Deciding where to begin a full compliance and ethics
program can often appear quite daunting. Most US companies fully
understand the need to comply with the Foreign Corrupt Practices Act (FCPA).
However, most companies are not created out of new cloth but are ongoing
enterprises with a fully up and running business in place. They need to bring
resources to bear to comply with the FCPA while continuing to do business. This
can be particularly true in the area of performing due diligence on foreign
business partners or vendors in the supply chain. Many companies understand the
need for a robust due diligence program to investigate third parties, but
have struggled with how to create an inventory to define the basis of risk of
each foreign business partner and thereby perform the due diligence
required under the FCPA.
At the SCCE 2010 Annual Conference, Ken Kurtz, Chairman
and CEO of the Steele Foundation, presented some ideas in a session entitled "Getting
Unstuck, Tactics for Defining and Executing Systematic, Risk-Based Third Party
Due Diligence for FCPA Compliance". In this presentation he discussed some
tools and tactics for ensuring third party due diligence compliance on foreign
business partners such as agents, resellers, distributors, joint venture
partners and any other such entities which might represent a US based company
internationally. He gave the audience some 'nuts and bolts' guidance on
cost-effective, risk based approaches to defining and vetting of foreign
The initial step in any system is to begin with a clear,
demonstrable commitment to perform due diligence on foreign business partners.
But equally important, a company should engage in a systematic approach which
would involve a specific methodology. The due diligence program should begin
with a solid foundation. This would include defined objectives and scope;
defined roles for each person in the process and coherent definitions which an
employee could rely on in making decisions. The process should also be scoped
to include how to conduct the due diligence, what should be done if a Red Flag
is discovered, when due diligence should be re-performed and how such
information should be retained.
After this foundation has been set, Kurtz suggested that
a company should then perform a third party inventory to define its risk basis.
A company should determine which of its business areas present the greatest
exposures in the area of FCPA compliance risk. This can be based on one or more
factors including geography, types of business units or business relationships.
Kurtz listed two different types of approaches. The first he labeled
"Programmatic," which has the following characteristics: it assesses at the program
and category level, incorporates a linear approach, emphasizes
setting risk at an enterprise level and is consistent and systematic. The
second approach he labeled "Forensic," and this approach focuses more deeply
on the individual level. However, he noted this approach is potentially
inconsistent and can also be more costly.
Using these steps, a company can then begin to identify,
rate and aggregate its foreign business partners to create a manageable due
diligence process. This process should be intentional, consistent and
systematic to ensure full transparency through the use of a central tool. This
can allow audit trail accountability to ensure full visibility. The mechanisms
which Kurtz outlined are useful tools for the Compliance Professional or
Corporate Legal Department employee to demonstrate to management the 'how' of
accomplishing this task in an ongoing FCPA compliance program.
Visit the FCPA Compliance
and Ethics Blog, hosted by
Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms
of risk management for a worldwide energy practice, tax issues faced by
multi-national US companies, insurance coverage issues and protection of trade
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be responsible
for any loss sustained by any person or entity that relies on this publication.
The Author gives his permission to link, post, distribute, or reference this
article for any lawful purpose, provided attribution is made to the author. The
author can be reached at email@example.com.
© Thomas R. Fox, 2010