Mini Summit VI - MANAGING THIRD PARTY RELATIONSHIP RISKS


1 Mini Summit VI - MANAGING THIRD PARTY RELATIONSHIP RISKS

2 Third-party risks

- FCPA prosecutions frequently cite use of local agents to pay bribes and conceal payments
- FCPA prohibits both direct and indirect bribes, including bribes paid through agents
- Legal standard is "known or should have known"
- FCPA books and records provision effectively prohibits commercial bribes, not just bribes to government officials

Common third parties:

- Contract sales representatives
- Contract manufacturers
- Contract research organizations
- Distributors
- Law firms
- Customs agents and freight forwarders
- Accounting firms
- Tax consultants/advisors
- Other professional services firms

3 Global Due Diligence Methodology

4 Third party due diligence

Components of an effective program:

- Consistency: Is the process consistent and transparent across third party types and markets?
  Example: Summarized ratings with detailed findings, consistency documented
- Demonstrates management's intent: Do management's actions provide for a robust third-party due diligence process?
  Example: Robust reporting for management decision making
- Independent: Are the decisions objective and performed separately from the requestor to avoid inherent conflicts of interest?
- Reasonable: Is management doing the best they can with the available resources?
  Example: Due diligence should include adequate checks of open source databases

5 Third Party Management Lifecycle

One model:

- Identification
- Procurement
- Termination
- Ongoing monitoring and auditing
- Onboarding and Maintenance

6 Identification

Identification/Population of Third Parties:

- Vendor Master
- Customer Master

Challenges:

- Definitional question: TPI v HCP v Other TP
- "Other" category: other intermediaries and other payment mechanisms
- Where to begin: New process, old company

7 Procurement

The supplier vetting activities

Procurement: Business justification, Vetting/screening, Contracting

Key Deliverables:

- Supplier Due Diligence Questionnaire
- Supplier Business Justification Form
- Supplier Ranking Decision Matrix
- Process for 3rd Party Background Checks

Filtering Criteria Example:

- 80,000 third parties (total supplier universe)
- 10,000 moderate risk
- 1,000 high risk
- 250 negative hits
- 150 denied

Steps:

- Develop supplier category and geographic filtering criteria*
- Develop detailed filtering criteria on supplier relationship and nature of contract
- Develop supplier vetting protocols to effectively document legal, regulatory & reputational risks
- Develop decision criteria for acceptance, denial or specific contract modifications, based on risk profile

Approve / Approve with restrictions / Denied

*Geographic filtering will include Transparency International's Global Corruption Perceptions Index, among other criteria.

8 Contracting and training

Stage: Onboarding and Maintenance

- The right to audit
- Sub-distributor approval requirement (and sub-contractor considerations)
- Annual compliance certification and communication of training requirements
- Abide by local laws and FCPA
- Termination clause

Challenges:

- How to train?
- Additional contract provision

9 On-going Monitoring

Stage: Ongoing monitoring and auditing

Typical activities:

- Perform re-training on a yearly basis
- Perform Due Diligence on a two or three year basis
- Reporting of all new elements during the time of the relationship that might require extra targeted due diligence:
  - New Shareholders
  - New services added to the original relationship (new products, promotional activities, other)
  - New Sub-contractors

10 On-going Monitoring

Stage: Ongoing monitoring and auditing

New trends:

- Data mining and trend analysis to identify inconsistencies, irregularities and potential red flags:
  - Reimbursement of expenses
  - Payment of commission
  - Sales (quantities, prices, discounts)
  - Credit notes (rebates, returns)
- For distributor margin analysis (sales in and sales out)
- Recalculate or challenge distributors' reported days of inventory

11 Auditing

Stage: Ongoing monitoring and auditing

Reactive approach:

- Allegation
- Irregularities resulting from internal controls (internal audit finding, compliance monitoring, etc.)

Proactive approach:

- Risk ranking (Activity, CPI, Volume, etc.)

Level of the review:

- Review all activities or just targeted activities
- Scope period under review
- Procedure performed (interview and/or testing)

12 Termination

Case discussions drivers:

- Contract refresh
- Monitoring
- Auditing
- Business decisions and alternative remediation