Think you've got supply chain headaches? Consider the challenges facing George Henein, compliance officer for the United Nations' procurement division. The UN deals with more than 60,000 vendors across the world and strives to give them all some level of scrutiny.

The UN's mission of fostering economic development among member states also often leads to purchases of goods and services from far-flung locales in developing nations with, to put it politely, less-than-stellar devotion to compliance.

Then there is the intense scrutiny of critics and watchdogs. The UN is a media magnet and a political target under constant watch, which makes taking a risk-based approach more difficult. “If we buy the wrong toilet paper, it will make Fox News within 30 seconds,” Henein says. “Reputational risk is on everybody's radar, and we are the most audited and over-audited division.”

Henein's core concerns are not unique. Even a small company can have a web of vendors and suppliers that spans the globe. So, how can a chief compliance officer, rooted to headquarters, detect bad behavior at distant suppliers and reduce the company's exposure to supply-chain risk? Data that companies may already possess, or may easily obtain, can be a starting point for anticipating problems, not just reacting to them, supply-chain experts say.

The 2014 Compliance Trends Report, a joint effort by Compliance Week and Deloitte, elaborates on third-party risk. According to the study, 85 percent of respondents said they are re-assessing their business links with joint-venture partners, suppliers, distributors, agents, and other third parties. Despite persistent concerns, however, the most common means of managing third-party risk is only to provide them with a copy of the code of conduct. More active forms of oversight are less common: Less than one-third of respondents said they perform extensive background checks on third parties, and another 17 percent said they hardly ever do.

Yet, third-party risks keep expanding. There is not only the persistent threat of bribery that can net an enforcement action under the Foreign Corrupt Practices Act, but companies also face a growing number of causes championed by legislators, activists, and consumers, including the use of “conflict minerals,” environmental and sustainability issues, and human trafficking, to name a few.

Corruption Risks

For the UN, corruption risk is no academic debate, especially in countries where bribery is prevalent and accounting standards are minimal or ignored. “How can we expect even the smallest vendors to not only have financial records or statements, but to translate them from their language to ours?” Henein asks. “It makes it so hard to even do financial due diligence, let alone something extra.”

In some countries, corruption is a fact of life. “We've had shipments stopped at the port for months at a time because the port officials are expecting a bribe. You are at a complete impasse,” Henein explains. “What do you do? Do you pay the bribe, be completely non-compliant, and face the obvious risk of prosecution—and that same country can also prosecute you for accepting the bribe. Or, do you stick to your guns and say, ‘No, we are going to do it by the book and by the rules,’ but then you don't get your product.”

It all takes on an added urgency when that shipment—often perishable food items—loses value each day it sits in limbo. “Where do you draw the line? Do you just do this one bribe under the table and let it go, or do you stick to the rules?” Henein asks.

The UN, he says, takes a zero-tolerance stance in such situations. It also conducts risk assessments prior to all new procurement deals, checking financial compliance with rules established by its General Assembly of member states. Every vendor is also asked to acknowledge the UN Global Compact—a “bill of rights” related to child labor, human trafficking, and other issues. Internal compliance reviews and specialized training are used to see, as best as possible, that vendors are following the rules.

“Most of our due diligence with vendors, unfortunately, is financial in nature,” Henein says. “We would actually like to get to the point where we are doing the full deep dive. We do compliance reviews, but in reality they are more reactive because we have to wait for the hotline call where somebody calls in and complains about a specific vendor.” 

Moving to a Proactive Approach

How should an organization identify such risks as conflict minerals, human trafficking, or environmental concerns and move from reactive to proactive? Risks vary by sector and need to be prioritized to best understand what training and enforcement should be ramped up, says Tom Golding, vice president of product and proposition for Thomson Reuters GRC. Due diligence can range from a rather simple scan of local media and social media mentions, looking for red flags, to conducting audits of those third parties. The real difficulty comes from the tangled web of suppliers and sub-suppliers.

“People may agree that they don't want to do business with companies involved with human trafficking,” Golding says. “But there are very real challenges. It is not just your first tier of supplier. It is their suppliers, and the suppliers behind that. You have this amplified effect of trying to manage data around a lot of entities.”

Data, Data Everywhere

Parsing available data should be a hunt for both known and inferred risks. The former can rely on the aforementioned news reports and online posts, and it can encompass whistleblower complaints. “There is more information nowadays, whether that is media or social media, that can be mined to effectively identify risks and isn't necessarily cost prohibitive,” Golding says. “If information is in the online domain, you want to know about it. You will be called to task if you haven't at least done those searches.”

PRIORITIZING RISK

The following guidance on third-party risk assessment comes from A Resource Guide to the U.S. Foreign Corrupt Practices Act, issued by the Securities and Exchange Commission and Department of Justice.

Devoting a disproportionate amount of time policing modest entertainment and gift-giving instead of focusing on large government bids, questionable payments to third-party consultants, or excessive discounts to resellers and distributors may indicate that a company's compliance program is ineffective. A $50 million contract with a government agency in a high-risk country warrants greater scrutiny than modest and routine gifts and entertainment.

Similarly, performing identical due diligence on all third party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third parties that pose the most significant risks. DoJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.

Conversely, a company that fails to prevent an FCPA violation on an economically significant, high-risk transaction because it failed to perform a level of due diligence commensurate with the size and risk of the transaction is likely to receive reduced credit based on the quality and effectiveness of its compliance program.

As a company's risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company's compliance program, DoJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.

Source: SEC.

Relatively straightforward media mining often reveals neglected problems, says Michael Grady, an associate with the law firm Willkie Farr & Gallagher and a former assistant U.S. attorney. “To the extent you find out about a problem in the Wall Street Journal, you usually could have identified that issue through a hotline tip or audit result that wasn't followed up on, or an employee bringing up a question during training.”

Inferred risk, predicting problem areas, will vary by sector and country. A venture in Malaysia may have a higher risk of human trafficking because the textile industry there is seasonal and needs to build a temporary workforce by any means necessary, Golding offers as an example. 

“Usually there is some hint of a problem before it blows up,” Grady says. “You want to consider a whole host of factors including the countries that you are doing business in and the particular risks in those countries. If everybody has a customs problem in Nigeria, that is easy to see coming around the bend. It is easy to predict if you are shipping containers from China into Nigeria that you are probably going to have a problem getting the documentation correct to get those through customs.”

Close attention needs to be paid to permits and licenses, as they are often a source of corruption, Grady cautions. He also recommends using media reviews to flag potential issues. “If your competitor is brought up on charges of criminal activity in a certain country, chances are that you have that same problem, especially if you are using the same vendor and supplier,” he says.

“If one of your vendors makes the news, you are probably going to make the news,” Henein warns. Research by the UN makes it clear that any company can find itself under scrutiny for an issue like human trafficking. Human trafficking is relevant to 50 percent of companies globally, with 8 percent of company employees indicating they have dealt with human trafficking on a daily basis. Only 60 percent of surveyed companies, however, have policies to address the risk.

Information, mined and inferred, should be used to focus resources on the 5 to 10 percent of vendors where resources are most warranted, rather than trying to tackle thousands of suppliers all at once, Golding says. He compares this process to the way an emergency room may triage patients.

Grady stresses the importance of viewing this data through the prism of FCPA guidance issued by the Department of Justice and the SEC. “We are supposed to be continuously re-evaluating, reassessing, and tailoring our compliance programs—not just to emerging risks, but to changes in business models and changes in our personnel,” he says.