I thought it would be helpful to run a series this week on the third-party due diligence process. It is one of my favorite topics and one that requires careful and continuing attention. I have put together a four-part series on some significant issues. Today we start with agent and distributor monitoring.
The field of due diligence has quickly filled up. If you look at the industry and company practices ten years ago, you will quickly realize that the world has changed. (Like the R.E.M. song: It’s the end of the world … and I feel fine).
Due diligence has become a cottage industry with plenty of competing firms offering investigative services, certification services, and integrated management systems. The industry has responded to company demand.
Companies have instituted (or in the process of instituting) their own screening and renewal systems for due diligence reviews of third party agents and distributors. These due diligence programs build in risk-ranking to guide the due diligence inquiry.
All of these developments are positive for compliance officers. Not to diminish these accomplishments, companies face a new and even more important challenge. How should companies monitor and respond to third-party risks after an initial screening and before a renewal examination?
A company’s obligation to monitor and audit its third parties is not satisfied by having a system that alerts you if an adverse media report is detected involving one of your third parties. Something more is required to ensure that your company is in the position to detect and prevent potential violations committed by its agents and distributors.
While I have been accused of overly simplifying complex issues (and many other things), the answer here is fairly obvious. A third party monitoring program should start with the risk-ranking process. Whatever formula or system is used to assign relative risk weights to third parties, that same system should be used to allocate resources for monitoring and auditing purposes.
Based on this initial calculation, the risk ranking can be updated as more information is learned and annual performance data is examined. For example, a third party distributor that has a significant increase in revenues (with no apparent explanation) may rise on the relative risk-ranking list (especially if the distributor is in China or any other high-risk country).
Agents and distributors should move up or down on the risk-ranking list as new information is collected. The updating process is an important prerequisite for any monitoring system.
Based on the relative ranking of the third parties, monitoring and audit resources need to be assigned. The precise allocation will depend on the amount of resources available to monitor and audit third parties.
The monitoring and audit tools include a number of potential options, ranging from low-intensity inquiries such as document requests, telephone interviews or desk audits, to high-intensity on-site compliance and financial audits.
To guide this process, the company should adopt a written protocol or policy document that outlines the procedures to be employed, the resources available, and the factors to be considered in monitoring and auditing agents and distributors.
Some of my favorite tools for monitoring and auditing agents and distributors include: (1) transaction testing (dumps) of a set number of transactions for agents and distributors; (2) issue spot checks (e.g. how many distributors trained? How many distributor agreements have anti-corruption compliance?); and (3) desk audits (phone interviews with follow up document requests).
Whatever tools are applied, an effective monitoring and auditing program has to implement a system predicated on these principles. It does not guarantee success but it certainly puts a company in a position to detect and prevent a third party agent or distributor from engaging in bribery.