The task of deciding where to begin a full compliance and ethics program can oftentimes appear quite daunting. Most US companies fully understand the need to comply with the Foreign Corrupt Practices Act (FCPA). However, most companies are not created out of new cloth but are ongoing enterprises with a fully up-and-running business in place. They need to bring resources to bear to comply with the FCPA while continuing to do business. This can be particularly true in the area of performing due diligence on foreign business partners or vendors in the supply chain. Many companies understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the due diligence required under the FCPA.
In a recent Compliance Week webcast entitled “Getting Unstuck, Tactics for Defining and Executing Systematic, Risk-Based Third Party Due Diligence for FCPA Compliance”, Diana Lutz, Managing Director and Chief Compliance Officer of the Steele Foundation, discussed mechanisms to assist an enterprise in setting parameters to perform due diligence on foreign business partners such as agents, resellers, distributors, joint venture partners and any other such entities which might represent a US-based company internationally. Her presentation laid out concrete steps to allow businesses to ‘get their arms and heads around’ what they need to do and how to go about doing it in this area.
The initial step was to conduct a risk inventory. This could be accomplished via a programmatic approach or via a forensic approach. The programmatic approach uses an overall roadmap to lead the assessment. It stresses a consistent and systematic linear approach which tends to identify and exclude low levels of risk. The forensic approach focuses on assessment at the individual third-party level. However, this approach not only can be more costly but also allows a processor to manipulate certain information, which could produce a false result.
Lutz suggested that a risk-based approach not only affords consistency but is also “predictable and cost effective.” Such an approach would give a company the visibility it needs to focus its due diligence resources. After an initial identification of the categories of third parties by such means as business segment, company or geographic region, there should be a weighting and assessment of the level of exposure. Thereafter one should define the risk thresholds and the due diligence which should be applied to each risk level. All of this information would then allow a full risk matrix to be created, and from such a matrix resources could be marshaled to perform an appropriate level of due diligence on foreign business partners.
Using these steps, a company can establish, in a rational and reasonable manner, which foreign business partners it needs and desires to perform due diligence on. The mechanisms which Lutz outlined in the Steele webinar are useful tools for the Compliance Professional or Corporate Legal Department employee to demonstrate to management how to accomplish this task in an ongoing FCPA compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2010