In order to denote uncharted and possibly dangerous territories, ancient maps sometimes display the warning “Hic sunt dracones” (“Here there be dragons”). Aside from the topic of Compliance Monitoring & Review, dealing with business partners often represents the largest “blind spot” in a company’s Compliance Management System (CMS). It is estimated that only about half of companies includes its suppliers and subcontractors in its compliance program. The misconception that compliance risks can easily be shifted into business partner’s area of responsibility may contribute to this. That may not be correct. Rather, the following principles apply:
- Companies cannot discharge themselves of responsibility by entrusting third parties with the execution of risky activities
- Moreover, they are generally responsible for what third parties do on their behalf
But what are, in practice, the most important steps towards risk-based management of business-partners?
First, we need to know who is a “business partner” in the first place. This is assessed differently depending on a company’s business area. As a rule of thumb, at least those persons or organizations who work for a company (except employees) or otherwise represent it should be included. Typical examples of business partners are sales partners, customs agents, or consultants. The stock-taking process should include the following questions:
- What does the company need this business partner for?
- What can this business partner do that existing business partners were unable to do?
- Why did the company choose this particular business partner? Is this business partner particularly qualified for the task in relation to others (performance, price, experience)?
- Does the business partner use other business partners in turn? If so, for what purpose and with what specific mandate?
Business partners must then be evaluated with regard to existing risks. Did the evaluation, for example, find that
- the business partner has regular contact with representatives of local authorities,
- approval sought from the authorities is essential for the company’s business activities in the market,
then this is extremely important information. This reflects considerable compliance (and corruption) risks, without there necessarily having been any concrete evidence of undue influence.
In addition, country and industry risks (Corruption Perception Index and special regulatory requirements) are important indicators, and order volume can also be a reason to take a particularly close look at a business relationship. Last but not least, warning signs, “red flags”, may indicate special risks in individual cases, for example, if the business partner is unknown in the industry, the actual added value by the business partner is unclear, or unusual payment methods (cash payment, off-shore accounts) have been identified.
Depending on the level of risk, business partners must then be reviewed – either retrospectively, if no review has taken place in the past, and/or in a defined process for new business partners. This review is usually summarized under the heading “background checks”, which can be a comparison against the most important “blacklists” (such as the World Bank Listing of Ineligible Firms & Individuals or public corruption registers). Even simple search engine queries can yield interesting results. The higher the risks, the more the business partner must be “put to the test”, in particular through a detailed analysis of beneficial ownership.
Supporting measures may include contractual provisions and other safeguards, such as the incorporation of compliance clauses, the determination of audit rights, or training courses.
In particular, contractual compliance clauses provide necessary legal leverage to actually exercise control in the business relationship and to be able to react appropriately to irregularities.
Let’s be honest, careful management of business partners can be very costly, and yes, there are some “dragons” lurking here that have to be defeated. However, the result is “win-win”. First, the company protect itself against liability and reputational risks. Second, the transparency and evaluation of business partners produced by this review actually serves a company’s interests, namely in creating a precise understanding of the reason for and the structure of a business relationship, a business partner, and its services provided. From a business perspective, this “inventory” is often long overdue, and will later be reflected in a corresponding return on investment.
In our next – and penultimate – episode, we will deal with due diligence and integration in M&A processes.
If you are unsure how to set up your CMS successfully, please feel free to contact me.