The US Department of Justice (DoJ) Criminal Division’s recently updated guidance for white-collar prosecutors — about evaluating corporate compliance programs — offers a roadmap for companies to pressure test whether their compliance policies meet defensible standards of care. An important takeaway from this guidance, in IntegrityRisk’s view, is that enterprises do in fact benefit from a refreshed look at how their third-party compliance program stacks up against these updated standards.
The 30 April 2019 DoJ guidance spells out three fundamental considerations for investigating corporations and other organizations:
— Is the compliance program designed well?
— Is it implemented effectively and in good faith?
— Does it work in practice?
One weak link in a company's compliance defense chain can be exposure through its business partners. In light of the new DoJ guidance, how would you answer these questions when it comes to managing third-party risk?
We’re committed to ensuring our products — and the rationale that underpins them — effectively safeguard our clients from potentially devastating reputational, regulatory, and legal risk. The new DoJ guidance presents a timely opportunity to compare our third-party compliance solutions against the updated standards and ensure that we, and our clients, are always asking the appropriate questions.
Know the Right Questions
Now is the time to ask:
— Are your predictive risk assessments based on the location of operations, the industry sector and the regulatory landscape in which your partner operates?
— Is the nature of your relationship with business partners, and any assessment of their political exposure, understood?
— As part of your compliance program, do you allocate resources proportionately to efficiently focus on risk? A comprehensive program should concentrate on high-risk vendors while not ignoring perceived lower risks; it will update and review information gathered from screening performed on business partners – does yours?
Drilling down still further, when it comes to third-party relationships:
— Do you know the reputation of third parties, the nature of relationships that they may have with foreign officials and the business rationale and case behind retaining them?
— Do you actively monitor your third-party relationships through updated due diligence that includes annual compliance certifications?
— Do you track red flags during the due diligence process and are they remediated? Do you monitor third parties that were rejected during the due diligence process and take steps to ensure that they are not retained at a later date?
Finally, the DoJ expects that:
— Your compliance program policy is disseminated to, and read and understood by, employees and your third-party network.
— When handling a sensitive report of malfeasance, you have a confidential reporting structure in place that includes the ability to undertake a properly scoped investigation by suitably qualified personnel.
— Your compliance program inculcates a culture of compliance in your organization, and is consistent, comprehensive, and accessible to all.
If this does not describe your program, or if you’re just not sure, we welcome the opportunity to talk to you about our third-party screening platform. For starters, IntegrityRisk ScreenCheck enables our clients to:
— Check and verify third parties and associates against over 140,000 sanctions and enforcement records and approximately 128 million company registration records globally.
— Utilize an effective, risk-ranking algorithm customized to specific needs and risk tolerances.
— Escalate third parties in need of further due diligence, conduct remediation on results and perpetually monitor them to ensure constant compliance.
— Understand the background of their third parties through questionnaires and structured compliance communication.
— Store and manage all records pertaining to third parties in an auditable and secure environment.
Give us a call or drop us a line to explore how we can help.