Third Party Risk: 7 need-to-knows for your board

Third parties pose a serious ethics and compliance risk to your organisation and can have a devastating impact on your company's reputation and long-term financial sustainability. While a critical consideration at any time, third party risks have recently increased due to the rapidly changing business environment, where organisations are being asked to on-board new vendors and suppliers quickly without the resources to undertake the appropriate levels of due diligence.

83% of organisations only identified third party risks after initial onboarding and due diligence (Gartner, 2019).

TWO OF THE MOST SOUGHT-AFTER IMPROVEMENTS IN THIRD PARTY RISK MANAGEMENT ARE:
44%: the continuous monitoring of all third parties
52%: the consistent application of a risk-based approach
(NAVEX Global, 2019)

Here are the seven crucial factors your board needs to know about third party risk:

01 Regulators expect a risk-based approach to be taken

Your board needs to know that regulators expect you to undertake the appropriate level of due diligence and on-going monitoring of each third party relationship. This is known as taking a risk-based approach, where the level of due diligence should vary according to factors such as industry, country, size of contract, and nature of the transaction.

WHAT IS A RISK-BASED APPROACH TO THIRD PARTY DUE DILIGENCE?
- Varies based on industry, country, size of contract, and nature of the transaction
- Increases or decreases depending on flags raised
- Creates an ongoing cycle of third party monitoring and review
- Ensures organisations and their third parties are committed to ethical and lawful business practices in good faith
(FCPA, 2012)

02 Corruption in business is happening on your doorstep

Your board needs to know that corruption is not something that only happens in far off regions. In many cases, the organisations responsible are much closer to home. As legislation is more widely implemented, enforcement policies and cross-border co-operation greatly multiply the chances of an infraction ending up in the courts.

[Map: COUNTRIES WHERE ORGANISATIONS UNDER FCPA INVESTIGATION ARE HEADQUARTERED. Legend: number of current FCPA investigations (0, 1, 2, 3-4, 5-10, 11-20, 20+).]
Source: FCPA Tracker, June 2020 (includes closed investigations since 2017)
Note: Organisations under investigation come from 47 different industry sectors (n = 183)

03 Any employee can be held personally liable

Your board needs to know the risks that third parties expose both your business and your people to, and provide oversight to ensure an appropriate process is in place to manage these risks. Any employee, including your board and senior management, can be held personally liable for corrupt behaviour enabled by your third parties.

1 in 3 board directors and senior managers say they could justify offering cash payments to win or retain business (EY, 2017).
56% of employees state the management or the board are responsible for ensuring that employees behave with integrity (EY, 2017).

CHARGES AGAINST INDIVIDUALS IN FCPA* ACTIONS
2017: 27
2018: 35
2019: 40
(Debevoise & Plimpton, 2020)
*Foreign Corrupt Practices Act

What is a third party?
Suppliers, Agents, Intermediaries, Consultants, Joint ventures, Contractors, Partners, Customers, Distributors, Vendors

90% of reported bribery/corruption cases involve third party intermediaries (EY, 2017).

04 Regulations governing third party risk are increasing

Your board needs to know that your organisation can be held liable for the actions of your third parties under a growing number of anti-corruption regulations. Your board needs to act now to ensure your organisation is operating in compliance with all current and future regulations.

MAJOR COMPLIANCE REGULATIONS ARE BEING INTRODUCED AND UPDATED WITH STIFFER PENALTIES
Number of major compliance regulations (cumulative total in brackets):
1977 [1]: USA, Foreign Corrupt Practices Act (FCPA)
1993 [2]: France, Law Sapin I
2002 [3]: USA, Sarbanes Oxley
2010 [6]: Spain, Spanish Criminal Code; USA, Dodd-Frank; UK, UK Bribery Act
2015 [8]: Germany, German Act on Combatting Corruption; Netherlands, Dutch Criminal Code
2016 [10]: France, Law Sapin II; South Korea, Improper Solicitation and Graft Act
2017 [13]: Argentina, Criminal Liability Statute; Mexico, General Law of Administration Responsibilities; Peru, Legislative Decree 1352
2018 [18]: Russia, Russian Criminal Code; India, Prevention of Corruption Act; UAE, Penal Code; China, Anti-Unfair Competition Law; Malaysia, Anti-Corruption Act
2019 [21]: Italy, Bribe Destroyer Act; Saudi Arabia, Anti-Bribery Law; Australia, Corporate Crime Bill

05 Enforcement on third party regulations is increasing

Your board needs to know that not only is legislation being enforced more often, but the size of fines is growing too. Global regulators are now working more closely together to enforce regulations and hand out multiple fines for the same infringement.

TOP 5 BIGGEST CORRUPTION FINES INVOLVING THIRD PARTIES
Aerospace Corporation: HQ location Netherlands; regulator US, UK, France; date 2020; fine $4bn
Conglomerate: HQ location Brazil; regulator US, Brazil, Swiss; date 2016; fine $3.5bn
Petroleum Company: HQ location Brazil; regulator US; date 2018; fine $1.78bn
Industrial Manufacturer: HQ location Germany; regulator US, Germany; date 2008; fine $1.6bn
Telecoms Company: HQ location Sweden; regulator US; date 2019; fine $1bn

ENFORCEMENT ACTION IS INCREASING…
< 10 enforcements per year by the DOJ and SEC between 1977 - 2000
30+ enforcements per year by the DOJ and SEC between 2001 - 2019
(FCPA, 2020)

…AND CORPORATE FINES ARE GROWING LARGER
[Chart: Average penalty fine, 2015 to 2019. Values shown: $5.4m, $44.3m, $43.5m, $51.4m, $116m.]
(Willkie Farr & Gallagher, 2020. Note: Figures rounded)

06 The cost to the business is more than the fine itself

Falling foul of the regulations can incur huge fines and financial penalties. Your board needs to know that there are more significant and long-term costs to also bear in mind. These include reputational damage, share price drops, reduced ease of doing business, and ongoing legal and monitoring costs.

81.8¢ of every dollar of share value loss can be attributed to reputational damage caused by imposed corruption fines (Journal of Business Ethics, 2018).
€10bn decline in revenue at global telecoms giant after employees were convicted of bribery and the subsequent resignation of the CEO and supervisory head of the board (Journal of Business Ethics, 2018).
4x: Failure to consider the reputational damage of a bribery scandal significantly underestimates the cost to a company by at least 4 times (Volkov Law Group, 2016).
£1.5bn: Group loses third of market value in two days over concerns supplier factory was paying illegally low wages (FT, 2020).

07 Robust compliance can reduce the financial impact

Your board needs to know that robust compliance programmes and proactive due diligence can lead to forgiveness from law-enforcement agencies, resulting in non-prosecution or reduced penalties through Deferred Prosecution Agreements (DPAs).

50% DPA discount for global engineering company due to activities including, "improved due diligence in respect of intermediaries comprising business justification, external due diligence, and ongoing monitoring." (SFO, 2017)

HOW DO YOU EARN A DPA DISCOUNT?
- Have a robust compliance programme in place
- Undertake appropriate third party due diligence
- Self-report possible corrupt activity
- Cooperate with any investigations

NAVEX Global's RiskRate provides a risk-based approach to third party due diligence by using automation and AI to screen and continuously monitor third parties to help protect your people, your organisation's reputation and your bottom line.