Attention all compliance officers at large technology companies – have you checked your mail lately? Because you might find a letter from the Securities and Exchange Commission with FCPA risk written all over it.
So say recent news reports, warning that the SEC has begun asking tech companies about the business relationships they have with distributors, resellers, and other third parties in countries with high corruption risk. This suggests that the SEC is conducting a so-called “sweep” of the tech sector, looking for possible violations of the Foreign Corrupt Practices Act, presumably to be followed by lengthy investigations, expensive settlements, and awkward conversations among you, your board, and senior management.
To be clear, receiving one of these letters doesn’t mean the SEC is accusing your company of corruption violations. The agency is merely assessing the tech sector for potential violations, by asking companies about the nature of their business in high-risk jurisdictions.
Well, if the SEC is asking about third-party business relationships, your company needs to provide accurate, reliable answers. So, if these letters are anything, they are a warning – to technology companies right now, but really to all public companies – that you need to keep your third-party risk management capabilities sharp.
The TPRM capabilities that matter
We can organize that need for strong third-party risk management (TPRM) into several capabilities that will matter most.
Due diligence. Yes, as always, you’ll need strong capabilities to research the backgrounds of distributors, resellers, brokers, and other intermediaries working on your behalf. That includes ownership structure, executives’ connections to “politically exposed persons,” past allegations of misconduct, and the like.
Contract management. Even if the third party passes onboarding with flying colors, you’ll still want to monitor and govern the business relationship on an ongoing basis. For example, you will want the right to audit the party’s behavior. You might want clauses forbidding the party from sub-contracting to other intermediaries, or requiring the party to supply regular reports about its activity.
All of that can be spelled out in a contract, but to do so, your company will need a strong contract management process to ensure that every deal with an intermediary gives you the compliance oversight you need.
Record-keeping. Companies will need to be able to prove they are governing their third-party relationships prudently; that means documentation. To get said documentation, you’ll first need to adopt policies and procedures requiring it; then you’ll need occasional internal audits or other reviews to confirm what your third parties provide matches what you require.
Anti-corruption training. You need to train employees and third parties alike that offering or paying bribes – even under the misguided notion of “I’m only trying to help the company” – is unacceptable. That training must also be relevant, such as training accounting teams on how to spot suspicious payments or training managers on the importance of stressing ethical conduct. Then you’ll need to keep thorough records of said training.
Forge strong relationships, too
Those four capabilities listed above only tell us what your third-party risk management program should do. There’s still the question of how a compliance officer achieves that high state of TPRM performance – and that’s typically the harder part to figure out.
Clearly technology will play an important role. For example, companies will need strong screening technology to manage due diligence. They’ll also need strong policy management tools to define (and enforce) anti-corruption policies consistently across the whole enterprise. And they’ll need a central repository for all that documentation, which will need to be classified and organized carefully for easy data analytics and reporting.
At the same time, compliance teams need to forge strong working relationships across the whole enterprise, to harness the full potential of all that technology.
For example, the SEC is asking tech companies about the distributors they use. If the compliance team doesn’t have close ties with the procurement team, you might not know about all the distributors or other intermediaries your company has. Good due diligence on some distributors won’t help you then, if you’re also telling the SEC, “We’re not sure this is everyone.”
We could make similar arguments about policy management, training, and record-keeping. For all of those systems to work – for them to provide the assurance you’ll need, so you can have productive conversations with the SEC or any other regulator – compliance teams will need to work with other parts of the business.
You’ll need to explain your needs (and let’s be honest, “the SEC is asking about this” certainly helps explain them) and listen to what data or procedures those other teams have. You’ll need to work together to fill gaps on policies, procedures, contract language, documentation requirements, training and more.
Together, however, the compliance team and the rest of the business can build that third-party risk management capability your organization needs – to answer an SEC inquiry, to be a better business partner to your own customers, or to address whatever other risk the world is going to throw at us next.
Looking for solutions to help your organization stay on the right side of compliance with third-party risk management solutions? You’re in the right place. Learn more about NAVEX Third-Party Risk Management Software here.