, manufacturing and pharmaceutical. accommodates unique, complex and dynamic processes for each 3rd party, and provides best practice templates that can be adapted without the need for IT support. collects data from multiple sources and transforms this into intelligence that automatically triggers actions and workflows. proactively segments 3rd parties an ongoing basis so companies can invest time and resources where they will have the greatest impact Hiperos 12 P a g e

13 About Hiperos The Hiperos 3PM solution simplifies the complexity of 3rd party management across many major industries. 3rd party relationships include providers, sub-contractors, channel partners, suppliers, contract manufacturers, distributors, resellers, agents, or brokers who deliver a complex business function or service for a company. Hiperos helps companies avoid a value shortfall against expectations and realize the full benefits of 3rd party relationships by providing an SaaS (Software-as-a-Service) solution for managing the process complexities around 3rd party performance, compliance and risk. Because U.S-based companies are responsible for their 3rd parties actions regardless of the situation, our Hiperos 3PM solution helps businesses minimize reputational risk, regulatory penalties and negative customer impact. Our technology has been designed from the ground up to support processes and controls that ensure activities taking place outside a company s four walls can be managed just as effectively as those being performed internally. For more information about FCPA compliance or to get started protecting your organization, contact Hiperos today: +(1) solutions@hiperos.com i Cassin, Richard L., On CNBC, Peterson Knocks DOJ, Morgan Stanley, August 20, ii Cassin, Richard L., Fearing Third Parties, November 9, iii Sidley Austin LLP, Contracting with Third-Party Representatives, Anti-Corruption Quarterly, 2Q Hiperos 13 P a g e