The U.S. Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 10, “Third Party Management,” asks, “What was the business justification for the use of the third party in question?” This question is one of the most basic tools to operationalize a compliance program and should form the basis of companies’ third-party risk management processes.
It is common sense that companies should have a business justification to hire or use a third party and—if that third party is in the sales chain of the international business—it is important to understand why companies need to have that specific third party representing them. This concept is enshrined in the 2012 FCPA Guidance, which says “companies should have an understanding of the business justification for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.”
The Internal Revenue Service also considers a business justification to be an important part of any best practices anti-corruption compliance regime. The lack of business justification is essentially a red flag; indeed, the IRS views such a lack of business justification as possible indicia of corruption. With the Department of Justice, Securities and Exchange Commission, and IRS all noting the importance of a business justification, it is clear this is something companies should use to operationalize their compliance programs.
The business justification also provides companies with the opportunity to help drive compliance into the fabric of everyday operations. The purpose of the business justification is to document the satisfactoriness of the business case to retain a third party and should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed.
It is important companies review their third-party processes regularly to ensure they are satisfying regulator requirements.