- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
- cover (all) third parties (so you need to create a reliable inventory of your third parties),
- be risk-based (so you need clear, documented risk factors and a risk-based approach to your diligence and oversight), and
- be substantive (you actually need to ‘understand the qualifications and associations of your third-party partners’; a check-the-box compliance exercise won’t work).
- How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company?
- How has this process been integrated into the relevant procurement and vendor management process?
2. Appropriate Controls
- How does the company ensure there is an appropriate business rationale for the use of third parties?
- If the third parties were involved in the underlying misconduct, what was the business rationale for using those third parties?
- What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed and that compensation is commensurate with the services rendered?
3. Management of Relationships
- How has the company considered and analyzed the compensation and incentive structures for third parties against compliance risks?
- How does the company monitor its third parties?
- Does the company have audit rights to analyze the books and accounts of third parties, and has the company exercised those rights in the past?
- How does the company train its third-party relationship managers about compliance risks and how to manage them?
- How does the company incentivize compliance and ethical behaviors by third parties?
4. Real Actions and Consequences
- Does the company track red flags that are identified from due diligence of third parties and how those red flags are addressed?
- Does the company keep track of third parties that do not pass the company’s due diligence or that are terminated, and does the company take steps to ensure that those third parties are not hired or re-hired at a later date?
- If third parties were involved in the misconduct at issue in the investigation, were red flags identified from the due diligence or after hiring the third party, and how were they resolved?
- Has a similar third party been suspended, terminated or audited as a result of compliance issues?
So here’s what this all means. If something goes bad with one of your third parties and the prosecutors come knocking, you had better have a well-designed and substantive third-party management program in place. Simply checking the boxes won’t cut it. Prosecutors are looking at how you manage risk and compliance across the entire lifecycle of your third-party relationships, which includes procurement, due diligence, contracting and ongoing relationship management. They also expect your staff to be trained on how to do these things properly.