Third party risk management is easily one of the most challenging risks for compliance officers. With all the attention and hype surrounding third party risk, companies have marshaled attention and resources to mitigate the risk created by third party intermediaries.
In the last five years, companies have embraced new technologies to automate their third party screening and monitoring programs. Companies are slowly but steadily replacing older paper systems with new cloud based systems that provide accessible portals and maintain auditable records relating to each specific third party.
Companies operate separate procurement functions to screen and onboard vendors and suppliers. The vendor onboarding process typically involves a financial review to establish a credit rating and basic screening.
Both of these functions – third-party due diligence and vendor/supplier onboarding — need to be coordinated. In doing so, companies have to avoid a significant trap promoted by due diligence and supply chain risk management companies. Lawyers in this space have failed as well to distinguish between the types of risks created by third parties and by vendors/suppliers.
Under the FCPA, third party risks are created when a third party (e.g. agent, distributor) represents the company in its interactions with foreign government officials. Vendors and suppliers rarely act in a representational capacity.
For example, a supplier who provides a company with vending machine supplies for its employees (e.g. candies and drinks) and pays bribes to customs officials to secure transport of its products does not act in a representational capacity for a customer-company. The supplier may pay bribes but none of its customers will suffer FCPA liability for its payment of bribes to customs officials.
In contrast, a vendor who transports a specialty shipment of steel for a specific customer acts as a representative of the customer-company when it pays bribes to customs officials to transport its specialty shipment across country borders.
In reality, few vendors or suppliers create FCPA liability for its customer companies. However, that does not mean that vendors or suppliers do not create risks. Vendors and suppliers are used on occasion to funnel money from a company to fund bribery schemes, especially in China. In addition, vendors and suppliers can create real and significant reputational risks. Companies do not want to hire vendors or suppliers that rely on child labor or engage in human trafficking.
Even though the FCPA risks may differ between third parties and vendors/suppliers, companies should still bring together the screening, pre-engagement investigation functions to gain efficiencies and ensure consistency. Whatever screening functions are conducted, using the same system for third parties and vendors/suppliers is a fundamental requirement for third party and procurement systems.
If your third party and vendor onboarding process is not coordinated, companies could be suffering real inefficiencies and increased costs for screening. Additionally, there is no guarantee that vendor/supplier risk is being adequately mitigated.
Companies that fail to bring together these two significant functions are suffering from operational silos. A compliance program built in silos is bound to suffer deficient risk analysis and mitigation strategies. A failure to share information and coordinate operations across functions can undermine a company’s ethics and compliance program and create significant risks.
