Third parties, whether distributors, consultants, suppliers, vendors, or other organizations, form an integral part of a company’s functioning, operations, growth, and success. While essential, these third parties bring new supply chain, financial, legal, compliance, and intellectual risks that could damage companies’ reputations and operations. As part of the internal controls, companies should design and maintain a standardized and robust due diligence process before contracting with any third party to mitigate and manage risks aligned with the contracting entity’s risk appetite.
Subcontracting and outsourcing within the supply chain become inevitable to maintain a competitive edge within the marketplace by driving efficiency and keeping costs low, which further exposes the contracting entity. A white paper titled Due Diligence in Vetting and Monitoring Suppliers states that “The risks of doing business with suppliers that fail to perform appropriately include potential supply chain disruption, reputational damage and even government investigations that may arise when regulatory compliance issues are involved.” While a contracting entity hopes that transparency, trust, and ethical values form part of the third party’s organizational culture, business conducted with external parties is not without risks.
The risk of contracting with a third party becomes especially apparent as a company expands to international markets. For example, the risk of an American company with a subsidiary in an offshore country now becomes multi-fold since the subsidiary and the third party will have to comply with both American and local laws and regulations. When dealing with third parties abroad, there could be a higher perceived risk of fraud within the third party’s jurisdiction, further exposing the contracting company. While most third parties act appropriately and help facilitate transactions in international markets, some third parties exist to make illicit gifts or payments to secure business on behalf of the contracting entity, violating fundamental Acts and Regulations, such as the Foreign Corrupt Practices Act, among others. These actions may expose the contracting company to civil and criminal liability.
The Securities and Exchange Commission (SEC) charged Ericsson for violations of the Foreign Corrupt Practices Act (FCPA), costing the company $520 million in fines and irreparable reputational damage. A press release issued by the SEC noted the following: “The Securities and Exchange Commission today announced that Sweden-based Telefonaktiebolaget LM Ericsson was charged with engaging in a large-scale bribery scheme involving the use of sham consultants to secretly funnel money to government officials in multiple countries.” The press release further explained that “from 2011 through 2017, Ericsson subsidiaries obtained business valued at approximately $427 million by using third parties to bribe officials in Saudi Arabia, China, and Djibouti.” A robust due diligence process should uncover red flags surrounding sham consultants. While collusion could be a risk factor, the due diligence process must attempt to mitigate collusion risk through multiple-level approval channels and personnel accountability.
There are fundamental elements to an effective due diligence process. To obtain accurate and relevant information regarding the third party and any new red flags that may arise, it becomes essential to collect accurate corporate information periodically. Critical information is collected through integrity-based screening (i.e., survey responses and attestations), transactional and reputational monitoring through background checks, reference checks, independent research, and so forth. Periodic employee training and knowledge testing are equally essential to ensure a clear understanding of the due diligence procedures and accountability for any deviations. It is important to note that work papers supporting the due diligence process steps undertaken must be stored away and easily accessed for each third party. Further, Board oversight of the process must occur consistently.
High-risk third parties that break the law will expose your company to infractions merely through your association with them. You need to protect your company. For this reason, it is crucial to ensure that a seamless due diligence process is implemented and maintained without deviation to sustain a lower risk level aligned with the company’s risk appetite. “The ramifications of a scandal related to a third-party partner can easily take down an organization, resulting in such risks as a damaged reputation and brand devaluation, regulatory violations, legal proceedings, and possible fines and jail terms for directors…the only way to fully protect the corporation’s assets is through a solid and viable third-party risk management program.” To ensure that the contracting entity’s due diligence process is working correctly and in line with best practices, an external consultant’s periodic review of the process becomes invaluable.