Global Third Party Due Diligence
PCC 2017, 28 April 2017
Presented by Darren Jones, Cory LaBarge and Michael Clarke

Key questions to be addressed
1. Central risks associated with Third Party interactions
2. How to effectively manage high-risk Third Parties where there are limited ex-ante risk mitigation options
3. Factors to consider when enhancing third party due diligence process
4. Examine best practices for the verification, monitoring and auditing of third party entities
5. How to make KPIs=KRIs for your monitoring and auditing plans
6. Evaluate best practices for using third party auditors (opposed to internal auditors)
7. How to manage third party due diligence and alliance management for M&A and Product Licensing deals

Why is Third Party management and oversight challenging?
- Less control and visibility into their work, records, organization
- May not have internal controls and/or compliance program
- Potentially divergent business interests
- They may delegate work to a sub-contractor (without consent or knowledge)
- Direct interactions with government officials (especially outside the U.S.)
- Easier to disclaim knowledge of wrongdoing
- Limited options for vendors in risky countries or in specialized markets/for specialized services

Bribery and corruption happen in various ways through Third Parties

Forms of bribery
- Facilitation payments
- Discounts
- Vacations
- Gifts
- Medical Education Grants
- Charitable Contributions
- Meals
- Employment/Internship
- Product samples
- Free or discounted equipment

Risky Third parties
- Distributors
- Suppliers (other vendors along supply chain)
- Travel agencies
- Market access consultants
- Event & meeting management vendors
- HCP/Public officials engagements
- Customs agents
- Market Authorization Holders
- Contract sales organizations
- Contract research organizations
- Medical society / association
- Patient advocacy organizations

Third Parties' interaction with HCPs, HCOs, or government officials is high risk; due diligence is key.

The development of systematic anti-corruption laws enhances the need for Third party (TP) monitoring

North America
- USA Foreign Corrupt Practices Act (1977)

Europe
- UK Bribery Act (2010)
- German Act on Fighting Corruption in the Healthcare Sector (2016)
- France Sapin 2 (2016)

APAC
- China Anti-bribery laws (1979, amended in 2011)
- South Korea The Act on the Prohibition of Improper Solicitation and Provision/Receipt of Money and Valuables (2016)
- UAE Penal Code (1987)

South America
- Brazil Clean Company Act (2014)
- Colombian Transnational Corruption Act (2016)
- Mexican National Anti-Corruption system (2016)

Africa
- South African Prevention and Combating of Corrupt Activities Act (2004)

Note: this is a non-exhaustive list of laws in place to fight corruption

U.S. focuses on pharmaceutical companies and new DOJ compliance guidance

- a healthy compliance program should also include third-party agent due diligence
- risk that the distributor will use their margin or spread to create a slush fund of cash that will be used to pay bribes
- a compliance program must thoroughly vet its third-party agents to include an understanding of the business rationale
- appropriate expense controls must also be in place to ensure that payments to third-parties are legitimate business expenses and not being used to funnel bribes to foreign officials
Andrew Ceresney, Director, Division of Enforcement

DOJ Evaluation Guidance provides guidance and benchmarking for best practices in the US and globally. This aligns with the Five Elements of Risk Management:

Elements of Risk Management: DOJ Evaluation Guidance
1. Policies: Policies
2. Processes: Procedures; Risk Assessment; Third Party Management; Mergers and Acquisitions
3. People & Organization: Senior and Middle Management; Autonomy and Resources; Training and Communications
4. Systems & Data: Books & Records
5. Management Reporting: Confidential Reporting and Investigations; Incentives and Disciplinary Measures; Continuous Improvement, Periodic Testing and Review; Analysis and Remediation of Underlying Misconduct

Third party oversight and management: 5 key objectives

Reliability: As with all compliance programs, having consistent policies and procedures is essential to ensure program effectiveness. Consistency in areas such as initial screening/risk rating criteria, risk-based due diligence and approval/denial criteria are particularly important for TP oversight.

Transparency: The volume and diversity of TP engagements makes it challenging to gain visibility into key TP compliance data points such as: how many TPs are we actually engaged with? What do they do for us? Who vetted and approved the engagement? Business and approval rationale?

Efficiency: Efficiency in execution is vital given the geographic diversity and high volume of TP vendor engagements. For this reason, having tight and scalable policies and processes and/or some form of automation is important.

Responsibility: Shared or diffused responsibility among various stakeholders (compliance, finance, business, etc.) is common in TP management. This potential liability can be alleviated by a clear governance model with clear lines of review and approval, as well as structured policies and SOPs.

Organization: Maintaining accurate records and documentation of all TP arrangements and decision-making processes is an essential component of the TP program both for internal tracking and analytics as well as for regulatory compliance purposes.

Stages of Third Party Management & Oversight Life Cycle

Stages: Identification, Qualification, Engagement & contracting, Monitoring & auditing, Renewal/exit strategy

- Business needs/rationale
- Initial screening
- Vendor questionnaire
- Vendor FMV or benchmarking analysis
- Risk-based due diligence
- Contracting
- Business stakeholder training
- Vendor training (as required)
- Risk-based & Purposeful
- Criteria to decide which vendors to monitor
- Exercise auditing rights
- Consideration: who conducts the audit (legal, compliance, internal audit department)
- Pareto Principle: 80% of corruption risk comes from 20% of vendors
- Risk-based due diligence renewal (periodic)
- Factors for termination
- Risk
- Internal resources
- Opportunities to correct
- Document conversations with business

Sample factors that can drive risk
- Geographic location (High corruption index; Advanced regulation/enforcement)
- Industry
- Distribution to Government Officials/Agencies (direct/indirect/high percentage)
- Sales Through Sub-Distributors
- Value of Contract (high dollar amount)
- Proposed Compensation Structure (fee-for-service, commission, salary)
- Financial Irregularities (Typical? Cash vs. Pre-Pay? Higher than usual? Transfer to a third party's accounts or a different country)
- Adverse Media Reports/Prior History (prior corruption, scandal, civil/criminal prosecutions, media search)
- Unwillingness to include contract protections (audit rights; indemnity; certifications; ABAC provisions)
- Strength of Third Party's Ethics & Compliance Program

Due Diligence for M&A and Licensing: Important Considerations

Contract Administration View
- One time transaction
- Short to mid term profit maximization
- Straightforward contract provisions and clean hand off
- Upfront evaluation of risks and due diligence requirements
- Manage to the contract agreement
- Little interest/investment in a relationship

Alliance Management View
- Focused on alliance or partnership considerations
- Mid to longer term relationship
- Distribution Contract can become more complex and involved
- More monitoring and auditing may be required
- Partnership and Alliance Management must be considered and managed