Deciding where to begin a full compliance and ethics program can often appear quite daunting. Most US companies fully understand the need to comply with the Foreign Corrupt Practices Act (FCPA). However, most companies are not created out of new cloth but are ongoing enterprises with a business that is already up and running. They need to bring resources to bear to comply with the FCPA while continuing to do business. This can be particularly true in the area of performing due diligence on foreign business partners or vendors in the supply chain. Many companies understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory that defines the risk basis of each foreign business partner and thereby perform the due diligence required under the FCPA.
At the SCCE 2010 Annual Conference, Ken Kurtz, Chairman and CEO of the Steele Foundation, presented some ideas in a session entitled “Getting Unstuck, Tactics for Defining and Executing Systematic, Risk-Based Third Party Due Diligence for FCPA Compliance”. In this presentation he discussed some tools and tactics for ensuring third party due diligence compliance on foreign business partners such as agents, resellers, distributors, joint venture partners and any other such entities which might represent a US-based company internationally. He gave the audience some ‘nuts and bolts’ guidance on cost-effective, risk-based approaches to defining and vetting foreign business partners.
The initial step in any system is a clear, demonstrable commitment to perform due diligence on foreign business partners. Equally important, a company should take a systematic approach built on a specific methodology. The due diligence program should begin with a solid foundation. This would include defined objectives and scope, defined roles for each person in the process, and coherent definitions which an employee could rely on in making decisions. The process should also be scoped to include how to conduct the due diligence, what should be done if a Red Flag is discovered, when due diligence should be re-performed, and how such information should be retained.
After this foundation has been set, Kurtz suggested that a company should then perform a third party inventory to define its risk basis. A company should determine which of its business areas present the greatest exposures in the area of FCPA compliance risk. This can be based on one or more factors including geography, types of business units or business relationships. Kurtz listed two different types of approaches. The first he labeled “Programmatic”, which has the following characteristics: it assesses at the program and category level, incorporates a linear approach, emphasizes setting risk at an enterprise level, and is consistent and systematic. The second approach he labeled “Forensic”, and this approach focuses more deeply on the individual level. However, he noted this approach is potentially inconsistent and can also be more costly.
Using these steps, a company can then begin to identify, rate and aggregate its foreign business partners to create a manageable due diligence process. This process should be intentional, consistent and systematic to ensure full transparency through the use of a central tool. This can allow audit trail accountability to ensure full visibility. The mechanisms which Kurtz outlined are useful tools for the Compliance Professional or Corporate Legal Department employee to demonstrate to management how this task can be accomplished in an ongoing FCPA compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2010