Business Partners: Pragmatic Steps to Managing Your Clients Compliance and Litigation Risk

Transcription

1 Business Partners: Pragmatic Steps to Managing Your Clients Compliance and Litigation Risk By: Ryan Murphy and Sara Putnam 1 A global company, facing a joint DOJ/SEC probe involving strategies and business operations in seven emerging markets and in the midst of conducting its own internal investigation has engaged you to provide counsel on remediation considerations. Aware that your client s expansive third-party footprint creates both regulatory scrutiny and litigation exposure, you advise the company to embark on a top-to-bottom review of its global compliance program. The internal review uncovers a staggering fact: over 800 business partners, arrayed across the world, are involved in the execution of the company s strategy and operations. Any one of these third-party business partners could expose your client to significant regulatory, litigation, financial, and reputational risk. Your client, including its board of directors, tasks you to provide counsel on some crucial questions: How do we assess and monitor these hundreds of business partners that we believe are key to ongoing strategy? How and where should we exercise our compliance audit rights? Which of these third parties carry such risks as to warrant a deeper corporate intelligence effort? The one-two punch For the foreseeable future, global compliance risks including corruption, import/export violations, money laundering, counterfeiting and cybercrime will continue to be driven by two factors. First, the growing economic power of emerging markets is creating significant globalizing competitive pressures. These pressures are felt on both the front end of R&D, supply chain, manufacturing and logistics; and the back end of marketing, distribution and sales and many will involve agents, vendors or other business partners. Second, this global trend is being met, step for step, by an escalation in economic crime enforcement around the world. We have found that many companies conduct up-front due diligence on their business partners but fall short on auditing and monitoring. This exposes them to compliance and litigation risk. With both U.S. and international regulators holding organizations accountable for the actions of their third-party business partners, it s clear that such relationships should remain a significant concern for global organizations. 1 Ryan Murphy is Partner at Pricewaterhouse Coopers LLP and Sara Putnam serves as Director at Pricewaterhouse Coopers.

2 Every touchpoint a risk For illustration, consider a global pharmaceuticals & life sciences (PLS) company. Although these issues can be more broadly applied to any industry manufacturing, oil and gas, technology or financial services may come to mind the PLS sector serves as an excellent illustration of the risk landscape faced by global organizations. While most PLS companies have robust compliance programs in place and understand their risks and obligations, many still struggle to fully control the actions and behaviors of the business partners they rely upon to execute their business strategy. With a supply chain and business model that require a significant number of touchpoints with government officials through intermediaries such as clinical trial partners, medical consultants, distributors, sales agents, logistics providers, marketing agencies, lawyers, accountants, etc. even the best-managed players face the potential for hundreds of compliance breakdowns every year. Further amplifying the risk, the industry s perpetual cycle of deals and divestitures makes the task of identifying and tracking high-risk business partners more onerous, not to mention more precarious. A strategic imperative: Doing more with less Regulatory expectations are clear regardless of the size, sector or geographic footprint of a company. Companies are expected to maintain a robust compliance program which includes both monitoring and auditing (as separate concepts, under the Federal Sentencing Guidelines, and as recently reinforced in the DOJ s public stance on the ten hallmarks of good compliance programs 2 ). An effective compliance program must include insight into each business partner s commitment to compliance, and broadcast a clear understanding of its position on business ethics. It should also provide visibility into potential red flags, including: a lack of clear business purpose or structure, close associations with government officials, use of shell companies, existence of offshore bank accounts, excessive commissions or discounts, or any of several other suspicious conditions. But with risks growing far faster than compliance budgets, many companies face a fundamental, structural problem: how to credibly monitor hundreds or thousands of business partners with finite resources? The solution may, in fact, be to do more with less. Instead of attempting a blanket audit or assessment of each partner (which is a practical impossibility, anyway), the company should undertake a systematic, strategically focused approach to its compliance and litigation risk profile across its entire operational footprint. 2

3 Targeting the highest-risk business partners: A three-step method Given the number of government touchpoints and business partners, a one-size-fits-all approach to managing compliance and litigation risk would be not only impractical, but ineffective. From our experience, targeted assessments of a small number of identified high-risk business partners are likely to prove far more effective than lighter-touch reviews of a wider population of lower-risk entities. The goal is to improve the company s compliance spend by isolating the highestrisk strategic third-party relationships, and targeting resources and trained compliance professionals into those critical areas. But first you have to determine where the efforts should be focused. We have found that a step-bystep method such as the one outlined below can be useful: Step 1: Stratify Start by identifying the population of business partners, and then breaking down that population, both quantitatively and qualitatively, into manageable subsets. These subsets would be defined by weighted, risk-based criteria, as well as those you reasonably believe to pose the greatest regulatory or litigation risk. The risk criteria you choose will of course be determined by the organization s individual profile, operations and risk tolerance, or by findings specific to unique situations known by the company. While the list below is far from exhaustive, a useful starting point could include: Step 2: Pilot company risk tolerance, and resources available to manage the risk geographic location of the business partner volume of interactions with state-owned entities anticipated spend and profit margins involved knowledge gained from investigations and other sources (external/hotline/media) information indicating known or suspected misconduct whether and to what extent the business partner uses subcontractors duration of the existing relationship or contract, including ones that will not be renewed Once you ve stratified the entire business-partner population, it s time to execute an in-depth pilot of a thoughtful subset of that population. The goal is to learn from that population analyze where there are issues, and look for patterns of risk based on the regional or operational qualities of those third parties.

4 The pilot may entail: discussions with the business partner s management team; analysis of the strength of their compliance operations; transactional review to confirm what you have learned from discussions and document review; and corporate intelligence of publicly available information to seek out any irregularities. Based on this analysis, your client may then choose to refine its approach, or update the risk categories or selection method, before conducting assessments of additional business partners. Step 3: Remediate Too often, this step gets too little attention. Your client has identified one or several business partners with which to exercise its contractual compliance audit rights, or has performed extensive corporate intelligence on a given third party and highlighted areas that need to be addressed. So what happens next? Sadly, the critical final step of actual remediation is sometimes mishandled either left to in-country management or not properly communicated to those tasked with following through with the remediation. Beyond re-exposing the company to the same compliance and litigation risk as before, an ineffective remediation may actually increase the risk by identifying known compliance mishaps and creating a trail documenting the client s knowledge of, and inadequate response to, the problem. Effective remediation doesn t necessarily require exiting relationships where a mishap has occurred. Many companies find that remediation efforts can be best focused on helping key partners conduct business in the right way, while staying on course with the client s overall business strategy. What is important is that your client undertake a thoughtful, detailed process which it learns from and then remediates appropriately. This process should be defensible in front of not only the company s management, board and shareholders but also, crucially, before regulators and enforcement bodies. The right resources in the right places How to structure the right team to address your client s compliance risk? How to deploy the correct resources in the right places?

5 The composition of the team will be paramount. Ideally it would include a combination of in-house and external resources highly experienced and skilled in compliance and forensic work deployed both in your client s home country and in the local geographies where it is conducting business. It is crucial that in-country resources have credibility and significant experience with both local language and business practice. Alternative structures work as well for companies who are equipped to follow this process, but who may still benefit from outside support in assessing the methodology, information gathered and remediation adopted. Credibility + clarity = confidence Achieving consistent compliance in a fast-evolving regulatory environment is a significant challenge one at which even stellar companies occasionally fall short. Yet as we ve discussed, there is a productive, effective way to tackle a large pool of business partners, and that way is not to attempt to audit or assess them all. The pragmatic steps we outline here stratify, pilot, remediate can be useful in helping to cut a seemingly impossible problem down to size, and managing it in a way that not only uses federal compliance guidelines to the company s advantage, but also appreciably decreases your client s regulatory and litigation risk, while focusing on minimizing both operational disruption and compliance spend. A thoughtful and defensible approach can yield both clarity and confidence to your client s stakeholders internal and external. An added benefit of mitigating risks strategically is the ability to realize the company s larger business objectives in an increasingly competitive, increasingly global playing field. Ryan Murphy is a Partner in PwC Forensics Services Tel: ryan.d.murphy@us.pwc.com Sara Putnam is a Director in PwC Forensics Services Tel: sara.putnam@us.pwc.com 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.