More Making Third-Party Anti-Corruption Training a Must

Companies are becoming more insistent that third parties they do business with provide their employees with anti-corruption training, and they want more say in exactly how that training is conducted.

The move is part of a shift where companies are increasingly turning the guidelines they have traditionally provided to third parties on anti-corruption and anti-bribery compliance into guardrails that are a condition of doing business. 

Microsoft, for example, announced late last year that as of January 2014 all of its business partners worldwide must certify that they're in compliance with Microsoft's Anti-Corruption Policy for Representatives and must further provide anti-corruption training to all their employees who resell, distribute, or market Microsoft products or services.

Companies such as BT Group, Cisco, and IBM have also made compliance training a requirement for third parties, such as resellers and joint-venture partners, if they want to do business with the companies. “I expect to see it more and more as a best practice,” says Randy Stephens, vice president of Advisory Services at Navex Global.

Traditionally, anti-corruption and anti-bribery training of third parties has been a weakness for many compliance departments. According to an anti-bribery and corruption benchmarking report conducted by Compliance Week and Kroll Advisory Solutions, for example, 47 percent of 260 ethics, compliance, and audit executives polled said they conducted no anti-corruption training with their third parties at all.

The move to demand anti-corruption training for third parties comes as many companies that face investigations or charges of violating the Foreign Corrupt Practices Act are finding the trouble comes not from actions of their own employees, but from actions of those at a third party they are affiliated with.

The Department of Justice and the Securities and Exchange Commission, for example, are investigating Microsoft for potential violations of the FCPA, the Wall Street Journal reported. The agencies are reportedly investigating allegations as to whether Microsoft partners paid bribes to government officials in several countries, including China, Russia, Pakistan, Romania, and Italy, in exchange for contracts.

In response to the allegations, Microsoft's Vice President and Deputy General Counsel John Frank, says, "We take all allegations brought to our attention seriously, and we cooperate fully in any government inquiries. Like other large companies with operations around the world, we sometimes receive allegations about potential misconduct by employees or business partners, and we investigate them fully, regardless of the source."

"In a company of our size, allegations of this nature will be made from time to time," says Frank. "It is also possible there will sometimes be individual employees or business partners who violate our policies and break the law. In a community of 98,000 people and 640,000 partners, it isn't possible to say there will never be wrongdoing."

"Our responsibility is to take steps to train our employees, and to build systems to prevent and detect violations, and when we receive allegations, to investigate them fully and take appropriate action," Frank adds. "We take that responsibility seriously."

According to a Microsoft spokesman, “anti-corruption training is fairly common among most, if not all, IT vendors with their partner communities.” If partners have not provided training on anti-corruption laws, however, they either must agree to do so, or must participate in training that Microsoft will make available to them, the company stated. Microsoft's Partner Network Disclosure Guide did not specify what specific course material will be provided to partners, or what the potential costs might be.

BT's Training Requirement

Aside from Microsoft, other companies across industries and across geographies are also now requiring their third parties to undergo anti-corruption training, including London-based telecommunications giant BT Group.

Similar to Microsoft, BT Group also provides training to its third parties on the company's anti-bribery and anti-corruption policies and practices if they do not currently have training in place. “In some cases, the third parties themselves would have good evidence of the training they have in place for anti-corruption and bribery,” says Bruno Jackson, director of compliance operations at BT Group.

Cisco also has a firm requirement that third parties ensure employees get anti-corruption training that meets with the networking equipment maker's standards.  Cisco “requires our channel partners, distributors, and sales-supporting consultants to complete anti-corruption training.” Cisco provides the training, which is available in multiple languages, as an online course.

Then there are other companies that promote third-party anti-corruption training as a strong recommendation rather than a full-on requirement. Oracle, for example, states on its Website that, prior to executing a distribution agreement, the company “strongly encourages” its partners to confirm their understanding of Oracle's business ethics practices by taking its anti-corruption training and passing a short skill assessment.

“The most challenging part is the preliminary stage of making the business partners aware that they have to fulfill their anti-corruption obligations.”

—Deborah Luchetta,

Compliance Officer,

Mercedes Benz Argentina

Siemens “invites” its third parties to take part in the company's training sessions, which are conducted by compliance officers. “We are mainly focused on anti-corruption, anti-trust, data protection, facilitation payments—all kinds of conduct that can strongly effect us in terms of reputation and financial risks, and in terms of values,” says Claudia Maskin, regional compliance officer for German engineering giant Siemens, Argentina.

Many compliance executives say just getting third parties to voluntarily commit to a company's principles of ethics and compliance can be a challenge, never mind making it a requirement. “The most challenging part is the preliminary stage of making the business partners aware that they have to fulfill their anti-corruption obligations,” says Deborah Luchetta, compliance officer and head of legal for Mercedes Benz Argentina, a subsidiary of Daimler.

Maskin agrees that the first step is getting third-party affiliates to understand the risks. “Sometimes when a global company does business in a high-risk region—such as Argentina—local business partners aren't always aware of the broader reputational and financials risks posed to a company that is found in violation of anti-corruption laws,” she says.

Getting Due Diligence Started

Third-party liability is “only going to bedevil compliance officers even more in the coming years,” says Stephens. As a result, companies that are not yet requiring their third parties to take anti-corruption training cannot afford to do nothing at all. “Do something,” he advises.

TRAINING AND CONTINUING ADVICE

Below is an excerpt from the FCPA Resource Guide in which the Department of Justice and the Securities and Exchange Commission discuss the importance of anti-corruption training:

Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, the Department of Justice and the Securities and Exchange Commission will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents, and business partners.

For example, many larger companies have implemented a mix of web-based and in-person training conducted at varying intervals. Such training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies.

Regardless of how a company chooses to conduct its training, however, the information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language. For example, companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the situations they might encounter.

In addition to the existence and scope of a company's training program, a company should develop appropriate measures, depending on the size and sophistication of the particular company, to provide guidance and advice on complying with the company's ethics and compliance program, including when such advice is needed urgently. Such measures will help ensure that the compliance program is understood and followed appropriately at all levels of the company.

Source: The FCPA Guidance.

Many compliance executives agree that third-party risk mitigation done right starts with the initial screening process. For example, Siemens has embedded into its business processes a “business partner compliance tool,” an automated process that ranks business relationships by risk category. “We perform a very deep analysis,” says Maskin.

The type of information Siemens analyzes includes former incidents of litigation, relationships with foreign government officials, whether the potential business partner has been charged with corruption in the past, and other red flags. Integrated into the compliance tool is a standard set of due-diligence questions, based on whether the business relationship is categorized as low, medium, or high risk.

BT similarly employs a thorough inspection process before bringing any business partner on board, says Jackson. One way BT achieves that is by subscribing to various third-party databases that automatically scan potential business partners against government watch lists and alerts BT whenever it comes across an entity that has been associated with corrupt activity in the past, he says.

The depth of the due diligence questions posed to a third party “depend on the risk profile of each business partner,” says Jackson. Those categorized as high risk—such as the 350 agents BT engages with—go through an “enhanced due diligence” process, which involves a “deep dive to find out everything we can about those particular individuals,” he says. “At times, we won't get into relationships if we're not comfortable about the risks or exposure.”

Many companies still regard third-party risk mitigation as an “all-or-nothing approach,” says Stephens. “They think they have to do the same level of due diligence around every single third party. That's not the case.”

Hurdles to Adoption

Before companies can begin to adopt mandatory anti-corruption training of their third parties on a widespread scale, Stephens says some wrinkles still need to be ironed out. Prior to making such training mandatory, companies should consider the following questions:

Who will be conducting the training?

How would training be tailored to local jurisdictions, where anti-corruption laws and regulations may differ?

Who will pay to provide the training?

How will employees in geographically remote areas of the world be trained, where they may not have access to online learning management tools?

What will happen to employees who don't complete the training? How will the company ensure that they are being consistent in treatment and follow-up?

At a minimum, third-party risk mitigation needs to be continuously improved. “It's something that should be regularly reviewed,” says Stephens. “You don't want an incident of bribery or corruption to be the trigger point for the review of your third-party due diligence process.”