The Red Flag Group®

The true measures of success in any compliance programme

Third-party monitoring is a well-established, critical component of risk-based due diligence and anti-bribery and anti-corruption (ABAC) compliance. Compliance teams must determine the amount of risk posed by a third party and then apply a commensurate level of both initial and ongoing due diligence to that third party. Factors generally applied in this risk determination may include any combination of:

  • the amount of spend
  • the size of the company
  • the industry
  • the geographic location of the business and its country risk
  • internal compliance procedures
  • self-disclosures
  • past wrongdoing
  • how vital the good or service is to your business operations (for example, whether alternative sources exist), among other factors.

Once this determination is made, higher-risk third parties should be subject to refreshes of more in-depth due diligence reviews annually or biannually. These may include confirmation of ownership, litigation searches, media searches, reverse directorship searches, sanctions and watchlist screening, and other related background investigation strategies.

In addition to these in-depth enhanced due diligence reviews for higher-risk third parties, ongoing monitoring of all third parties, regardless of risk level, is advised. The US Department of Justice (DOJ) and the UK Serious Fraud Office (SFO) both suggest a due diligence programme that fits within the reasonable resources available to a company. Given the prevalence of compliance screening databases in the marketplace and the relatively low cost of such monitoring, it would be difficult to defend a scenario in which monitoring was not conducted and a violation of sanctions or ABAC laws followed. A purpose-built compliance database should be used and should, at a minimum, include all relevant sanctions and watchlists. Depending on your industry and risk appetite, you may choose to also include screening for politically exposed persons and adverse media. Besides legal risks, you may want to be aware of reputational risks that could arise from relationships with your third parties. Such database monitoring acts as a trip-wire alarm designed to trigger further investigation: the amount of information contained in a single reference to a third party is often not enough, on its own, to formulate an informed determination of risk.

With monitoring now described, what is the measure of success?

As with any initiative, successful implementation requires establishing goals and objectives and subsequently measuring whether those goals have been achieved. The goals of your compliance programme must be tailored to the risks, and risk tolerances, of your organisation. Industry, geography, compliance resources, and other variables will affect the goals and objectives you establish. Your measures of success may vary but in general should include:

  • Employee surveys and hotline reporting – hotline reporting, whether internal or outsourced, should include concise metric reporting such as the number and type of incidents, the outcome of internal investigations, etc. However, given that various studies have shown that not all incidents are reported, employee surveys may be a good means of measuring the number and type of compliance-related incidents occurring in your organisation.
  • Number and type of compliance-related incidents uncovered during routine due diligence and monitoring, and the resulting appropriate level of controls placed on higher-risk third parties. Were your compliance policies and procedures followed 100% of the time?
  • Number and type of disclosures to, and/or investigations by, law enforcement and regulatory bodies. Hopefully these remain few and far between, but keeping this number as close to zero as possible should be a goal, and it should be measured.
  • Established and measured KPIs for your monitoring programme. These will certainly vary, but examples may include:
    • 100% of third parties monitored daily against key sanctions lists
    • remediation of identified potential risks within 5 business days
    • implementation of enhanced internal controls for third parties found to pose additional risk within 30 business days.

Last but not least, it is important to calibrate your ongoing monitoring of third parties in the same risk-based manner you applied to your initial due diligence. A one-size-fits-all approach has been expressly described as inconsistent with the guidance of the US Department of Justice as well as the UK Serious Fraud Office. As with any initiative, establish your goals and objectives, measure them, evaluate their effectiveness, and adjust as needed to ensure your organisation is protected as intended.