An important aspect of the compliance practitioner’s duties is an evaluation of a proposed third-party relationship during the due diligence process. It is mandatory that all red flags be cleared, and there must also be evidence of the decision-making process to provide if a regulator comes knocking. The Justice Department’s “Evaluation of Corporate Compliance Program” discusses under Prong 10: “Real Actions and Consequences – Were red flags identified from the due diligence of the third parties involved in the misconduct, and how were they resolved?”
There is no set formula or guideline for clearing red flags or evaluating due diligence. At the 2014 SCCE Utility and Energy Conference, however, Flora Francis and Andrew Baird, compliance practitioners at GE Oil & Gas, described the process by which GE reviews the risks around each of the company’s third parties.
Some of the factors GE considers when evaluating a third party include the following:
Business model: Do we need third parties to reach our customers, or can we build the organization ourselves?
In-house capabilities: Do we already have the organization in place to handle these capabilities?
Overlap: Do we already have a third party in the region/country that can handle our needs?
Volume of business: How much business will this third party bring to the company?
Compliance risk: Where is the third party located? Will they interact with government officials? Do they have the same commitment to compliance?
Regulatory environment: Is it simple or strict? What are the chances of regulatory violations?
Reputation: What is the third party’s reputation in the market?
Using a framework will help you manage any risk a proposed third party presents to your organization. The key is to use a framework that identifies your organization’s risks and allows you to manage them effectively. Finally, as always: Document, document, document your evaluation going forward.