It’s probably not news to compliance officers that third parties represent the single greatest anti-corruption compliance risk. In fact, evidence suggests that the vast majority of FCPA cases and enforcement actions have involved third parties. Not surprisingly, compliance departments largely focus on implementing rigorous third-party due diligence programs.
Yet, as important as third-party due diligence is, monitoring third parties after initiating a relationship requires just as much effort and resources. Your monitoring program could even impact your decision to onboard third parties in the first place, and comprehensive monitoring could allow you to take on more high-risk third parties. A monitoring program can include annual certifications, adverse media reports, new background checks, or even full audits.
Some may argue that the most effective form of mitigation is the ability to alter the behavior of anyone working for or on behalf of your company. Let’s explore the mitigating role effective training can have on third-party risks in particular.
What to keep in mind when setting up a third-party compliance training program
Identify the type of third party
Categorize your third parties to achieve a high level of accuracy when building out your compliance training program. Not all types of third parties should undergo the same type of training, just as not all in-house employees are subject to the same training program.
Locate where your third parties are situated
The location of your third party is crucial to understanding what should be included in the training. Despite the fact that FCPA training and UK Bribery Act training should be delivered to most of your third parties, since these laws have global jurisdiction, local anti-bribery and corruption laws may differ from one place to another. Likewise, thresholds set for gifts and hospitality are not the same across geographies. Even cultural business practices diverge. Thus, identifying the location of your third parties should be one of the stepping stones to building out your third-party training program.
Tailor your training program to the needs of your third parties
You have probably heard it many times already, but no one-size-fits-all program can serve the purpose of your training. Tailor your compliance training to the needs of your third parties. The most classic example is to provide content in the local language, but considering the environment of your third party is also crucial. Ask yourself: Do they have access to computers to take the training? Should your training be customized to be accessed from a specific type of device? Would on-site training make more sense?
Create training your third party can identify with
There are many ways you can deliver compliance training, but the more your third party can identify with it, the better. Real-life scenarios that the third party can identify with, and that reflect his or her day-to-day tasks, will resonate more with the trainee. Again, consider the third party’s location and environment when coming up with personalized scenarios.
You’ve created a sensible compliance training program, now what?
Don’t just talk the talk
Despite third parties being more removed from the company than in-house employees, propagating a culture of compliance still applies to employees working on your behalf. Countless times, headlines have featured what was expected to be - and may truly have been - companies with a high level of transparency embroiled in corruption investigations or hit with large FCPA fines, because some third party had bribed on the company’s behalf in Uzbekistan or Nigeria. Managers and employees who engage with third parties in high-risk countries should make it clear that that is not how we do business. If corrupt practices are widespread in your third-party’s local environment, pressure to meet performance targets might push them in the unethical direction. Sensitize your third parties to adopt the values and business ethics of your company and not the local practices.
Use technology to boost your program
It can prove difficult, particularly for larger companies, to have a full and comprehensive overview of a third-party due diligence program, let alone join your due diligence program with your compliance training. Putting technology to good use could solve your problem. Centralizing all third-party related data in one place will provide you with the overview you need to customize your training to the different third-party groups. A clear visualization of high-, medium-, and low-risk third-party groups will also allow you to make the right decisions on the frequency with which you should deliver compliance training. High-risk third parties will eventually need to take training more often than low-risk ones.
Use automation to increase resonance
Another concept that has been closely associated with employee training throughout compliance circles is nudging. As much as training has been stressed as the means through which policies and procedures come to life, nudging, some argue, is more effective in steering towards the right behavior. Imagine the effect reminders, notifications of policies, code of conduct, or other automated messaging could have on third parties submitting exception requests or filing expense reports. Tempted to implement? This effort would require implementing integrated and automated solutions to your compliance program. The effort, however, is definitely worth your while.