Risk Assessment and Due Diligence - Center of Excellence ... · common business situation, new/different business operations with greater/lesser exposure) as well as the Company’s

⼤大成 Salans FMC SNR Denton McKenna Long

Henry Chen Vice Chairman of International Risk and Compliance Association

Senior partner of Dentons Shanghai Office Former AP Compliance Director of Ford Motor Company

Licensed to practice law in China and New York

Risk Assessment and Due Diligence

Lawful means “safe”, “legitimate”, but could be less “effective”. Case study: Peter Humphrey jailed for unlawful investigations Key issues: how to be ”effective” while “lawful”.

On-going means non-stop monitor and being alerted always. Case study: it is no good for a DD report in Day 1 covers many years after Key issues: how to be “on-going”?

Hand-made means a DD report needs brain storm not one-size-fits-all templates. Key issues: human judgments are indispensable.

In local language means translation could impair accuracy and even bring errors. The report should be bilingual or with working papers at least in Chinese. Case study: a senior manager is fired, but his ghost supplier remains unchanged in the English database of the headquarters.

Four cardinal principles:

Risk-based DD scope

• Compliance risk (e.g., environmental protection, outbound bribery, price-cartel or monopoly, privacy or infringement on citizen personal info, data safety & integrity, cyber security, EHS, etc.)

Case study: A polluting supplier forced to shut down results in inability to supply

• Fraud risk (e.g., conflict of interest, “ghost” suppliers or dealers, inbound bribery, etc.)

Case study: Two lovers working in the same company broke up and were fighting. He threatened to publicize her nude pictures. Lawyer proposed her to file a criminal case including in-bound bribery. She refused as she did the same thing.

• Risk of under-credible or under-capable (e.g., not as capable as advertised in supplying or incapacitated due to EHS incidents )

• Bankruptcy risk

• Contingent unusual risk

Case study: a supplier of auto laser radar that collects mapping data is suddenly investigated for violation of Chinese law on geographic survey and infringement upon state secrets

Case Study: How to Identify and Assess Risks

Risk IdentificationRisk

Verification

Prohibitive Obligations Obligors

Control Obligations Obligors Risk Evaluation

Risk Code Risk

Risk sourc

e

Risk source

Case / case source

Compliance obligation / source 1

st 2ndCompliance obligation /

source1st 2nd 3rd

Frequency of risk taking

place

Seriousness of the risk

Likelihood of

occurrence

Risk value

01 Giving bribes a SalesWhat law? What corporate code? Sales

VP on sales

What corporate code? Finance

Compliance Direct

or

Audit Direct

or3 6

4

72

2018/12/24

For each dimension: low risk 1-2; medium risk 3-4; high risk 5-6 For risk value: low risk 1-8; medium risk 9-64; high risk 65-216

4

Stage-wised investigations

• Revaluation of the target • Consultation with industrial experts • Check upon and/or with the target’s suppliers, dealers, clients, and even

competitors

• In-depth FinTech and RegTech check upon the consent of the target • Interviews of the personnel and reviews of the documents of the target

• Possible field investigations • Commercial DD platforms (one-time and/or on-going risk alerts) • Desktop research of materials publicly available

Escalated

Notes：High-levelled\Mid-levelled\Preliminary

Risk-based assessmentLevel of Risk Criteria for Judgment

HighGenerally occurs where violations result in high severity of consequences and there is high likelihood of occurrence. The target should be disconnected unless a robust compliance system is established.

Medium

Generally occurs where:(1) Violations result in high severity of consequences and there is low likelihood of occurrence; or (2) Violations result in low severity of consequences and there is high likelihood of occurrence.A concern identified as medium risk generally requires greater explanation and improvement actions should be strongly considered.

Low

Generally occurs where violations result in low severity of consequences and there is low likelihood of occurrence.Any concern identified as low risk may be monitored in the future for changes. Improvement action may be considered, but is not required.

Severity means the overall magnitude or seriousness of potential consequences for violation based upon potential for legal/regulatory harm (violation of law, imprisonment), financial harm (e.g., damages, settlements, fines), operational harm (e.g., interference with business, loss/prohibition of sales), and/or reputational harm (e.g., embarrassment to the Company, negative media attention).Likelihood of occurrence means the probability a violation may occur considering the nature of the Company’s business (e.g., common business situation, new/different business operations with greater/lesser exposure) as well as the Company’s abilities to avoid/prevent the risk (e.g., strong/weak training and education, monitoring and detection, internal control or systems that prevent).

Example: Integrity DD for YOUR COMPANY to set up JV with TARGET (1)

2. TARGET Group

Highlights: There are at least a dozen of high-profiled corruption and bribery cases in relation to TARGET’s biggest shareholder TARGET Group or its affiliated companies. For example, the former Chairman and executives of TARGET Group were found guilty of and imprisoned for taking bribes and/or embezzling corporate assets, so were some executives of TARGET Group’s affiliated companies.

Example: Integrity DD for YOUR COMPANY to set up JV with TARGET (2)

Lawyer’s Comments and Suggestions: TARGET Group and its affiliated companies failed in managing bribery risks and establishing the culture of integrity.

The mass involvement of the top leaders and executives of TARGET Group and some of its affiliated companies in corruption and bribing means that TARGET Group and the affiliated companies failed in compliance management.

We would not draw a conclusion that Your Company shall stop its joint venturing with TARGET. However, we suggest that YOUR COMPANY shall take following measures to mitigate any possible compliance risks in the establishment and running of the joint venture:

• Escalate the integrity due diligence on TARGET and especially the individuals that TARGET (or its affiliated companies) appoints to work in the joint venture as leaders;

• Request TARGET to provide integrity undertakings and commitments in the joint venture contract;

• Establish a robust compliance management system and build up the culture of integrity for the joint venture when the joint venture is established.

What is DueDiligence.Asia?

Due diligence targets are categorized as “⾼高” (High), "中” (Medium), and “低” (Low) in risk exposure to manage risks proportionately and cost effectively.

Snapshot 1: Risk Categorization

Snapshot 2: On-going Risk Monitoring

A single repository records all activities related to the processing of third party risks. All records are accessible on line.

Snapshot 3: Better Risk Profiles

We achieve high quality risk profiles by leveraging RegTech available in the market.

Welcome to contact [email protected] 


132019/9/26

Please also review Henry Chen’s articles: -- What compliance obligations to meet to transfer data from within China http://www.compliancereviews.cn/Arc-v.Asp?ID=1031

-- Data must stay within China to gain tiered protection under China Cybersecurity Law http://www.compliancereviews.cn/Arc-v.asp?id=1033

-- Intelligent and digital infrastructures are scheduled to accompany automatic vehicles in China http://www.compliancereviews.cn/Arc-v.Asp?ID=1038

mailto:[email protected]://www.compliancereviews.cn/Arc-v.Asp?ID=1031http://www.compliancereviews.cn/Arc-v.Asp?ID=1031http://www.compliancereviews.cn/Arc-v.asp?id=1033http://www.compliancereviews.cn/Arc-v.asp?id=1033http://www.compliancereviews.cn/Arc-v.Asp?ID=1038

Many thanks

2019/9/26 14

⼤大成是世界上第⼀一家全球多中⼼心的律律师事务所，坚持超越⾃自我，以客户需求为中⼼心，始终如⼀一地提供专业、全⾯面、及时、⾼高效的服务，荣膺“Acritas 2015全球顶尖20家精英品牌律律所”称号。
我们知道，深谙本地⽂文化对于达成交易易、解决纠纷以及化解商业⻛风险都⾄至关重要，这促使我们深⼊入客户业务所在的各个地区，让客户保持竞争优势。⼤大成--全球最⼤大的律律师事务所--全球服务团队现在更更加灵活，在遍及全球50多个国家超过125个地区，为个⼈人及公共客户提供量量身定制的解决⽅方案，满⾜足客户在本地、本国及全球的法律律服务需要。


© 2015年年⼤大成 。⼤大成是⼀一家全球性律律师事务所，通过其成员律律所及关联机构服务全球客户。本⽂文件并⾮非意在提供法律律或其他意⻅见，阁下不不得基于本⽂文件内容采取或不不采取任何⾏行行动。我们基于阁下愿意保守保密协议⽽而发送此⽂文件给您，如果您给我们发送机密⽂文件但未做申明，我们有可能会作为他⽤用。 法律律声明请浏览 dentons.com.

© 2015 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This document is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. We are providing information to you on the basis you agree to keep it confidential. If you give us confidential information but do not instruct or retain us, we may act for another client on any matter to which that confidential information may be relevant. Please see dentons.com for Legal Notices.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways.
Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries.
www.dentons.com.

Dentons Shanghai Office 15th/16th Floor, Shanghai Tower 501 Yincheng Road (M), Pudong New Area Shanghai 200120, China