Poll shows room for improvement on training third parties

Even knowing that, however, many companies today still don’t train their third parties, leaving themselves vulnerable to bribery and corruption risk.

That was just one of many key findings to come from a recent anti-bribery/anti-corruption (ABAC) benchmark report conducted by Compliance Week, in partnership with Refinitiv (formerly the Financial and Risk business of Thomson Reuters). According to the findings, 38 percent of risk and compliance officers polled said they have never trained their third parties. This finding is particularly concerning given that more than half of respondents (52 percent) said they have third parties based in, or operating in, high-risk or sanctioned jurisdictions globally.

Equally pressing is that enforcement agencies in the United States and elsewhere around the world expect companies to train their third parties as part of a robust compliance program. The 2012 FCPA Resource Guide, for example, specifically states that “companies should undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.”

On a practical level, compliance departments must overcome a variety of obstacles that may explain, in part, why so many companies still don’t train their third parties, including lack of resources, time, and budget; potentially a lack of support from senior management; a desire to “move the needle forward” as it relates to business; and/or not recognizing the potential risk that a third party poses.

On a positive note, 62 percent of survey respondents said they do train their third parties on their anti-bribery and anti-corruption compliance program in some fashion. Among these respondents, the plurality (38 percent) said they train their third parties annually, while 15 percent said every two years, and nine percent said every three to five years.

Survey respondents further indicated that they train and educate their third parties on anti-bribery and corruption issues through a variety of means, including:

• Distributing or posting printed materials for employees to review (39 percent);
• In-person or on-site training (30 percent);
• Online or Web-based training (46 percent);
• Including certification in contract materials (34 percent);
• Making it part of an onboarding questionnaire (40 percent); and
• Including an anti-bribery statement in the Code of Conduct policy (64 percent).

Done right, the delivery methods used to train and educate third parties should be dictated by certain factors. For a domestic distributor that poses a low risk to the business, for example, online training and self-certification upon completion may be enough, whereas a third-party intermediary operating in a high-risk jurisdiction may require in-person training. “Everything should be predicated on the risk assessment,” says John Arvanitis, a managing director in the Compliance Risk and Diligence practice at Kroll.

Relying on the risk assessment

What third parties pose the highest risk in the supply chain? Where are they located? “The training should always be appropriate and should be based on the risk assessment that’s conducted and potentially the risk profile that the business faces in the jurisdictions or industry in which it operates,” Arvanitis adds.

Just as delivery methods of third-party training will vary, so should the subject-matter of that training. This means ensuring that the training is “specific and relevant,” Arvanitis says, “rather than providing a litany of information that may not be impactful or substantive for the third party.”

Sales distributors, for example, often need training on anti-bribery and anti-collusion risk, whereas technology vendors need training on data privacy and cyber-security risk. Cultural nuances are another factor: Certain gifts and entertainment that pose a common bribery risk in one country may not pose any risk in another country.

Evaluating or monitoring the effectiveness of third-party training is also important. When asked how they follow up on third-party training, respondents gave a variety of answers, including attestations (37 percent); in-person meetings (35 percent); questionnaires (32 percent); and auditing (29 percent).

One way to evaluate the effectiveness of third-party training is to include a scenario-based quiz at the end of the training course. Asking third parties how they would handle a certain situation will garner much deeper insight than merely asking them the definition of a bribe, for example. Another helpful metric may be to track the rate of inquiries made by third parties to the compliance department in the days and weeks following the training.

It’s also important to periodically reassess third-party risks so that the training stays aligned with changing risk profiles. Third parties that do not pose a high risk today may pose a high-risk tomorrow, as new products and services are added, executives rotate, or allegations of misconduct come to light.

Above all else, however, because compliance teams cannot effectively train third parties without knowing their third parties or the specific risks they pose, performing enhanced due diligence is the most important precursor to any training program, including background and integrity checks. Refinitiv, for example, provides compliance teams with enhanced due diligence reports that focus not only on the company, its owners, and its operating and litigation history, but also on key management and decision makers.

These Refinitiv reports specifically provide insight on the company and individuals’ “backgrounds, track records, competencies, potential conflicts of interest, and political and criminal links,” Refinitiv said. “Business conduct and reputation history are analyzed, and a thorough search is made for hidden liabilities. Additional intelligence can be gathered from industry observers.”

The most important thing when it comes to establishing a third-party training program is just to start. “Sit down and develop a plan for your training program,” Arvanitis says. From there, you can then ensure that it is risk-based, relevant, and impactful. Taking those steps will put the company in a much better position with enforcement authorities if problems arise than if they had not taken any steps at all.