Compliance Risk Assessment and 3 rd Party Due Diligence & Monitoring

Transcription

1 Advisory Services May, 2011 Compliance Risk Assessment and 3 rd Party Due Diligence & Monitoring

2 Compliance Risk Strategy 3 rd Party Due Diligence 3rd Party Auditing The differing ways in which a company approaches overall compliance risk will have impact on the implementation of an effective program Third Party/Business Partner program. Compliance Risk Management Third Party Due Diligence Third Party Auditing Risk Tolerance Third Party Population When to exercise? Go to market strategy Levels of due diligence Scope? Steps before and after contracting Frequency? 6

3 Many companies are engaged in a complex web of 3 rd party relationships and face challenges in developing and implementing scalable, efficient processes to address the risks associated with such 3 rd Parties: Example risk factors: Manufacturers Joint Venture Partners Logistics / Supply Chain Resellers Distributors Contractors Value Added Resellers Lobbyists Consultants Sales Agents Regulatory Fraud risk Licensing / Contract Compliance Anti-corruption Export controls Anti-money laundering Recovery of revenues / costs Compliance with key terms Grey market / piracy Conflicts of interest Intellectual property The current regulatory environment expects, and regulators are increasingly demanding that companies know who is conducting business on their behalf and the risks associated with doing business with them. Companies use 3rd party business partners to assist them in various activities including, but not exclusive to sales, marketing, consulting and procurement. The pure number and complexity of such relationships and their role are sometimes unknown and not part of a Company s global risk assessment. A methodology designed to identify, assess, accept, and monitor relationships with 3rd party business partners is a key component of a strong compliance program. 2

4 Compliance Risk Strategy 3 rd Party Due Diligence 3rd Party Auditing The differing ways in which a company approaches overall compliance risk will have impact on the implementation of an effective program Third Party/Business Partner program. Compliance Risk Management Third Party Due Diligence Third Party Auditing Risk Tolerance Third Party Population When to exercise? Go to market strategy Levels of due diligence Scope? Steps before and after contracting Frequency? 6

5 Business partner compliance framework The following framework is designed to address the key risks related to 3 rd party relationships and sets out the potential elements of an effective, robust Business Partner Compliance program. Each activity builds on the last step to ensure an efficient risk based approach: Business Partner Data ERP systems Vendor master CRM systems Standardize or systematize using third party databases, industry specific factors, questionnaires, etc. Identify, Consolidate, and De-Duplicate Business Partners Risk Assessment Risk Analysis & Rating Business Partner Risk Classification Segmented into Low, Medium & High Risk Perform Due Diligence Approvals & Contracting / Contract amendments Reporting / Monitoring Continuous Reassessment Auditing Incident response and remediation Control environment and tone at the top Governance, executive sponsorship, compliance enforcement Training, polices and change management Technology, tools and information management 3

6 Partner approval, contracting and continuous reassessment The extent of approval required will depend on the level of risk. Final decisions can include conditions for approval that require enhanced internal controls or monitoring. Approval team reviews evaluations: Approval Level of effort High Medium Low + Head of Compliance + Central or Regional Compliance Officer Local Management Conditional Approval: Enhanced internal controls Additional monitoring Enhanced contractual terms Schedule Internal Audit Further Investigation Rejection Contracting / Contract Renewal / Amendments to T&Cs (e.g. FCPA language, payment terms) Business partner on boarding should be periodically revisited to ensure there have been no significant changes to the partner profile. This can include: annual re-certifications; updating questionnaire responses every one to three years; or revisiting due diligence procedures as appropriate. 6

7 Due diligence considerations Depending on a the results of the partner risk assessment, appropriate levels of due diligence should be conducted. The level of due diligence undertaken should be commensurate to the risk exposure: Example Low Risk Procedures Additional Medium Risk Procedures For all business partners, obtain certification from new Business Partner and/or employee requesting partner onboarding Consider conducting minimal checks of entity against an industry leading compliance database (e.g. WorldCompliance) or restricted entity listing to identify informative indicators via watch lists, sanctions lists, or PEP designation Consider comprehensive surveys (tiered based on level of risk) addressing compliance risk factors, such as ownership structure, compliance history, internal controls programs, etc. Amend standard contractual language to reflect appropriate provisions (e.g. FCPA, right to audit clause) Consider 3 rd party due diligence reports that may include analysis of: Compliance databases and regional-specific business/company/regulatory information databases; Additional High Risk Procedures English-language and relevant foreign-language media database; Litigation databases across relevant jurisdiction(s); and Commercial open source search engine for any readily-apparent adverse information. Consider enhanced 3rd party due diligence reports that, depending on the location of the entity and availability of information, may include: on-site public record searches at government offices, ministries and court houses; reputational and business information interviews with source contacts (diplomatic, commercial, intelligence, etc.); source information assessments of noteworthy relationships to political, military or government officials; and discreet inquiries with commerce officials, local embassies, etc. Consider requiring relevant training (e.g anti-bribery, compliance with Code of Conduct) prior to onboarding 5

8 Compliance Risk Strategy 3 rd Party Due Diligence 3rd Party Auditing The differing ways in which a company approaches overall compliance risk will have impact on the implementation of an effective program Third Party/Business Partner program. Compliance Risk Management Third Party Due Diligence Third Party Auditing Risk Tolerance Third Party Population When to exercise? Go to market strategy Levels of due diligence Scope? Steps before and after contracting Frequency? 6

9 Reporting and continuous monitoring After a business partner is on-boarded, the business will need to consider ongoing transactional risk. This could include procedures such as: Evaluating partner data sources (e.g. CRM, POS, ERP) and developing dashboards for monitoring key partner metrics Periodic reviews of transaction detail to ensure transactions are limited to compliant partners Monitoring training records for compliance with training requests Periodic reviews of accounting records, marketing funds / partner incentives and time & expense records Monitoring Whistleblower/helpline activity for business partner involvement Monitoring status of onboarding process activities and reviewing outstanding requests Channel Audits Investigation into unusual business practices Changes to T&Cs Prevent deals with high risk partners Escalate performance issues to Sales 7

10 Compliance audits with business partner contractual terms Companies seek to improve their competitive advantage, grow revenues, and reduce development time and costs through their relationships with 3rd parties. Periodic independent inspections of activities under these contracts can improve the value received. Companies can get more performance from these agreements and maintain their good relationships through effective and sensitive contract enforcement. Benefits of a robust licensing or contract compliance program includes: Compliance with key terms Identification of potential revenue leakage / incremental revenue Enhanced 3 rd party relationships / trust and increased communication Improved predictability of future payments / enhanced reporting controls Improvements to the drafting of future contracts Partners / Channel understands you take contractual terms seriously Flushes out contract language misinterpretations, side letters, etc. Provides better understanding of the customer base usage and compliance Analyze data Identify key contracts & terms Counterparty site inspection Validate reporting and present findings 8

11 Contacts Patricia Etzold Partner - Forensic Services New York Tel: Cell: patricia.etzold@us.pwc.com Ryan Murphy Director - Forensic Services Chicago Tel: Cell: ryan.d.murphy@us.pwc.com 14