Managing Third-Party Risk: Effective Anti-Corruption Programs and Due Diligence Done Right

Michael Vermillion

6/28/2012



Our Expert: Jacki Trevino

Prior to joining NewCo, Jacki spent over seven years as the Assistant Director, Global Ethics & Compliance at Dresser, Inc., a worldwide leader in the design, manufacture, and marketing of highly engineered equipment and services. Jacki was integral to the creation of Dresser's ethics and compliance program, including the design and implementation of a new Code of Conduct and an ethics and compliance training program. She also developed and implemented global ethics and compliance policies and procedures, established a program to manage third parties, and managed internal investigations of reported business misconduct.

Jacki was one of the first in the industry to obtain the Certified Compliance and Ethics Professional (CCEP) certification. She has long been an active leader in the ethics and compliance community and an active member of the Ethics and Compliance Officer Association (ECOA), the Society for Corporate Compliance and Ethics (SCCE), the Practicing Law Institute (PLI), and The Conference Board. Additionally, Jacki is a frequent speaker at ethics and compliance industry events and webinars. Her areas of expertise within global ethics and compliance include program design, development, implementation, and management.

What We'll Cover

Risks Associated with Working with Third Parties
Current Regulatory Landscape
Elements of an Effective Anti-Corruption Program
Due Diligence Overview
Best Practice Solutions

Third-Party Risk

There have been more FCPA investigations in the last five years than in the previous 25.

The UK Bribery Act

Don't forget local laws

Compliance is about what we must do. Ethics is about what we should do.

Risks Associated with Third Parties

"It takes 20 years to build a reputation and five minutes to destroy it."
—W. Buffett

"If you lose dollars for the firm, I will be understanding. If you lose reputation, I will be ruthless."
—W. Buffett

"Our assets are our people, capital, and reputation. If any of these are ever diminished, the last is the most difficult to restore."
—Goldman Sachs Business Principles

A High Level of Complexity

[Figure: the web of third parties surrounding your corporation: suppliers, agents, consultants, contractors, vendors, distributors, joint ventures, partnerships, international joint ventures, auditors, lobbyists, dealers/resellers, foreign distributors, data vendors, offshore service providers, domestic agencies, international intermediaries, subcontractors, temporary employees, suppliers in emerging markets, and suppliers' suppliers. Source: Compliance and Ethics Leadership Council]

Corporations need to manage divergent legal relationships across a multitude of partners, and struggle to gain visibility into often-hidden risks.

Reputational Risks

[Figure. Source: Compliance and Ethics Leadership Council]

POP QUIZ

True or False? In June 2009, Continental Airlines stranded passengers on a small plane overnight for six hours outside Minneapolis when they could have allowed the passengers to get off the plane and wait in the terminal.

True or False? In 2007, Mattel made products for children that contained unhealthy levels of lead.

True or False? In 1993, Nike employed child labor in Southeast Asia.

Third-Party Risk: Regulatory and Legal Perspectives

Governments worldwide are expanding their focus on regulating third-party relationships.

o The U.S. Federal Sentencing Guidelines apply to a company's "business partners."

o The Organisation for Economic Co-operation and Development (OECD) also recently created Good Practice Guidance for anti-bribery programs, clearly based on the U.S. Federal Sentencing Guidelines.

o The UK Bribery Act introduces a strict liability offence for commercial organizations of failing to prevent a bribe paid by any person associated with their business, even if they did not know about or authorize the bribe.

U.S. Federal Sentencing Guidelines (USFSG): "As appropriate, a large organization should encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs."

UK Bribery Act: Individuals risk up to ten years in prison with unlimited fines. Organizations risk unlimited fines, debarment from EU contracts, and the confiscation of the value of corruptly obtained contracts.

Anti-Corruption Investigators Will Focus On:

Are you acting in good faith?
Do you have a healthy, robust compliance program?
What is the likelihood of the offense recurring?
Did your compliance program uncover this issue?
o Was there an appropriate response?
o Was the issue widespread?
o Was there prompt remedial action?
o Was there a prompt and forthcoming voluntary disclosure?
How did you respond?
If this issue identified weaknesses in your compliance program, have they been corrected?
Is your compliance program a paper or "check the box" program only?

Global Anti-Corruption Case Studies

Elements of an Effective Anti-Corruption Compliance Program

Risk Assessment
Commitment
Policies, Procedures, Internal Controls
Communication and Training
Compliance Infrastructure
Disciplinary Guidelines
Third-Party Accountability
Monitoring and Auditing
Review and Testing

Elements of an Effective Anti-Corruption Compliance Program: Risk Assessment

Geographical and country risk
Interaction with governmental officials
Industry sectors of operation
Extent of third-party usage
Importance of licenses and permits
Degree of governmental oversight and inspection
Volume and importance of goods and people clearing customs and immigration

Elements of an Effective Anti-Corruption Compliance Program: Commitment

Strong, explicit, and visible support

Appropriate measures to encourage and support a robust and effective ethics and compliance program
o Adequate funding
o Adequate resources
o Adequate support

Elements of an Effective Anti-Corruption Compliance Program: Compliance Infrastructure

Dedicated compliance infrastructure that includes designated responsibility to one or more senior corporate executives for:
o Implementation and oversight of policies, standards, and procedures

The Compliance Officer must have direct reporting obligations to an independent body such as:
o Internal Audit
o Board of Directors
o Board of Directors Committee

Must have an adequate level of autonomy from management, sufficient resources, and authority

Elements of an Effective Anti-Corruption Compliance Program: Policies, Procedures, Internal Controls

Policies and procedures must be explicit, clearly articulated, and visible
o Cover the FCPA and other global anti-corruption laws
o Must include directives that "reduce the prospect of violations of anticorruption laws and the company's own compliance code."
o Cover policies toward "gifts, hospitality, entertainment, and expenses; customer travel; political contributions; charitable donations and sponsorships; facilitation payments; and solicitation and extortion."
o Applicable to all officers, directors, employees, and third parties acting on behalf of the organization

Internal controls to avoid and address potential violations of the books, records, and accounting provisions
o "Reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts, and ensure they cannot be used for the purpose of bribery or concealing such bribery."

Elements of an Effective Anti-Corruption Compliance Program: Disciplinary Guidelines

Must carry serious consequences for violations of anti-corruption laws, the compliance code, policies, and procedures by
o Directors
o Officers
o Employees
o Third parties

Reasonable steps to remedy harm and prevent further misconduct

Elements of an Effective Anti-Corruption Compliance Program: Communication and Training

Effective communication and periodic training on policies and procedures to
o Directors, officers, employees, and third parties
o So that they know and understand them

Annual certification of compliance and of completion of training requirements

Elements of an Effective Anti-Corruption Compliance Program: Monitoring and Auditing

Ongoing, to ensure effectiveness
Directed to the company's key risk areas
Measured for effectiveness
Regular audits of books and records (including third parties)

Elements of an Effective Anti-Corruption Compliance Program: Review and Testing

Designed to evaluate and improve effectiveness

At least once a year, assess relevant developments in international and industry standards

Update and adapt policies, procedures, internal controls, and the compliance program to ensure continued effectiveness

Elements of an Effective Anti-Corruption Compliance Program: Third-Party Accountability

"Institute appropriate due diligence and compliance requirements pertaining to the retention and oversight" of third parties.

Inform third parties of the company's commitment to abiding by laws and ethics and compliance standards.

Obtain a "reciprocal commitment" reflecting understanding and acceptance.

Ensure that agreements and contracts (including renewals) carry proper anti-corruption language and give the company the right to:
o Audit
o Terminate

What Makes a Good Corruption Risk Assessment?

Fits within the company's culture
Sponsored and supported by the right people—You!
Encourages open participation and transparency
Embraced throughout the company as an important and valuable process
Used to monitor or influence factors that put the company at risk
Serves as the foundation for the company's code of conduct, anti-corruption controls, and overall prevention program

An ineffective risk assessment will result in deficiencies in the company's other initiatives.

Anti-Corruption Prevention Controls

Zero Tolerance—no tolerance for corruption or other wrongdoing
Audit—actively and aggressively look for corruption
Education—people need to know what corruption is and what warning signs to recognize
Pressure—be a resource for those who may be facing pressure or problems
Code of Conduct—needs strong communication from company leaders
Anti-Corruption Policy—separate, unambiguous, communicated

What Is Due Diligence?

"A rigorous and robust process of investigation over and above Know Your Customer (KYC) procedures that seeks with reasonable assurance to verify and validate the customer's identity; understand and test the customer's profile, business, and account activity; identify relevant adverse information and risk; assess the potential for money laundering and/or terrorist financing to support actionable decisions to mitigate against financial, regulatory, and reputational risk; and ensure regulatory compliance."
—Peter Warrack, in the July 2006 edition of ACAMS Today

"Due diligence" is a term used for a number of concepts involving either an investigation of a business or person prior to signing a contract, or an act with a certain standard of care. It can be a legal obligation, but the term will more commonly apply to voluntary investigations. A common example of due diligence in various industries is the process through which a potential acquirer evaluates a target company or its assets for acquisition.
Source: Wikipedia

What Is Due Diligence?

Effective due diligence: the process of evaluating each third-party relationship, mitigating its risk, and auditing the relationship. It is performed for as long as the relationship exists and should evolve with it. It should be performed on all relationships regardless of location, and is often part of a wider Integrity Management initiative.

Traditional due diligence: the necessary step of evaluating the risk involved in doing business with a third party prior to establishing a relationship; it assesses risk only at that point in time.

Source: Wikipedia

Effective Due Diligence: Best Practice Due Diligence

Building a comprehensive due diligence program can be overwhelming. Many individuals responsible for this task often ask: Where do I begin? Our internal experts have identified the following components of a robust program:

o Embed language in contractual terms and conditions specific to legal, regulatory, financial, and reputational compliance.
o Develop and disseminate a Third-Party Code of Conduct, or your organization's own employee Code of Conduct, to all third parties, mandating compliance.
o Conduct, at a minimum, global database checks (GDC) on all third parties and more detailed enhanced due diligence (EDD) on those with a higher risk exposure.
o Require that third parties certify compliance with all laws and regulations that govern their business, and also that they will uphold your organization's standards and commitment to integrity.
o Educate and train your third parties on relevant laws and regulations.
o Provide an anonymous avenue for third parties to report potential violations of laws and regulations.

POLLING QUESTION

In your organization, who owns third-party due diligence?

1. Ethics and Compliance
2. Legal
3. Supply Chain or Procurement
4. Internal Audit
5. Other

Effective Due Diligence

1. Pre-Screen: Understand and assess the inherent operational and jurisdictional risk to your organization prior to performing due diligence.

2. Risk Assessment: A best-in-class screening process that provides a comprehensive view into complete enterprise risk: financial, regulatory, reputational, and governance.

3. Risk Mitigation and Action Steps: Dictates the mitigation activities that must be taken by both the third party and you.

4. Ongoing Monitoring: A periodic re-screening process that identifies changes in enterprise risk, ensures information is kept current, and confirms continued compliance with client policies.

[Figure: the four steps as a repeating cycle: Pre-Screen, Assess, Mitigate, Monitor]

Global Database and Adverse Media Checks

Global Media:

Media incorporated into the data screening process is derived from ~10,000 individual sources of public-source newspapers, magazines, television and radio transcripts, trade specialty publications, geographic special interest publications, academic journals, and gray literature.

Sources are global, and include small, low-circulation local newspapers from the United States and abroad, as well as widely known newspapers and magazines.

The database process incorporates human-translated foreign-language material from domestic and overseas U.S. government bureaus staffed with individuals who monitor timely and pertinent open-source materials.

Media sources cover every region of the world: the Americas, Asia, Africa, Eurasia, Europe, the Middle East, Near East, South Asia, and Oceania.

Government Lists and Regulatory Authority Actions:

The database contains hundreds of regulatory and disciplinary authority and government lists from around the world, continuously updated. The dataset includes fugitive lists, exclusion lists, global sanctions lists, fraud warnings, debarment lists, disciplinary actions, enforcement actions, and more. The sources that feed our Monitored Lists span a broad spectrum of local, state, and federal lists of risk-relevant individuals and organizations, including federal lists of entities that are legally sanctioned, have been the subject of more minor disciplinary actions for violations of regulatory rules, or are on "most wanted," fugitive, or offender lists worldwide.

Basic Risk Assessment

Lists screened include:
o FATF (Financial Action Task Force)
o Bank of England Consolidated List
o HM Treasury Investment Ban List
o HM Treasury Sanctions
o Hong Kong Monetary Authority
o HUD LDP
o Interpol Most Wanted
o Exclusions
o OSFI Consolidated List
o OSFI Country
o Offshore Financial Centers
o People's Bank of China (PBC)
o Primary Money Laundering Concern
o Primary Money Laundering Concern Jurisdictions
o Reserve Bank of Australia
o Terrorist Exclusion List
o UK FSA
o UN Consolidated List
o Unauthorized Banks
o World Bank Ineligible Firms
o Ireland Financial Regulator Unauthorized Firms
o Japan FSA
o Japan METI-WMD Proliferators
o Japan MOF Sanctions
o Monetary Authority of Singapore
o Nonproliferation Sanctions
o OFAC Non-SDN Entities
o OFAC Sanctions
o OFAC SDN
o OIG
o Australia Dept. of Foreign Affairs and Trade
o Bureau of Industry and Security
o Chiefs of State and Foreign Cabinet Members
o Commodity Futures Trading Commission Sanctions
o DTC Debarred Parties
o EU Consolidated List
o EPLS
o FBI Hijack Suspects
o FBI Most Wanted
o FBI Most Wanted Terrorists
o FBI Seeking Information
o FBI Top Ten Most Wanted

We also use a confidential set of 350 other global watch lists in our screening process.
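The pre-screen / assess / mitigate / monitor cycle above and the global database check it rests on are, mechanically, a name-matching problem: a third party's legal name rarely appears on a watchlist in exactly the form it takes in your vendor master, so a screening engine has to normalize both sides (case, punctuation, corporate suffixes, token order) and tolerate transliteration variants, and the ongoing-monitoring step is a diff between two screening runs. The following is an added example, not code from the presentation or from any screening vendor; the watchlists, vendor names, the SAN/DEB alert codes and the 0.85 threshold are constructed for illustration, and Python's difflib stands in for a commercial matching engine.

```python
"""Third-party watchlist screening: normalize names, fuzzy-match them
against sanctions/debarment lists, and diff two runs for ongoing monitoring.
Added example with constructed data; nothing here is a real watchlist."""
from __future__ import annotations

import difflib
import re
from dataclasses import dataclass

# Corporate suffixes carry no identifying signal and cause missed hits when
# one side says "Ltd" and the other "Limited"; drop them before comparing.
_SUFFIXES = {"inc", "incorporated", "ltd", "limited", "llc", "plc", "co",
             "company", "corp", "corporation", "gmbh", "sa", "pte", "pty", "bv", "ag"}


def normalize(name: str) -> str:
    """Lower-case, strip punctuation and corporate suffixes, and sort tokens so
    that 'Blue Harbor Logistics Ltd' and 'LOGISTICS BLUE HARBOR, Limited' agree."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in _SUFFIXES))


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the normalized forms; tolerates transliteration
    differences such as Zaitsev/Zaytsev, which an exact match would miss."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


@dataclass(frozen=True)
class Hit:
    subject: str      # name from the vendor master
    list_name: str    # which watchlist matched
    listed_name: str  # the entry as it appears on that list
    code: str         # alert code: SAN sanctions, DEB debarment (constructed codes)
    score: float


def screen(subjects, watchlists, threshold=0.85):
    """Step 2 (assess): return every (subject, list entry) pair scoring at or
    above the threshold. Lower the threshold for subjects the pre-screen rated
    high-risk; you accept more false positives there on purpose."""
    hits = []
    for subject in subjects:
        for list_name, entries in watchlists.items():
            for listed_name, code in entries:
                score = similarity(subject, listed_name)
                if score >= threshold:
                    hits.append(Hit(subject, list_name, listed_name, code, round(score, 3)))
    return hits


def _key(h: Hit):
    return (h.subject, h.list_name, h.listed_name)


def rescreen_delta(previous, current):
    """Step 4 (monitor): re-screen against refreshed lists and report which
    hits are new since the last run and which have cleared, so reviewers look
    only at changes instead of re-adjudicating every known false positive."""
    prev, cur = {_key(h) for h in previous}, {_key(h) for h in current}
    new = [h for h in current if _key(h) not in prev]
    cleared = [h for h in previous if _key(h) not in cur]
    return new, cleared


# Constructed sample data (not real lists, companies or people).
VENDORS = [
    "ACME ENGINEERING, INC",   # same entity as a list entry, different casing/punctuation
    "Northwind Trading Ltd",   # Ltd vs Limited
    "Pavel Zaitsev",           # transliteration variant, surname-first on the list
    "Blue Harbor Logistics",   # clean
    "Contoso Consulting",      # clean
]
PREVIOUS_WATCHLISTS = {
    "Sanctions (constructed)": [("Zaytsev, Pavel", "SAN")],
    "Debarment (constructed)": [("Acme Engineering Inc.", "DEB")],
}
# Today's refresh added a new sanctions designation.
CURRENT_WATCHLISTS = {
    "Sanctions (constructed)": [("Zaytsev, Pavel", "SAN"), ("Northwind Trading Limited", "SAN")],
    "Debarment (constructed)": [("Acme Engineering Inc.", "DEB")],
}


def run_example():
    """Initial screen, then a re-screen against the refreshed lists."""
    previous = screen(VENDORS, PREVIOUS_WATCHLISTS)
    current = screen(VENDORS, CURRENT_WATCHLISTS)
    new, cleared = rescreen_delta(previous, current)
    return current, new, cleared


if __name__ == "__main__":
    current, new, cleared = run_example()
    for h in current:
        print(f"{h.code} {h.subject!r} ~ {h.listed_name!r} on {h.list_name} ({h.score})")
    print("new since last run:", [h.subject for h in new])
    print("cleared:", [h.subject for h in cleared])
```

Two design points matter in practice. First, every hit, including false positives, needs a recorded adjudication decision; rescreen_delta only suppresses re-review of hits that were already present, so the audit trail of who cleared what and why lives outside this code. Second, the threshold is a policy choice, not a constant: too high and "Zaytsev" never matches "Zaitsev", too low and every "Consulting" entity lights up, so tie it to the jurisdiction and government-interaction factors from the pre-screen.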

Enhanced Risk Assessment (GDC Plus)

Financial Review
o Including payment performance and financial stability

Physical Records Check
o Capture physical public records in country for each business entity

On-Site Business Verification
o Photos taken, both external and internal
o Validate key business executives
o Reference checks

Litigation and Criminal Document Review
o Entity, officers, and directors

Policy and Procedure Review (including Code of Conduct)
o Adequate procedures to prevent wrongdoing going forward

Case Study: CFO Barred by SEC

Our client requested that we screen a new potential partner. We found that the company's chief financial officer had been barred by the SEC due to securities law violations.

Case Study: Murder and Manslaughter

In screening existing vendors for our client in the energy industry, we found several alerts that required further investigation, including:

Code MUR (Murder, Manslaughter): The company's CEO, Domenic Gatto, was charged with murder and has past convictions for burglary, assaulting police, racketeering, possessing firearms, and obtaining financial advantage by deception.

Code MUR (Murder, Manslaughter): Keppel Shipyard pleaded guilty to a charge arising from a fire on board the oil tanker Almudaina at its Benoi yard in May 2004 that killed seven workers.

Code MUR (Murder, Manslaughter): Jacobs Engineering Inc. of Pasadena, California, was accused by the state of Minnesota over the deadly Interstate 35W bridge collapse that killed 13 people and injured 145.

Code MUR (Murder, Manslaughter): WorleyParsons Se faces a charge for the death of two workers during a cyclone.

Effective Third-Party Compliance Programs Are Necessary

What to do?

Conduct due diligence before you enter into a professional relationship.
Create a phased project plan to identify, prioritize, and address the greatest risks first.
Customize due diligence based on the risk assessment.
Build a program using a platform or partner that enables initial transparency, long-term scalability, and tracking of mitigation steps.
Audit and monitor.
Think and implement globally; regulators are converging.

Questions…

"Association of Certified Fraud Examiners," "Certified Fraud Examiner," "CFE," "ACFE," and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.