Automating due diligence
An interview with Peter Connor, the Senior Director of Global Compliance at Citrix.
It has taken a long time and many high-profile scandals to make companies realise they can be held responsible for the conduct of their business contacts, including manufacturers, suppliers or distributors. Consequences can range from damage to the brand name to loss of business and even legal action taken against the company. Taking responsibility for third-party conduct – such as that of the suppliers to your suppliers, and resellers of your distributors – can be an even more daunting prospect, but is a necessary step of corporate governance that companies need to take.
“While you may be dealing with a high volume of participants, due diligence can be integrated into the existing partner-management initiatives and managed online, making the task much easier and more user-friendly,” says Juliet Lui, Consultant – Advisory with The Red Flag Group.
Citrix is one company which takes full responsibility for both its distributors and resellers and, supported by The Red Flag Group, Citrix has worked out an automated compliance function which is integrated into its existing business operations.
A multinational company with a projected full-year revenue of US$2.55 billion for 2012, Citrix powers mobile workstyles with cloud, collaboration networking and visualization technologies. According to the company’s website, it has a client base of about 260,000 organizations, and its products touch 75 per cent of internet users every day. The company has posted double-digit growth in revenue for the past three years, relying on its 8000-plus employees and 10,000 partners in about 100 countries. Citrix wants to keep growing and is going the extra mile to safeguard its brand name.
Working within a two-tier business model, Citrix is in direct contact with only a few hundred distributors, but these distributors work with several thousand resellers who are in direct contact with customers and can therefore pose potential risk.
“Our due diligence focuses on both distributors and resellers. We could take the position that our resellers are customers of our distributors, and not concern ourselves with them; however, we don’t, because the risks are greater with resellers which interact with customers directly,” explained Citrix’s Senior Director of Global Compliance, Peter Connor.
Due diligence of Citrix’s distributors included a full background search, which was conducted by The Red Flag Group last year, and will be repeated next year. There are also enhanced searches carried out on any new distributors who join the network from high-risk countries, and an annual check of all distributors and resellers worldwide against compliance screening databases.
Although the company had no previous issues with bribery or corruption, it decided to do a risk assessment on resellers in high-risk countries, which it defined using a cut-off score of 5.5 on Transparency International’s Corruption Perceptions Index. These risk assessments were performed manually, which involved sending questionnaires to about 2000 resellers.
“After a lot of chasing and a lot of hard work we got back about 86 percent to 87 percent of the response. I thought a much easier way to get to 100 percent was to build it into an existing business process where the partners could not do business with us unless they answered the questionnaire,” Mr. Connor said.
The company finally decided to incorporate the due diligence into the existing on-boarding and vetting process. “Several months of planning with the channel and IT teams, and some investment, resulted in a very efficient automated process incorporated into the online partner registration and annual process,” Mr. Connor said. “The Red Flag Group were terrific, integration [with their system] was the easiest part, and we have come up with a fully-integrated and automated solution.”
“Our preferred methodology is to link the ComplianceDesktop® Technology Platform into the clients’ partner management system. That way the partners continue to go to where they [usually] access all relevant information on the client site and [then] our system is connected with that site to share data, access information and run analytics on compliance, risks and due diligence. It simplifies the process for the client, without [requiring] any IT infrastructure on their side, apart from a few simple connectors,” says Scott Lane, CEO of The Red Flag Group.
Resellers fill in an online application form to gain authorization to sell Citrix’s products. As part of the due diligence process, Citrix asks new applicants, as well as those renewing their business registrations, about the amount of business conducted with the government and any government connections, such as ownership by any government entity and whether any past officials hold company positions at a higher-management level. The online questionnaire also asks if any employee has provided anything of value to improperly influence a sale and whether anyone in management has been accused of offering a bribe.
The due diligence questions are allocated scores from zero to ten, and the results go directly to The Red Flag Group. If the score is ten or higher, it will be marked “red” and the Due Diligence team at The Red Flag Group will immediately perform a high-level search on the reseller.
“The Red Flag Group will conduct a high-level search on any reseller in a high-risk country which either has government connections or carries out any business with us. Plus, even if they have no government connections [but] conduct [US]$100,000 or more Citrix government business, they would undergo a high-level search. If they conduct over $250,000 business with any customer, they would undergo a medium-level search,” Mr. Connor said. This resulted in about 200 medium-level and 100 high-level searches in the first round of due diligence.
Completed reports are uploaded onto The Red Flag Group’s Due Diligence Manager within 14 days, and email notifications are sent to the responsible person at Citrix, who can view the results and arrange remediation as appropriate.
“Those who only earn five to 10 points will go through a medium-level search. The company can manually request a search on companies in the category of zero to five,” Lui says.
The investment in this compliance process is even more noteworthy because the company has not had any bribery or corruption issues so far. According to Mr. Connor, “Whilst the partner margin on an average-size deal in a high-risk country is typically low and doesn't give much scope for bribery, we want to take proactive steps to minimize the possibility of this happening.”
Due Diligence Searches Explained
Medium-level searches: The Red Flag Group verifies company registration, location, company shareholders and directors, media and internet profiles of the company and its key personnel in the local language, financial and credit-rating information, and conducts basic bankruptcy and litigation checks.
High-level searches: In addition to everything investigated in the medium-level searches, these searches are escalated to actual company site visits, reputational enquiries, checking any previous names for the same companies and the reputation of those firms, checking any other companies that directors and shareholders may own, their political connections and those of their family members, and other details.
All reports are scrutinized for red flags by an expert team of analysts, and any red flags are summarized at the beginning of the report.