FDR’s Fireside Chat And Risk Ranking Of Third Parties Under The FCPA

by Thomas Fox

FDR Fireside ChatOn this date in 1933, just eight days after he was inaugurated, President Franklin Roosevelt (FDR) gave his first Fireside Chat to the American public. FDR began his chat by stating, “I want to talk for a few minutes with the people of the United States about banking.” He went on to explain his recent decision to close the nation’s banks in order to stop a surge in mass withdrawals by panicked investors worried about possible bank failures. FDR had correctly assessed that the public had lost confidence in the US banking industry and, based on that assessment, he closed them in his famous Bank Holiday. In 1929, over 600 banks folded, the number by 1932 had increased to over 5100. But more than simply these bank failures was the perception that the US banking system was on the verge of collapse. FDR also announced that he was reopening the banks the next day. The US banking system has been secure since that time.

I thought about FDR’s ability to correctly assess the risk to the US banking system. As compliance programs mature, one of the things that companies struggle with is how to better assess third party risks so that the right resources can be delivered to manage these risks. In the most recent issue of Compliance Insider an article, entitled “Building a Risk-Scoring Methodology for Distributors and Resellers”, lays  out a decision making calculus which can assist a company to best utilize its resources to not only quantify a large number of third party risks, but manage those risks more efficiently.

The article notes that there are two main resources that a compliance practitioner will need to rate the risks of third parties. The first is information about the entity. This category of information can come from a number of sources including the third party itself, in the form of a questionnaire through  to various levels of due diligence. The second  resource is the people who use the information to make decisions.  As there is only a finite amount that you, the compliance practitioner, can find out about your third parties use the resources available as there is a substantial need to make the best use of that information. All of this must be balanced between spreading the decision making across a large number of people whilst ensuring that the decisions made are consistent. To assist in answering these issues, the article suggests a methodology “to help focus your controls and resources more efficiently”. 

1.          What is your aim?

The initial step in any risk-scoring exercise is to clearly define what you are trying to achieve. The second part of clarifying the aim is to build an expectation and means of measurement so that you can assess the validity of your calculus. 

2.             Which information is relevant?

Most generally, the main criteria are the location of the partner or where they will deliver the product or services, the type of service or product that the partner is providing and the value of that service. This initial analysis can help you to create a high, medium and low risk model. But other factors should be weighed which can provide a more sophisticated approach. Some of these factors include the following:

  • Are they new or existing partners?
  • Are they touching end-users?
  • Are they selling to government customers?
  • Do you have contracts with them?
  • Do they obtain licenses for selling products in that country on your behalf?
  • Do you provide market development funds to them? 

3.             Where can I find the information?

This speaks to the heart of your due diligence process. Obviously a questionnaire forwarded to your potential third party is a starting point. However such information should be verified and cross-checked. Additional factors should be geographic risk, the value(s) of potential transactions and compensation to the third parties. Lastly is the traditional levels 2 and 3 due diligence.

4.             Consider the questions you will ask the third parties

Here the author believes that an additional analysis of both the criteria required and the possible resources to garner datum to support the criteria should be considered. These considerations include:

  • Which is the most cost-effective source for the information?
  • What is the most accurate way of obtaining information?
  • Do you need to ask the question at all?
  • How should the questions be worded to ensure the greatest efficiency in getting to the required answer?
  • How do you write the questions to ensure the scores are usable?
  • Which questions and responses should be scored? 

5.             Are the responses accurate?

Here is where ‘a second set of eyes’ is critical. The article suggests that “sanity checks to ensure that the answers respond to the question and that the responder seems to have understood the question – this is especially useful when the questions have been translated into other languages.” You should also endeavor to cross-check against other information known about the partner, with reviews by multiple persons in your organization. Finally, on the back you should build into your program audits and spot-checks to assess the accuracy and consistency of approvals.

6.             What does it all mean?

Now you have to start using the information. Recognizing that you may need to tinker with your system, it is important that you “design the overall process to allow changes to be made in the future, as you learn more about the results.”

7.             What happens next?

Now the time has arrived to score the results. After you determine who will make the decision and the path for review and escalation, if required, also you should consider the Tom Fox Mantra, Document, Document, and Document. In other words, how does the scoring and decision making process get documented in your organization?

8.             How will you carry out the review process?

At this point, it is appropriate to consider whether you have met or are moving in the direction that you attempted to establish back in Step 1. You should consider:

  • Does your program accurately reflect the risks that you understood the partners posed?Is the final result of your process consistent?
  • Were decisions on the risk level made by the right people in your organization?
  • Were the necessary issues escalated to the right people?
  • Have the risks changed?
  • Can the process be changed, or has it been built into an inflexible technology or workflow? 

Once the review is complete any necessary changes should be communicated to the staff involved in the process to ensure they know how their role is impacted. The author ends with some reservations that you should expect to run into. These include:

  • don’t expect to use scoring to fully automate a process – the information available is generally not complete enough to provide an accurate model, so scoring is far better when used as a guide;
  • don’t assume you will get it right first time (or second) – it is important to have a clear understanding of what you are aiming at, and to build regular review into the program to recalibrate the scoring;
  • keep the process and scoring as simple as possible – most of the relevant risk-related information can be found in a few key criteria; and
  • your perception of risk will change when new information comes to light, so remember to document the decision-making process so that you can justify the final risk outcome. 

While FDR may have more intuitively known the real problem with the US banking system it was the perception that it was not solvent, you do not have to rely solely on your gut when making informed decisions about the Foreign Corrupt Practices Act (FCPA) risks that a third party may present to your company. For the Department of Justice (DOJ), I think the key is that you assess the risk and document that assessment. If you do so and a third party gets you into FCPA hot water, you have the best chance of coming out on the other side as well as the US banks did after their ‘holiday’ with FDR.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.