Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape
Introduction
Darryl Lew
Partner
White & Case LLP
T: +1 202 626 3674
Matthew McFillin
Partner, Forensic Services
KPMG LLP
T: +1 267-256-2647
In today's fast-paced and interconnected world of global business, a robust and comprehensive compliance program is not merely a choice, but a critical imperative for any organization. Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's "2023 Global compliance risk benchmarking survey" offers powerful insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks—from anti-corruption risk assessments, third-party management and employee risk awareness to environmental, social and governance (ESG) practices and cybersecurity.
Among the key findings are the importance of regular anti-corruption risk assessments and robust third-party management practices—essential components for creating a culture of compliance and transparency.
Use of data analytics is gaining momentum in compliance programs, though many companies are still in the developmental stage. Testing anti-corruption programs for effectiveness is crucial, as is consistent measurement of hotline awareness and effectiveness, along with addressing employee concerns about hotline integrity.
ESG has increasingly become an area of focus, but our respondents reveal a lack of consistency in addressing ESG risks. This inconsistency in approach can hinder the effective implementation of organization-wide policies and procedures and lead to uncertainty among employees. Clearer guidance and communication are essential in navigating the complexities of ESG and ensuring successful integration into business practices.
Looking ahead, cybersecurity takes center stage as the top compliance priority for the next 12 months, as safeguarding sensitive data and proactively addressing digital threats become more important than ever.
By proactively addressing these compliance challenges, organizations can ensure ethical business practices, mitigate risks and safeguard their reputation in an increasingly complex regulatory environment. We hope you will find our "2023 Global compliance risk benchmarking survey" an insightful read.
Key insights at-a-glance
Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's "2023 Global compliance risk benchmarking survey" offers insights into compliance practices across industries worldwide and strategies employed by companies to manage their compliance risks—from anti-corruption risk assessments, third-party management and employee risk awareness to ESG practices and cybersecurity.
Global compliance risk benchmarking survey: Third-party management
Key Takeaways
01 Compliance teams under pressure to approve heightened risk third parties
02 Compliance policies and procedures related to third-party risk management gain traction
03 Most companies perform risk-based diligence on third parties both at the beginning of the relationship and periodically thereafter
04 Most companies have Compliance and Ethics teams involved in reviewing and approving potential third parties
05 Only a minority of companies require anti-corruption training for third parties
06 Opportunities exist to tighten contractual anti-corruption protections and strategies
Approximately 90% of Foreign Corrupt Practices Act (FCPA) enforcement matters between 1978 and 2023 identified a third-party intermediary, such as a sales agent, consultant or distributor, as part of the bribery scheme.1
Under the FCPA, willful blindness or awareness of a high probability that improper payments are being made by a third party may be interpreted as knowledge of a corrupt payment and provide the basis for liability for companies and individuals.
The behavior of third parties is also highly relevant under the laws of other countries. For example, under UK law, companies are liable for bribery offenses committed by their "associated persons." These are people who in any capacity provide services on a company's behalf. Liability is strict, and a company's only defense is to show that it had in place adequate procedures to prevent the commission of the bribery offense. The role of compliance in third-party risk management is therefore critically important to the overall effectiveness of a company's anti-corruption compliance program.
Respondents indicate that companies employ a variety of contractual anti-corruption protections and strategies. The most commonly used anti-corruption compliance provisions in third-party agreements are anti-corruption compliance representations and warranties (64%) and related audit (61%) and termination (66%) rights. More than half of respondents (56%) also contractually require third parties to cooperate with compliance inquiries. But only a small minority of companies (14%) included provisions to shift the cost of failed compliance audits to the third party.
Compliance teams report feeling pressure to approve heightened risk third parties
11% of respondents reported they have been pressured to approve the engagement of a third party presenting an unacceptable corruption risk, with 9% reporting that it happened more than once or with more than one third party.
Compliance policies and procedures related to third-party risk management are gaining traction
Most respondents (87%) have written policies regarding employee engagement/interaction with third parties.
Almost three-quarters of respondents (74%) have a code of conduct for third parties, and two-thirds (66%) of those respondents require third parties to attest to their compliance with the code of conduct or similar policy.
More than half of respondents (53%) do not require third parties to complete anti-corruption training.
The majority of respondents (85%) perform risk-based compliance diligence on third parties.
While 91% of respondents include some form of anti-corruption provision in their agreements with third parties, 39% of respondents do not use audit clauses in written agreements with third parties with a heightened risk profile, and 20% do not conduct compliance audits on third parties.
Most companies are performing risk-based diligence on third parties both at the beginning of the relationship and periodically thereafter
On average, most respondents (85%) report that their organizations perform risk-based compliance diligence on third parties.
Of these, more than half (55%) said that they perform risk-based diligence on third parties before contracting with them and also periodically thereafter, whereas the remaining 30% stated that risk-based diligence only takes place before contracting with third parties.
While 85% or more of companies across most industries reported performing risk-based compliance due diligence on third parties, the consumer & retail industry was an outlier, with only 45% of respondents reporting doing so.
At most companies, Compliance and Ethics teams perform compliance diligence
Enforcement authorities pay attention to the methods companies use in performing compliance due diligence, as well as the personnel who are responsible for performing it. Authorities generally expect to see involvement from the second line of defense in performing diligence, as business units may not have the expertise to assess third parties or the independence to reject them on compliance grounds. Authorities also consider whether information received from third parties and business teams on questionnaires is corroborated using independent sources, such as public records searches.
Most respondents (57%) reported that their Compliance and Ethics teams perform third-party compliance diligence. While 42% of companies involve the relevant business unit in conducting compliance due diligence, 14% said that they only use the relevant business unit for compliance diligence. A further 15% of respondents did not know who performs compliance diligence at their company.
Just under one-quarter of respondents (24%) outsource third-party compliance diligence to an external vendor.
Responses show that a majority of companies consider multiple sources of information as part of compliance diligence. Leading methods for screening potential vendors include using questionnaires completed either by the third parties (62%) or in-house (40%), as well as public records/media searches (63%).
Most companies have ethics and compliance teams involved in reviewing and approving potential third parties
While nearly two-thirds of respondents (65%) reported that their Compliance and Ethics function has a defined role in reviewing and approving potential third parties, more than one in five (28%) respondents stated that their Compliance and Ethics function does not have one.
Among companies that define a role for Compliance and Ethics teams in approving third parties, 47% do so based on the third party's risk profile, while 18% indicated that this function reviews all potential third parties irrespective of risk.
While the vast majority (75%) of respondents reported that their Compliance and Ethics function is authorized to prevent the engagement of a third party, a minority (15%) said this function lacks that authority.
A minority of companies require anti-corruption training for third parties
Anti-corruption training is generally viewed as an important tool to ensure third parties understand their obligations under applicable laws and relevant contract clauses, and to reinforce the consequences of non-compliance. These findings indicate room for growth for companies to enhance their approach to third-party risk management.
Less than one-third of respondents (30%) require third parties to complete anti-corruption training, while more than half of respondents (53%) do not require such training.
Among the 30% of respondents that require third-party anti-corruption training, 75% require third parties to complete their own organization's anti-corruption training.
Less than one-quarter of companies perform regular compliance audits on third parties
Third-party compliance audits are an emerging area of focus for compliance leaders and enforcement authorities. They can have particular importance in jurisdictions such as the UK, where a company can face criminal liability for failing to prevent bribery by third parties performing services for or on its behalf. When performed proactively, compliance audits can help companies increase awareness of compliance requirements and deficiencies among third parties and help prevent serious incidents of non-compliance before they arise. When performed reactively in response to a triggering event, these audits can help company counsel gather evidence and evaluate potential resolution strategies, including litigation and disclosure. In both cases, the compliance audit is an important tool in giving teeth to a company's contractual anti-corruption compliance requirements.
While more than half of respondents (62%) audit third parties to assess compliance with anti-corruption requirements, only 22% of respondents audit third parties regularly, whether annually (11%) or less frequently (11%). 40% of respondents report auditing third parties only based on triggering events.
Companies predominantly use anti-corruption provisions in third-party agreements, but opportunities exist to tighten agreements
A company's ability to gather information and hold third parties accountable with respect to potential anti-corruption concerns can often hinge on the contractual protections that a company's legal team initially incorporated into its agreements with third parties. While in general most companies (91%) reported using some anti-corruption clauses in third-party agreements, certain contractual provisions that typically support and encourage enforcement of those clauses are not being used by companies.
39% did not include compliance audit clauses, and 86% did not include provisions to shift the cost of failed compliance audits to the third party.
32% did not include provisions to allow termination of a third party in the event of non-compliance.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.