From the Foreign Corruption Practices Act (FCPA) enforcement actions in 2022, one clear theme emerges; that is, organizations must reprioritize their third-party risk management programs. Many companies are becoming complacent in this arena, not realizing the potential consequences of not properly assessing their third-party risk management practices.
I recently had the opportunity to visit with Alexander Cotoia of the Volkov Law Group to discuss the importance of reprioritizing third-party risk management and how organizations can assess the effectiveness of their current practices.
In this 5-part blog post series, sponsored by Diligent, we've considered the full range of third-party risk management. You can explore Episode 1 on third-party risk mitigation here, Episode 2 on due diligence here, Episode 3 on ongoing program management here and Episode 4 on reporting here.
In this final episode of the series, we review three 2022 FCPA enforcement actions to explore the importance of proper third-party risk management and how to avoid the potential consequences of not properly assessing these risks. Join us as we explore the details and implications of these enforcement actions and how organizations can reprioritize their compliance programs for the ever-changing dynamics of third-party risk management.
1. Understanding Third-Party Risk
Understanding that third-party risk, especially as it pertains to anti-bribery and anti-corruption, is a universal constant is an important step in the risk management process. As evidenced by three key enforcement actions, ABB Limited, Oracle and GOL Airlines, organizations must evaluate the risks posed by potential business partners and ensure that the information collected is adequate to objectively assess the totality of the risks.
Organizations should be aware that the DOJ requires companies to adopt a risk-based approach to third party risk management. To ensure that the organization is compliant with these regulations, they should review their existing practices and be prepared to supplement them if necessary. Additionally, organizations should be aware that they may be given credit for voluntary disclosure and cooperation efforts when faced with potential violations. This may be beneficial when determining penalties and is an important factor to consider when dealing with third party risk.
2. Reassess Your Third-Party Framework
Reassessing the framework by which third parties are evaluated and objectively evaluating the totality of risks posed by a potential business partner to the organization is a critical step in reprioritizing your third-party risk management strategy. This should be approached holistically, focusing on the information being collected and its adequacy in objectively evaluating risks.
Organizations should adopt a risk-based approach, as recommended by the DOJ, and not simply have a one size fits all approach. This approach should include due diligence, assessing the potential partner’s reputation and business practices, verifying their legitimacy and background, and understanding their country of origin and its laws. Additionally, organizations should consider the potential partner’s relationship with government officials and whether it could violate any anti-bribery or corruption laws. If any of these issues are identified, organizations should look into it further to ensure that their partner is compliant. By doing this, organizations can ensure that they are not engaging in any activities that could be deemed illegal or unethical.
3. Implement a Risk-Based Approach
Implementing a risk-based approach to third-party risk management is essential to any organization's compliance program. This involves assessing the external parties on which an organization relies operationally and identifying any risks associated with those external parties. This assessment should include evaluating their qualifications and experience to ensure they are able to meet the organization's expectations. Additionally, organizations should consider conducting background checks on potential external parties and assessing any potential conflicts of interest that may arise.
Once potential external parties have been identified, organizations should consider conducting due diligence to ensure that the external party has not been involved in any fraud, bribery, or other criminal activities. Organizations should also consider developing contracts and compliance policies for external parties and monitoring their activities to ensure compliance. Finally, organizations should consider developing a training program for their external parties to ensure they understand the organization's expectations and policies. By implementing a risk-based approach to third party risk management, organizations can reduce the risk of an FCPA violation and ensure their organization remains compliant.
Third-party risk management is one of the most critical components of any organization's compliance program. Organizations should take the initiative to reprioritize third-party risk management and assess the effectiveness of their current practices. Through the exploration of three enforcement actions and the introduction of the joint compliance note, this article has highlighted the importance of properly assessing third-party risk and how to best prepare for the ever-changing dynamics of third-party risk management. By implementing a risk-based approach to third party risk management, organizations can protect themselves from potential violations of the FCPA and ensure their organization remains compliant. With the right tools, processes and dedication, you can achieve the same results and protect your organization from costly fines and penalties.
To get an in-depth look at current FCPA enforcement actions and how your organization can stay compliant, download our comprehensive anti-bribery and anti-corruption enforcement white paper here.
Listen to Alexander Cotoia on the podcast series here.
Check out the Volkov Law Group here.Learn how Third-Party Risk Management from Diligent can help your organization assess third-party frameworks and implement a risk-based approach. Request a demo today.