Third parties continue to be the highest risk under the FCPA. The Man From FCPA suggests that the risk management process around third parties be separated into five steps in the lifecycle of third-party management.
Business Justification and Business Sponsor;
Questionnaire to Third Party;
Due Diligence on Third Party;
Compliance Terms and Conditions; and
Management After Contract Signing.
Step 1 - Business Justification
The purpose of the Business Justification is to document that the business case for retaining a third party is satisfactory. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third party relationship is renewed.
Step 2 - Questionnaire
The term ‘questionnaire’ is mentioned several times in the FCPA Guidance. It is generally recognized as one of the tools a company should use in its investigation to better understand with whom it is doing business. This requirement is not only a key step but also a mandatory step for any third party that wants to do work with your company.
Step 3 - Due Diligence
Most compliance practitioners understand the need for a robust due diligence program to investigate third parties. You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, they must be cleared, or you must demonstrate how you will manage the risks identified.
Step 4 - The Contract
In compliance terms and conditions, there are a few basic minimum clauses required. These include right to audit, certifications and training clauses, with the right to termination for an FCPA violation. The 2012 FCPA Guidance intones, “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.”
Step 5 - Management of the Relationship
It is in this step that the real work begins, for if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or U.K. Bribery Act violation.
Third party risks can be adequately managed, but it takes continued commitment to do so. The true test is execution of your third party risk management program.