Ethics resource issue 1

Ethics Resource

Bombman Turned Conman: International Fraud Case Demon-strates Collusion On Both Sides of High-Dollar Transaction Pg. 6

Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain Pg. 12

Third-Party Risk Management: Does Shaking Hands with a Third-Party Partner Make You Shaky? Pg. 24

Published by

ISSUE 1, 2013CRIgroup.com

Corporate Resilience: Managing Third-Party Risks

2 Ethics Resource 1st Quarter 2013

Ethics Resource is created for business leaders, directors, investors and professionals who need the latest information and best practices for protecting their assets from fraud. Presenting practical tools, case studies, and articles focused on fraud prevention and detection, Ethics Resource pro-vides an insightful look at the issues impacting businesses worldwide.

Ethics Resource is published by Corporate Research and Investigations, LLC.

Middle east & North africaCRI Group Headquarters – Dubai, UAELevel 9, #904, Liberty House, DIFCP.O. Box 111794Dubai, UAETel: +971-4-3589884Fax: +971 4 3589094Email: [email protected]: www.CRIgroup.com

CRI Group ME – Doha, QatarLevel 22, Tornado TowerAl-Funduq StreetPO Box 27774Doha, QatarTel: +974 44292434Email: [email protected]: www.CRIgroup.com

europeCRI Group EMEA – London, UKLevel 3325 Canada SquareLondon E14 5LQUnited KingdomTel: +44 207 038 8366Email: [email protected]: www.CRIgroup.co.uk

asiaCRI Group Asia – PakistanLevel 12, #1210, 121155-B, Islamabad Stock Exchange (ISE) TowersJinnah Avenue, Blue AreaIslamabad, PakistanPO Box 2144Tel: +92 51 111 888 400Toll Free : 0800 00 CRI (274)Email: [email protected]: www.CRIgroup.com

CRI Group Asia Pacific – Singapore1 Raffles Place, #19-07, Tower 2One Raffles Place, Singapore 048616Tel: +65 6808 5634 (35-36)Fax: +65 6808 5800Email: [email protected]: www.CRIgroup.asia

WorldWide locatioNs

CRI Group is a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations.

A Licensed and Incorporated entity of the Dubai International Financial Cen-tre-DIFC, CRI Group safeguards businesses by establishing the legal compli-ance, financial viability and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business.

iMpleMeNted aNd certifiedISO 9001:2008 (Quality Management Systems)ISO27001:2005 (Information Security Management Systems)

Ethics Resource

ContentsEthics Resource | Issue 1, 2013

Corporate Resilience: Managing Third-Party RisksCorruption, bribery and a lack of due diligence harm business interests world-wide. Learn what the experts are doing to combat these and other threats.

CRIgroup.com 3

6Bombman Turned Conman: International Fraud Case Demon-strates Collusion On Both Sides of High-Dollar TransactionIn a bizarre international fraud case, a simple $20 plastic golf novelty item was re-sold to security forces around the world as a high-tech $40,000 bomb detector, which may have contributed to the deaths of scores of civilians and security personnel.

Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain

Third-Party Risk Management: Does Shaking Hands with a Third-Party Partner Make You Shaky?

16

6

12

24

4 Ethics Resource 1st Quarter 2013

Letter from the CEOWith Ethics Risks, Knowledge is Your Best Weapon

In today’s international business world, where do you turn to stay informed on eth-ics issues that affect your organisation? How do you stay on the cutting edge of due diligence and compliance best practices that are essential to protecting a successful business model? Welcome to the first edition of Ethics Resource, created by CRI Group to address critical ethics and due diligence challenges facing businesses worldwide.

Our cover feature, “Corporate Resilience: Managing Third-Party Risks” (pg. 16) provides an in-depth look at the risks confronting any business engaged in dealings with other organ-isations — a landscape in which the old saying “what you don’t know can hurt you” is an unfortunate truth.

There are potential threats involved with any dealings with third-party providers: we run them down, and tell you what your organisation can do to be better protected. As part of our effort to help you be better informed, we’ve detailed our third-party risk management funda-mentals, which we represent in four important phases in an easy-to-review graphic (pg. 21).

Would you pay $40,000 for a “bomb detector” that was actually a golf novelty item worth $20? Military forces and police departments around the world did just that. Read the incredible story of the “Bombman Turned Conman” (pg. 6) and learn about oversight and due diligence checking gone wrong.

We also probe a more well-known case — the infamous horse meat scandal affecting con-sumers in the UK and other European countries. The article’s title says it all: “Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain,” (pg. 12).

Finally, we round-out our coverage of ethics and due diligence with some additional in-sight on dealing with outside organisations in “Third Party Risk Management: Does Shak-ing Hands with a Third-Party Partner Make you Shaky?” (pg. 24). Learn more about the different risks that accompany any dealings with third parties, including operational, reputational, compliance, strategic and other key risk areas.

Thank you for reading this first edition of Ethics Resource. I hope you find it to be an infor-mative and useful tool in your continued business success.

Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCIChief Executive Officer of CRI Group

CRIgroup.com 5

» Risk Management Consulting

» Investigative Due Diligence

» Fraud Risk Investigations

» Fraud and White-collar Crime Prevention

» Insurance Fraud Investigations

» Corporate Security Consulting and Investigations

» Business Intelligence and Investigations

» Forensic Accounting and Investigations

» Intellectual Property Investigations

» AML Consulting Services

» Employment Screening and Background Investigations

Today’s global markets are constantly changing. Is your company at risk?

CRI Group provides clients comprehensive tools to mitigate risk in international business transactions, mergers and other growth opportunities. CRI Group offers:

CRI Group can help.

EUROPE+44 207 038 [email protected]

AMERICAS+1 (646) 513-4266 [email protected]

MIddlE [email protected]+974 [email protected]

ASIAPakistan+92 51 111 888 [email protected]+65 6808 5634 (35-36)[email protected]

Contact Us TodayVISIT OUR

MObIlE wEbSITE

CRI services ad universal.indd 1 5/27/13 11:35 AM

6 Ethics Resource 1st Quarter 2013

International Fraud Case Demonstrates Collu-sion On Both Sides of High-Dollar Transaction

By Zafar I. Anjum, CFE, CIS, MICA

bombman turned conman

n a bizarre international fraud case that recently unfolded in the British court system, a

simple $20 plastic golf novelty item was re-sold to security forces around the world as a high-tech $40,000 bomb detector, and may have contributed to the deaths of scores of civilians and security personnel in Iraq.

The parties involved included a British businessman with a secu-rity background who made mil-lions of dollars selling the fake bomb detectors to prominent security forces worldwide, and several high-ranking Iraqi officials convicted of taking massive bribes from the businessman to authorize purchase contracts.

James McCormick, 57, president of security products company ATSC (UK) Ltd., recreated a novelty golf ball finder which sold for $20 in the United States, and re-labeled the items as the “ADE 651,” a sophisticated device for detecting explosives. The ADE 651 was mar-keted and sold to military forces and police departments around the world including such volatile regions as Iraq, Syria, Lebanon, Ni-ger, Kenya, Georgia, Saudi Arabia, Hong Kong and Mexico.

The fake devices, which the company expertly claimed could detect explosives, drugs and even currency, had no functioning mechanical or electronic parts

and featured a simple retractable antenna that the company said operated similar to a dowsing rod, which intuitively swiveled in the direction of the desired “program-memed” item once that item was detected.

In the most egregious case, Mc-Cormick sold the devices for up to $8,000 each, but excessively pad-ded the final purchase orders in or-der to kick back millions of dollars in payments to several officials in the Iraqi Interior Ministry.

In 2009, Iraq’s Police Service and the Iraqi Army purchased 1,500 of the devices through a no-bid contract with ATSC, paying more than $87 million and bringing the price of each unit to nearly $60,000 which, according to McCormick, included fees associated with training and middlemen.

The devices were widely used at security checkpoints throughout Iraq, clearly giving a false sense of security to the personnel wielding them. Because they were fake and useless, the devices failed to detect explosives that would ultimately be used to kill or maim countless people in Iraq.

The scam began to unravel after a whistle-blower who worked with McCormick went to the British authorities. In subsequent inter-views with the media, the worker (who had previously sold the device alongside McCormick) once

CRIgroup.com 7

I

8 Ethics Resource 1st Quarter 2013

challenged his boss over the device’s ef-fectiveness. McCormick was said to have answered that the device did “exactly what it’s meant to...it makes money.”

As a result of a two-year British investigation of ATSC, McCormick was found guilty on three counts of fraud in April 2013 and sentenced to seven years in prison.

His counterpart in Iraq, General Jihad al-Jabiri (a senior Iraqi official who ap-proved the ADE 651 procurement con-tracts, claiming that the devices had reduced bombings throughout the coun-try by 90%) was arrested on corruption charges. He was subsequently convicted of taking millions of dollars in bribes from McCormick and was imprisoned along with two other Iraqi officials.

Up to 15 Iraqis are said to have been on McCormick’s payroll, receiving money through a bank in Beirut.

A Complete Breakdown in Oversight

Amazingly over the past decade, sev-eral government security agencies and security experts from around the world became very vocal about the viability of the ADE 651, with one skeptic going as far as to offer a million dollars to any-one who could prove that the device wasn’t “a fake, a scam, a swindle, and a blatant fraud.”

Worldwide, allegations that the device was fake (which stemmed from a host of independent tests) were well published. Germany officially “kicked the ADE 651 out of the country” in 2008, while an Israeli explosives expert was quoted in Der Spiegel magazine as say-ing, “The thing has absolutely nothing to do with the detection of explosives.” Further, an explosives expert visiting an arms and security fair in Beirut in 2009 described the device as “one big fraud.”

As a result of a U.S. Army study con-ducted on the device in 2009, the U.S. military notified all military and civilian personnel in Iraq that the bomb detec-tion device was “ineffective and should not be relied upon as a means of ensur-ing the safety of any personnel.”

The product, in fact, was banned from export to Iraq and Afghanistan by the UK “Export Control Act of 2002” after studies verified the ineffectiveness of the device.

Iraq had its fair share of skeptics as well. In 2008 an Iraqi investigation con-cluded that the devices were too costly and didn’t live up to the performance that was originally desired. But a source close to the investigation went on to state that, “there were senior officials involved in these transactions,” which, after calculating the costs involved and the financial losses, should have been a red flag that something was amiss.

Moreover, as early as 2009, Iraq’s prime minister order an investigation into the effectiveness of the devices af-ter a series of bombings in and around the capital. The report and investigation were later suppressed, and it has been alleged that corruption was the rea-son, as 75% of the value of the contract “went to kickbacks received by [Iraqi] officials.”

How Could This Have Happened?

According to the London Times, “Iraqi officials reacted with fury to the news,

Why didn’t anyone from the various security forces come

forward to voice concerns over the ineffectiveness

of the device?

CRIgroup.com 9

noting a series of horrific bombings in the past six months despite the wide-spread use of the bomb detectors at hundreds of checkpoints in the capital.”

One official, a member of the Iraqi Parliament’s Security and Defense Com-mittee, was quoted as saying, “This company (ATSC) not only caused grave and massive losses of funds, but it has caused grave and massive losses of the lives of innocent Iraqi civilians, by the hundreds and thousands, from attacks that we thought we were immune to because we had this device.”

On paper, the facts of this case simply seem too bizarre to comprehend, and beg several key questions:

•Why didn’t anyone from the various security forces come forward to voice concerns over the ineffectiveness of the device?

•How could credible and knowledge-able security personnel continue to use a product that had, for several years, been deemed junk by the inter-national community and completely incapable of detecting explosives?

•Why didn’t procurement personnel see red flags in the discrepancies be-tween the per-unit price and the total inflated contracts?

case FactsA British security products busi-

ness sold phony bomb detectors to

security forces around the world,

making tens of millions of dollars in

the process while being potentially

responsible for bomb attacks that

killed scores of innocent civilians

throughout Iraq.

Persons of Interest

•The owner of the company that sold the phony bomb detectors was arrested and convicted of fraud.

• Several senior Iraqi government of-ficials were arrested and tried for accepting bribes associated with no-bid contracts to purchase the fake bomb detectors.

Breaches in Security

• Lack of oversight in the procure-ment process.

• Lack of due diligence in examining the background of the supplier or its principles.

Impact Of BreachScores of Iraqi citizens have been

killed or seriously wounded as a

result of bomb attacks, which may

have been averted had the security

forces utilised detection devices that

worked.

CRI Solutions

•Perform due diligence checks on the company and its key principles prior to making major purchases.

•Conduct background research into the viability of the products being procured.

• Execute a risk assessment strategy to provide oversight when transac-tions involving such highly sensi-tive international deals.

• Establish an effective whistle-blower policy that focuses solely on the concerns of employees.

The ADE (Advanced Detection Equip-ment) 651 sold by ATSC (Advanced Tactical Security & Communications)

10 Ethics Resource 1st Quarter 2013

•Why did it take so long for an ATSC employee to come forward?

The fact that ATSC continued to mar-ket and sell its phony bomb detection devices years after scores of indepen-dent tests proved that they were ineffec-tive has security experts scratching their heads (as does the astonishing account that many countries today continue to utilise the ADE 651 to detect bombs, in light of the international media frenzy surrounding the case).

That said, the case presents many in-sights into the varying degrees of securi-ty breaches that enabled McCormick to reap millions of dollars while continu-ing to perpetrate his scam around the world. Those breaches, when presented on a general basis, include:

•A lack of appropriate due-diligence in-vestigations on ATSC, its product line, and its key officials.

•An unwillingness to validate (or an ignorance of relevant information about) the negative test results of the company’s product line which includ-ed the ADE 651.

•A lack of personnel oversight on the buyers’ side (or an intimidation of rel-evant personnel responsible for moni-toring and auditing the procurement contracts).

•An inability of users to voice their concerns over the effectiveness of the product.

•A lack of a whistle-blower policy on the users’ end to identify improprieties of the transactions and ineffectiveness of the device.

•A lack of oversight into the high-level chain of command responsible for authorizing the purchases.

It should be noted that, to a varying degree, human perception also played an important role in the success of this scheme. The company had fabricated seemingly credible and documented accounts of the ADE 651’s effectiveness in detecting explosives in varying appli-cations. Statements from soldiers and security personnel were used by the company (through printed sales collater-al and through the company website) as testimonies of the device’s effectiveness. Further, there was no reason to believe that the devices were fake, given the amount of money being spent by gov-ernment agencies to procure them. And surely no one could imagine that such an important piece of security equip-

ment procured by such high-ranking of-ficials would turn out to be completely fraudulent.

In hindsight, the “massive losses in money and lives” suffered through this tragic story may well have been averted had proper levels of due diligence been conducted, and the appropriate corporate security watchdogs been put in place.

Recommended Solutions To

Guard Against Such Breaches

This case clearly demonstrates that there are often at least two colluding parties in an international fraud op-eration. With regard to the fake bomb detector scheme, on one side stood a wealthy con man who was extremely convincing in selling his contraption and

From his false profits, McCormick bought a $301,900 holiday home in Florida, a $483,000 villa in Cyprus and a $950,985 Sunseeker Portofino cruiser named ‘Aesthete.’

CRIgroup.com 11

went to great lengths to tell his story worldwide, eventually bribing govern-ment officials with huge amounts of cash to get them to sign off on multi-million-dollar purchase agreements for thou-sands of the useless devices. On the other side stood high-ranking government officials who raked in millions in personal gain while spending the government’s cash to purchase the worthless devices.

Who’s responsible for the horrendous lapses in security? It’s hard to answer that question given the nature, intrica-cies and politics of the Iraqi military. But from a corporate standpoint, there are several actions one can take away from this case to ensure that these security breaches don’t occur in your business:

•Run a thorough background check on your company’s primary vendors and third-party suppliers. Although Mc-Cormick had experience as a police officer, he had no technical or scien-tific background or training. And don’t always place trust in the professional and trade associations with which the vendor is affiliated. ATSC had falsely claimed to be a member in good stand-ing with the International Association of Bomb Technicians and Investigators, and used the organisation’s logo in their sales material to add credibility to their product line.

•Conduct a risk assessment on the vendor to identify any potential vul-nerabilities. If you’re going to spend millions on a product, make sure you know the origin of manufacture and the background of the company from whom you’re buying. A thorough risk assessment will ascertain whether the vendor has the proper policies and procedures in place to address such ongoing risks as quality control, test-ing, performance criteria, reporting

processes and product integrity while verifying that the company has the wherewithal to meet your quantity requirements over the long run.

•Conduct due diligence on the various claims being put forth by the vendor. Contact supplied and developed refer-ences to get firsthand accounts of the product’s performance and drawbacks. Research news sources, industry groups and trade organisations for any derogatory information or test results related to the product. Contact other users of the product to get their feed-back on the viability of the product.

•Establish purchase benchmarks inter-nally (based on price and/or quantity levels) which trigger alarms when those levels are met or exceeded. Nev-er give any single individual authoriza-tion to procure products that exceed a pre-established level.

Sometimes, all it takes is an interna-tional case such as this to open an organ-isation’s eyes to how it is conducting its own business affairs. Utilising effective measures that verify vendor and prod-uct claims will help to mitigate the risks involved in such transactions, and keep

your organisation out of the headlines.

ABOUT THE AUTHOR Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, is chief executive officer of CRI Group (CRIgroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Email Zafar at [email protected].

EDITOR'S NOTE In May 2013, McCormick was sentenced to 10 years in prison for his bomb detector fraud. According to media reports, the judge proclaimed that McCormick “has blood on his hands” from the “callous confi-dence trick.”

sirloinRUMP

TORS

OELE

G

fLankThickRib

fORE

Rib

bRiSkETShin

nEck

?

?

??

12 Ethics Resource 1st Quarter 2013

he recent scandal in Europe over the inclusion of horse meat in food products that were purchased by

consumers who believed they were 100 percent beef has turned a spotlight on the importance of oversight in the corporate supply chain.

The scandal began in January 2013 when Irish authorities found traces of horse DNA in “value based” frozen beef burgers made by processors in Ireland and Britain and sold in Tesco, Aldi and

other major supermarkets across Eu-rope. Further testing of also showed the presence of pig DNA in the beef burger samples.

According to reports, the food prod-ucts originated from Liffey Meats and Silvercrest Foods in Ireland, and the Dalepak Hambleton food processing plant in the United Kingdom. Trace amounts of horse DNA were also found in raw ingredients imported from Spain and the Netherlands.

Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain

By Zafar I. Anjum, CFE, CIS, MICA

T

CRIgroup.com 13

Ironically, the scandal posed no real

threat to human health. But it breached

many cultural taboos related to eating

horse and eating pork, and has raised

a firestorm of questions and concerns

over the integrity of the food system on

the Continent and the security of food

supply chains.

The ensuing media storm com-

ing from the scandal has supermarket

chains across Europe facing a wave of

criticism. As a result, those operators

were forced to pull millions of beef

products from their shelves that were

thought to contain horse meat.

With politicians, food standards

agency officials and the public demand-

ing protection against food fraud and

food adulteration, the industry’s meat

retailers, suppliers and supermarkets

have all suffered reputational harm and

widespread financial losses.

Tesco, the UK’s largest retailer and

a leading international retailer, saw its

market value plunge more than one

percent, or £300m, in one day after

it removed 21 lines of its frozen burg-

ers from 3,000 British supermarkets.

The operator of more than 6,000 stores

worldwide has since worked feverishly

to repair its damaged image by heavily

promoting measures that will allow it to

better track its supply chain and ensure

quality in its food products.

impact On The industry The scandal revealed a major break-

down in the traceability of the food

supply chain, and exposed a web of

fraud practiced by several food proces-

sors that took advantage of the intrica-

cies of the supply chain for their own

financial gain.

According to sources close to this scandal, a growing global economy has enabled the food industry to source its products worldwide, which has added to the sophistication of the industry and increased the complexity of the sup-ply chain. Because of these factors, it’s becoming increasingly more difficult to monitor what goes into a product.

Moreover, a stressed worldwide econ-omy has forced organisations to take extreme measures and look beyond bor-ders for cheap labour and more effective ways to preserve the bottom line. Ac-cording to one source familiar with the food industry, “Supermarkets are press-ing the supplier, the supplier is press-ing the sub-supplier, the sub-suppliers’ workers are cheating because they are paid poverty wages, being from the third world and imported as cheap labour.”

Because the supply chain has so many layers, it’s become increasingly difficult for even cash-rich companies such as Tesco to identify, monitor and secure their sources. Foreign suppli-ers are being blamed by experts who claim that those third-party suppliers have caused the contamination scare in a deliberate swindle to save money in supplying products to the value super-market chains.

Silvercrest, one of Tesco’s meat pro-ducers, defended itself by comment-ing, “Silvercrest has never purchased or traded in equine product and has launched a full-scale investigation into two continental European third party suppliers who are the suspected source of the product in question.”

Tesco has since dropped Silvercrest as a meat supplier. That move was closely followed by several well-known food re-tailers and wholesalers through Europe, and even fast-food giant Burger King,

14 Ethics Resource 1st Quarter 2013

which owns more than 500 fast food restaurants throughout Ireland and the UK.

“an alarming breach in controls”Fraud has always been a mitigating fac-tor in the corporate supply chain. And it’s no different in the food industry. It is estimated that fraud accounts for as much as 10% of food sales, with com-mon examples including Vietnamese catfish being passed off as cod, ordinary olive oil as extra virgin and vegetable fat as mozzarella cheese.

While the blame for the horse meat crisis may lie in part with lower-level suppliers and mislabeling fraud, the scandal has nonetheless shone an un-flattering light on the food industry’s supply chains, and the alarming breach in controls that has been publicly ex-posed, especially those controls utilised by the major supermarkets.

For their part, the retailers are own-ing up to the fact that they may not be as diligent in monitoring suppliers as was once thought. Tesco, for one, admitted to its lack of knowledge that one of its suppliers had been purchasing meat over the past year from an unap-proved third-party Polish supplier. Ac-cording to a statement made by one of Tesco’s technical directors, “It was im-possible to check the supplier in Poland, as we didn’t know it existed.”

That lack of knowledge of the pro-cesses being used by the companies to which the products are being sourced has led to the overriding issue that now plagues the food industry. With an ever-expanding global supply chain, it has become increasingly vital that retailers be made responsible for what they sell, how it’s made and where it comes from.

Managing Your Supply chainShort of a business launching its own in-house production or manufacturing

facility to meet all of its component needs, the only economically viable way for companies to stay competitive in this global marketplace is to rely on its supply chain network. And it’s the responsibility of the organisation to en-sure that its web of suppliers is reliable and trustworthy.

To ensure your suppliers’ values are in line with those of your business, it’s vital that you put in place an effective supply chain management system. Such a system will become a watchdog over the processes, controls and communi-cations to mitigate the inherent risks associated with outsourcing the prod-ucts that define your brand in the mar-ketplace. Here are several recommen-dations to support your supply chain management system.

Review Your Supply Chain. Launch a traceability audit with suppliers to docu-ment where your products are coming from. Every level of your supply chain (going well beyond your first-tier suppli-ers) should be reviewed, scrutinized and accredited. With that review in hand, ask yourself if your suppliers are con-ducting business in a way that conforms with your core values, and producing product that meets your requirements. A long supply chain means limited control over what you are producing, so consider the alternatives to your present suppliers and look into simpler ways to product your product.

Conduct Your Own Quality Tests. Conduct factory audits on all suppliers in your supply chain before placing that first order. Ensure that every supplier conforms to your quality levels and are adhering to strict product specifications. Those audits will come in handy should any risk issues arise down the road. Additionally, require your suppliers to conduct and produce self-administered

CRIgroup.com 15

audit reports that show the reviews were conducted by independent (and credible) industry auditors.

Maintain a Policy of Transparency. To instill confidence within your customer base, be as transparent as possible about your suppliers, producers and production operations (without divulg-ing trade secrets, of course). This could vastly reduce the potential for a public relations crisis down the road. The more information your customers have, and the more transparency there is in the your corporate supply chain, the harder it will be to be taken by an unscrupu-lous supplier.

get Legal Involved. Make sure every supplier you’re working with knows the boundaries of your business relation-ship. Employ legal contracts that spell out required benchmarks related to quality, materials, delivery, sub-contract-ing and other production facets.

Communication is Key. Do you have an internal communications system that engages with your workers (and perhaps your suppliers’ workers)? Work-ers typically have first-hand knowledge of production issues, and a communi-cations system that enables them to provide input and feedback generally gives employees a chance to voice their concerns before the situation builds to crisis proportions.

Look to the Industry for Support. As a result of the horse meat scandal, supermarket retailers across Europe were all impacted by the acts of a few third-party meat processors. There-fore, it’s important that trade partners share information on suppliers and utilise industry-sourced databases for the latest information and updates, so that red flags can be raised to identify

� continued on pg. 23

case factsSeveral major supermarket chains through-out Europe have come under intense scrutiny after horse DNA was discovered in products they claimed were made entirely of beef. The ensuing crisis has eroded consumer confi-dence over the method in which supermarkets purchase their food products.

Persons of Interest

• Several food processors in Europe are being investigated for using horse meat in the beef products they sold to supermarkets.

•Major retailers, including Tesco, Aldi and others, are under the microscope for not properly monitoring and managing their food supply chain.

Breaches in SecurityThe complexity of the food supply chain has made monitoring of food processors increas-ingly difficult. Further, some processors are turning to fraudulent adulteration methods to reduce costs and compete on a “value” level.

Impact of BreachSupermarkets have taken a beating financially, as shoppers are turning away from “value” foods which they believe contain products not mentioned on the labels. Retailers, in turn, are investing millions to restore trust and bring back that consumer confidence.

CRI SolutionsEstablish systems that enable the business to know who its suppliers are and ensure that those suppliers are complying with bench-marks, requirements and other indexes that define the corporation’s core values.

Updates•Tesco has pledged to shorten its supply

chains and source meat from inside the country wherever it can.

•Tesco has promised to spend millions of pounds annually on DNA testing, to make sure its suppliers are delivering the ingredi-ents listed on its food products.

16 Ethics Resource 1st Quarter 2013

It goes without saying

that forging strong rela-

tionships with outside

service providers, manu-

facturers, and supply-

chain and distribution

partners will strengthen

a company’s ability to

broaden its markets,

expand its product and

service offerings, re-

spond more aggressively

to ever-changing market

demands, and poten-

tially boost bottom-line

performance.

From utilising call

centers in Mumbai and

granting retail franchises

in Seoul, to outsourcing

circuit boards to manu-

facturers in Shenzhen,

fulfilling orders from

massive distribution

centers in California, and

partnering with invest-

ment banks in Dubai,

successful businesses

rely on an oftentimes

complex web of alliances

with third-party provid-

ers to reduce operational

and labour costs, en-

hance capabilities and

boost the bottom line.

But when any number

of factors impairs the

ability of a third-party

affiliate to adequately

fulfill its contractual

obligations, a business

can suddenly become

exposed to myriad crises

that could ultimately lead

to revenue loss, interna-

tional litigation, reputa-

tion damage and regula-

tory action — all while

potentially affecting the

organisation’s ability to

attract new business or

service existing customer

relationships.

The most effective

third-party partnerships

involve a multi-tiered

risk management process

that begins at the com-

pany level well before

any outside provider ever

enters into the organisa-

tion’s business model,

and ensures that the or-

ganisation itself has the

ability to be fully resilient

in the face of crises ema-

nating from a third-party

catastrophe.

The Risk of Third-Party PartnershipsIt is highly probable that,

at some point, organisa-

tions that affiliate with

outside providers will

C O R P O R A T E R E S I L I E N C E : Managing Third-Party Risks

By Zafar I. Anjum, CFE, CIS, MICA

CRIgroup.com 17

18 Ethics Resource 1st Quarter 2013

eventually have to deal

with an operational

interruption resulting

from a third-party related

issue. The risks involved

in partnering with out-

siders haven’t changed

over the centuries. It is

the potential liability that

has been ratcheted up

several notches. Interna-

tional borders have been

ripped down. Technology

has improved the way

businesses communi-

cate. Easy access to data

and information enables

the media to report on

business news before a

business can properly

respond. And the mar-

kets are quick to form

opinions based on a 24/7

on-demand news cycle.

The result of this in-

creased liability is prob-

lematic. Business litiga-

tion has skyrocketed.

Corporate reputations

are constantly being as-

saulted. Business strate-

gies are forever shifting.

Board members are be-

coming increasingly sub-

jected to intense scrutiny

from outside critics. And

a highly educated market

responds immediately

with their pocketbooks.

A simple poll of any

large or small business

will show that a vast ma-

jority of those organisa-

tions have suffered some

type of harm from the

actions (or inactions) of

a third-party affiliate. The

harm includes:

•Experiencing financial loss when a third-party provider failed

•Losing customers because of poor-quality service from a third-party

•Exposing breaches to data systems because of poor security practices by a third-party

•Experiencing supply chain issues due to poor disaster recovery proce-dures by the third-party

•Being exposed to litigation because of relationships with an outside provider that significantly violated contractual terms, potentially resulting in regulatory exposure

The most successful

organisations around the

globe are the ones that

can rise above the scru-

tiny and demonstrate an

aversion to risk and a re-

siliency to crisis. These are

the organisations that go

to great lengths to estab-

lish strong risk manage-

ment systems designed to:

1. Identify and weed out unqualified or

The most successful organisations around the globe are the ones

that can rise above the scrutiny and demonstrate an aversion to

risk and a resiliency to crisis.

CRIgroup.com 19

unscrupulous third-party providers in the pre-contract bidding phase

2. Ensure that the pro-vider is adhering to every provision of the contract while it is in effect

3. Provide viable outlets in the event that a third-party provider falters

A strong risk manage-

ment programme helps

companies effectively

identify and mitigate

risks posed by third-party

providers in critical risk

areas such as informa-

tion security, service

delivery, supply chain

processing, financial

processing, reputation

management and regula-

tory compliance.

The Fundamentals of a Third-Party Risk Management Programme By taking a proactive approach to address the risks involved in working with third-party provid-ers, an organisation can greatly decrease its susceptibility to liability, business interruption and

brand damage.

This planned approach

incorporates several

phases and demands buy-

in that starts at the top

of the organisation an

trickles right down to the

staff members to ensure

that the mechanics of the

plan are closely followed.

PHASE 1: Identify Vulnerabilities Through Risk Assessment

Third-party risk assess-

ments are used to ascer-

tain whether an organ-

isation has the proper

policies and procedures

in place to address all

potential risks at the

management, operations

and financial levels, and

takes into account the

likelihood of those risks

actually occurring.

Certain aspects of

a risk assessment may

include a review of inter-

nal auditing procedures,

compliance guidelines,

performance criteria,

internal controls, report-

ing processes and con-

tractual requirements

that are vital to foster a

long-term positive re-

turn with the third-party

provider when looking at

the relationship from a

cost-benefit standpoint.

Specific areas ad-

dressed in a third-party

risk assessment could

include:

•Audit and supervision functions that assign clearly defined respon-sibilities throughout the organisation

•Business continuity plans that take into ac-count natural disasters and third-party busi-ness closures

•Supply-chain alterna-tives that respond to every possible scenario, from regional events to currency fluctuations

•Jurisdictional consider-ations and affiliations with potential partners located in regions that may be prohibited by law

•Data and Intellectual Property protection which includes custom-er privacy and informa-tion security consider-ations

•Anti-corruption and whistle-blower policies that start at the staff education level and extend to safe internal and external report-ing mechanisms which are easily accessible to management and staff

Such assessments

ensure that there are

tight controls in place to

mitigate key risks, and

assign specific respon-

sibility for maintaining

20 Ethics Resource 1st Quarter 2013

the control to designated

management and staff

members. Any gaps that

are detected in these

internal controls are also

addressed during the as-

sessment phase.

Further, a third-party

risk assessment plan

will also help determine

whether the proposed

third-party relationship

is consistent with the

company’s stated stra-

tegic plan and overall

business strategy.

PHASE 2: Contracting Requirements

Contract requirements

related to third-party

business relationships

essentially begin in

the pre-bid phase,

with the use of stan-

dard integrity lan-

guage in bidding docu-

ments to alert bidders

that documents submit-

ted in support of or-

ganisation’s original bid

proposals are subject to

independent verification

by an outside source in

order to authenticate the

qualifications and claims

made by the bidder.

Once selected, the

organisation’s legal

department is charged

with drafting written

contracts which outline

specific duties, obliga-

tions and responsibilities

of both parties involved

in the contract.

Third-party contracts

address such funda-

mental factors as qual-

ity, price, reliability and

financial viability when

assessing potential part-

ners. They should also

stipulate security of infor-

mation and information

systems as a factor in the

contracting process.

Here are other provi-

sions to consider, depend-

ing on the breadth and

scope of the relationship,

and the resulting contract:

•Responsibilities of each

party

•Reporting procedures

and availability

•Performance standards

•Scope of work

•Compliance with laws,

regulations, safety,

labour laws, etc.

•Permissibility to

subcontract

•Confidentiality clauses, including customer lists and information security

•Data ownership

•Service level agreements

•Response time

•Productivity benchmarks

•Customer service

•Business continuity plans

•Disaster recovery plans

Properly written

third-party contracts

ensure that the organ-

isation’s compliance

management system is

adapted to effectively

address the third-party

relationship and appro-

priately respond to any

issues or compliance

deficiencies.

Any significant con-

tract with a third-party

should guard against

assignment, transfer or

subcontracting by the

third party of its obliga-

tions to another outside

entity, unless the

Third-party contracts address such fundamental factors as quality, price, reliability and financial viability when assessing potential partners.

CRIgroup.com 21

organisation determines

that such an action

would be consistent with

the scope of work or the

goals of the organisation.

PHASE 3: Conducting Due Diligence

Due diligence on poten-

tial third party provid-

ers is critical to confirm

legitimacy and reduce

the risks associated with

such business relation-

ships. The due dili-

gence process provides

management with the

information needed in

making the determina-

tion that working with

a potential third-party

would ultimately help

achieve the organisa-

tion’s strategic and

financial goals.

A comprehensive due

diligence investigation

involves a review of all

available information

about a potential third

party, focusing on the

provider’s specific rel-

evant experience, its fi-

nancial condition, knowl-

edge of applicable laws

and regulations, repu-

tation, and the scope

and effectiveness of its

operations and controls.

The evaluation of a third-

party may include the

following items:

•A thorough investiga-

tion of the provider’s

business and operations

•A comprehensive

review of the provider’s

financial condition and

reputation

•Evaluation of the

provider’s experience

in implementing and

delivering on the pro-

posed scope of services

•Review of the provider’s

culture, vision and busi-

ness style to ensure co-

hesiveness with those

of the organisation

•Reference checks, in-

cluding peer businesses

and industry groups

•Review of local and

regional government

records to identify any

past or present litigation

involving the provider

•Background checks of

the provider’s key

principals

•Reviewing the provid-

er’s internal controls,

information systems,

security, confidentiality

and contingency plan-

ning documents

PHASE 1: Identify Vulnerabilities

PHASE 2: Contracting Requirements

Third-Party Risk Management Programme Fundamentals

Risk assessment should evaluate the following areas:• Jurisdictional considerations• Data and IP protection• Whistleblower policies

• Audit and supervision functions• Business continuity plans• Supply chain alternatives

Third-party contracts should address the following:• Quality• Price• Reliability

PHASE 3: Conducting Due Diligence

PHASE 4: Management Oversight

Evaluation of potential business partners should include:• Business and operations• Financial condition and reputation• Experience, culture, vision and business style

The key elements of a successful business relationship:• MANAGE • MONITOR • MAINTAIN

• References and government records• Background checks• Insurance and certifications

• Financial viability• Security of information• Other details within the scope of the contract

1

2

3

4Figure 1: Third-party risk management programme fundamentals

22 Ethics Resource 1st Quarter 2013

•Review any existing working relationships to gauge the reliance on subcontractors

•Ensure adequacy of insurance coverage

•Review of marketing and customer service practices

•Review of certifications, quality controls and continuous improve-ment initiatives

In general, due diligence

will lead the organisation’s

management to consider

some basic questions prior

to dealing with a third-

party provider. Pending a

review of the provider’s

operations, reputation and

financial position, those

questions include:

•Would our organisation offer products or services to the provider on credit?

•Is the provider acces-sible and approachable?

•Does the provider clearly understand the organisation’s business goals?

•What are our options for terminating the contract with the pro-vider (if needed) and how will this affect the organisation’s operations?

NOTE: Not only should

due diligence be con-

ducted prior to selecting

a third-party provider, it

should also be performed

periodically during the

course of the relation-

ship, particularly when

considering a renewal of

a contract.

PHASE 4: Management Oversight

Successful organisations

that effectively engage in

third-party business rela-

tionships rank the areas

of “culture and leader-

ship” on the same level of

importance as “policies

and procedures” when it

comes to being resilient.

Therefore, management

oversight is critical to the

third-party risk manage-

ment process.

An organisation’s

senior management is

ultimately responsible

for managing activities

conducted through third-

party relationships, and

identifying and control-

ling the risks arising

from such relationships,

to the same extent as

if the scope of services

were being provided

from within the organisa-

tion. Therefore, senior

management is charged

with ensuring that the

business relationships

with third-party sources

remain strong, produc-

tive and free of risk.

To accomplish this,

management should

CRIgroup.com 23

adopt a “manage, moni-

tor, maintain” posture

that clearly defines the

key elements of a success-

ful business relationship:

•Manage — Bid propos-als, contracts, licensing, registrations, certifica-tions, training levels; review third-party con-tract provisions at least annually.

•Monitor — Produc-tion standards, output benchmarks, quality and compliance. While it is vital to ensure these standards are in line with the provisions of the contract, man-agement should also strive for and demand continuous improve-ment in these areas.

•Maintain — Regular contact with third-par-ty providers, including open communications and regular site visits to review operations and ensure compliance with the provisions of the contract. The organisation

should be vigilant at maintaining an updated database of debarred and questionable third-party providers, which will simplify the due diligence process before contracts are awarded and prevent contracts from inadvertently being awarded to such provid-

ers in the future.

While partnerships

with third-party provid-

ers can be beneficial to

the organisation on so

many levels, such alli-

ances can expose the

organisation to many

unknowns, and those

unknowns will undoubt-

edly increase the level

of risk. The key, then, is

properly managing the

infrastructure, systems,

staff and outside support

to adequately manage

that risk.

ABOUT THE AUTHOR Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, is chief executive officer of CRI Group (CRIgroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Email Zafar at [email protected].

undesirable suppliers. It’s also vital to monitor communications coming from the trade groups that cater to your industry to keep abreast of issues related to your market.

Employ Independent Consultants. Using outside advisers who are impartial to the indus-try, your customers and your suppliers will add a degree of credibility and transparency to your sup-ply chain management programme. Such advis-ers are knowledgeable at

conducting thorough due diligence investigations that can expose unde-tected risks in third-party supplier relationships, while acting as an out-side set of eyes to review your policies and pro-cedures and detect any security breaches that could potentially harm your organisation.

Any viable supply chain relies on a certain degree of trust between all parties involved. And it’s only through the use of a well designed

supply chain manage-

ment system that the

level of trust shared be-

tween parties will mature

and grow stronger.

ABOUT THE AUTHOR Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, is chief executive officer of CRI Group (CRIgroup.com), a global supplier of investigative, forensic accounting, business due diligence and employ-ee background screening services for some of the world’s leading business organisations. Email Zafar at [email protected].

� continued from pg. 15

24 Ethics Resource 1st Quarter 2013

n this era of globalisation, organ-isations are increasingly focused on their main objectives and core

competencies. Shaking hands with third-party investors/vendors for a broader business prospective is becoming more

important than trying to build a one-man show, especially when facing competi-tion in a rapid growth market. Therefore, outsourcing becomes a major tool for minimizing the cost of production and engaging employees on competent work.

Does Shaking Hands with a Third-Party Partner Make You Shaky?

By Aniqa Bukhari

Third-Party Risk Management

I

CRIgroup.com 25

By focusing on compliance guidelines and discussing major challenges, busi-ness leaders can identify the right ways to mitigate risks.

Competitive advantage is a key to success in the race to build reputation and meet deadlines regardless of the business type — whether a manufactur-er, service provider or other business. Third parties in the form of vendors, suppliers, consultants or general out-sourcing partners can help create an efficient environment for work, reduce the cost of production, increase effec-tiveness of other chain processes, and increase revenues. Yet, engaging third parties also creates risks and vulner-abilities for an organisation. Third-party relationships should be transparent — like a reflection in of your busi-ness in a mirror.

The purpose of this article is to provide a basic understanding of the risks that can affect any entity that enters into a business relationship with another institution, organisation or company. Third parties can hardware or software companies, financial or non-financial institutions, manufacturers or service providers, regulatory or non-regulatory entities, and local or overseas corporations, just to name a few.

Not all of the following risks are ap-plicable for every third-party relation-ship; however, these definitions cover this complex and significant topic in all important areas.

Reputational Risk: Reputational risk emerges from adverse effects and nega-tive opinions that can damage the or-ganisation. The third-party relationship might result in disappointed clients, loss of trust, and consequently, finan-cial loss. For example: a third party that manufactures a product which is not up

to the mark of health standards will not only pose health problems for consum-ers, but it will also create reputational damage and regulatory problems — lead-ing to financial loss.

Compliance Risk: Compliance risk results from violations of a company’s standard procedures, internal policies, laws, rules and regulations, and eth-ics. For example: a third-party market-ing company advertises products for an enterprise, but doesn’t follow the standard procedures and privacy policy of the enterprise — this can lead to charges for breaching the Federal Trade Commission Act.

Operational Risk: Operational risk derives from inadequate procedures, internal system errors or external events

beyond an organisation’s control. For example: an organisation uses an ex-change company to transfer funds to their material suppliers before shipping and dispatch. Due to an earthquake, the system fails within the exchange compa-ny and they are unable to transfer funds on time, will resulting in late receipt of the shipment — and the late manufac-turing of certain goods.

Business Risk: Business risk develops from a third party’s system failures, hu-man mistakes, fraud or the incapability of to provide services on time. Im-proper due diligence and no appropri-ate contingency plan for selecting third parties leads directly to a heightened business risk. For example: a leading regulatory organisation makes a third-party contract with a software house to provide a system for highly confidential

Working closely with your partners will reduce time, risk and overall administra-tive involvement.

26 Ethics Resource 1st Quarter 2013

information which cannot be hacked by criminals or anti-country elements — but the system does not fulfill these re-quirements, fails, and is hacked — which not only creates a transactional failure but also a country solvency issue.

Strategic Risk: Strategic risk results from poor business decisions or incor-rect implementation of any business policy or procedure, leading to detri-mental effects on organisational strate-gic goals. For example: an organisation selects a bank for assigning an invest-ment from which they could generate adequate return to establish a new fac-tory wing. Due to a change in monetary policy, the bank decreases the rate of return, directly affecting the potential strategic goal of the organisation.

Credit Risk: Credit risk rises from the financial conditions of the third party it-self. Sometimes a third party runs short on the funds needed to perform certain tasks they had agreed to perform — cre-ating a default situation for the organ-isation. For example: a company issues TFCs Pre-IPO and IPO in the public and private sector for their factory establish-ment, and make a third party contract with an investment bank to buy remain-ing TFCs — but the investment bank runs short on the funds needed to buy total remaining TFCs.

Country Risk: Country risk refers to a third party located in a foreign coun-try having different cultural values and beliefs. The social, political or cultural values could adversely affect activities of the foreign-based third-party service providers and creates a challenging

situation that may harm the organisa-tion. For example: a food manufacturer may use ingredients that are prohibited by another culture or religion — if they enter a third-party contract, their busi-ness practices can negatively affect an organisation, legally and/or ethically, within their own country.

Other Risk: Understanding of the third party agreement is very important. If any party misunderstands the agree-ment or even a clause, then personal interests might change or delivery of services might be affected. This can include any of the above risks, which are already described as potential risks in terms of liquidity, interest rate, currency conversion rate, legal issues or target market selection.

With so many risks of failure involved with third parties, and the completion or execution of third-party projects, a competent and reputable method for third-party selection is critically important. Is

your company adhering to the following proven procedures?

Pre-screening: Selecting a third-party vendor/investor using pre-screening is the first main in conducting proper due diligence for jurisdictional and inherited risks. It includes:

•Establishing that the third party is entering into the contract for mutual benefits, and not simply their own advantage or growth.

•Knowing the third party’s business capabilities, legal status, knowledge and experience, capacity in terms of employees and in term or resources, and expertise.

•Defining any potential problems and addressing any inappropriate situa-tions that could develop through a partnership with the third party.

Planning, risk assessment, and due diligence are fundamental to third-party agreements.

CRIgroup.com 27

Assessment: A screening process that provides a complete and comprehensive risk review for the enterprise in terms of governance, reputation, finance, and regulatory analysis. This is the part of the assessment phase where the ulti-mate risk is defined. It includes:

•Audited financial review and analysis of financial condition

•Past achievements and problem- solving skills used in certain situations

•Width and length of business opera-tions in which third party is engaged

•Reputation of the third party within the consumer forum and in the business industry

•Goals, philosophy and expertise, in terms of employee and management

•Security and privacy policy tools and system effectiveness in terms of soft-ware, hardware and human intelligence

•Insurance coverage in terms of acci-dental cases and natural events

•Management capability and past background of individuals from where they got expertise, whatever is it from educational or practical

Mitigation: Mitigation or alleviation is the step where both parties, the or-ganisation and the selected third party,

thoroughly describe to each other the

scope of the assignment and how it is to

be performed. It includes:

•Detailed agreement description

•Organisational interest and

requirements

•Third-party boundaries and structural

procedural limitations

•Organisational policies, legal and

ethical rules and regulations

•Political, geographical, and social

scenario

•Religion or country values in the case

of overseas partnership

•Currency and pricing details and

conversion rates

•And any other factor which could

create any kind of risk in future

Monitor: Periodic screening to un-

derstand the current requirements,

entity’s performance, checking for

changes in policies and safety of organ-

isational risk in terms of compliance

and regulations is a final step for third-

party risk management.

To maximize benefits from third-

party relationships, your organisation

should have an effective process for

managing the associated risks. Don’t

be fearful that you might lose your

third party vendor/relationship if you

follow these steps — as it is your duty,

as a responsible third-party partner, to

seek a stable, long term professional

relationship… rather than face un-

known future risks.

ABOUT THE AUTHOR Aniqa Bukhari can be reached at +971 4 3589884.

You secure their future. We’ll secure their past.

Global hiring is on the rise. Are you confident your candidates truly have the skills, credentials, knowledge and experience they claim on their résumé, or during an interview? How can you be certain of the integrity, back-ground and personal history of potential hires? CRI Group can help.

� Address checks and physical verifications

� International criminal record checks

� Litigation record checks

� Employment verifications

� Education and credential verifications

� Reference verifications

� Local-language media/public domain searches

� Verify credit and financial histories

� Integrity due diligence checking

� Compliance and regulatory checks

� Verify identity documentation

� Immigration status verifications

� Bankruptcy research

Contact Us Today+44 207 038 [email protected]

UAE | Qatar | United Kingdom | Pakistan | Singapore

VIsIT oUR mobIle WebsITe

CRI background screening ad A4.indd 1 5/29/13 3:09 PM