2023 Global compliance risk benchmarking survey

In collaboration with

KPMG

Industry perspectives on the state of compliance today and effective strategies for managing compliance risk within the changing regulatory landscape

Introduction

Darryl Lew
Partner
White & Case LLP
T: +1 202 626 3674

Matthew McFillin
Partner, Forensic Services
KPMG LLP
T: +1 267-256-2647

In today's fast-paced and interconnected world of global business, a robust and comprehensive compliance program is not merely a choice, but a critical imperative for any organization.

Drawing on the opinions of 201 senior decision-makers from more than 30 countries, White & Case LLP and KPMG LLP's "2023 Global compliance risk benchmarking survey" offers powerful insights into compliance practices across industries worldwide and the strategies companies employ to manage their compliance risks—from anti-corruption risk assessments, third-party management and employee risk awareness to environmental, social and governance (ESG) practices and cybersecurity.

Among the key findings are the importance of regular anti-corruption risk assessments and robust third-party management practices—essential components for creating a culture of compliance and transparency.

Use of data analytics is gaining momentum in compliance programs, though many companies are still in the developmental stage. Testing anti-corruption programs for effectiveness is crucial, as is consistent measurement of hotline awareness and effectiveness, along with addressing employee concerns about hotline integrity.

ESG has increasingly become an area of focus, but our respondents reveal a lack of consistency in addressing ESG risks. This inconsistency in approach can hinder the effective implementation of organization-wide policies and procedures and lead to uncertainty among employees. Clearer guidance and communication are essential in navigating the complexities of ESG and ensuring successful integration into business practices.

Looking ahead, cybersecurity takes center stage as the top compliance priority for the next 12 months, as safeguarding sensitive data and proactively addressing digital threats become more important than ever.

By proactively addressing these compliance challenges, organizations can ensure ethical business practices, mitigate risks and safeguard their reputation in an increasingly complex regulatory environment. We hope you will find our "2023 Global compliance risk benchmarking survey" an insightful read.


Global compliance risk benchmarking survey: Third-party management


Key Takeaways

01 Compliance teams under pressure to approve heightened risk third parties

02 Compliance policies and procedures related to third-party risk management gain traction

03 Most companies perform risk-based diligence on third parties both at the beginning of the relationship and periodically thereafter

04 Most companies have Compliance and Ethics teams involved in reviewing and approving potential third parties

05 Only a minority of companies require anti-corruption training for third parties

06 Opportunities exist to tighten contractual anti-corruption protections and strategies

Approximately 90% of Foreign Corrupt Practices Act (FCPA) enforcement matters between 1978 and 2023 identified a third-party intermediary, such as a sales agent, consultant or distributor, as part of the bribery scheme.[1]

Under the FCPA, willful blindness or awareness of a high probability that improper payments are being made by a third party may be interpreted as knowledge of a corrupt payment and provide the basis for liability for companies and individuals.

The behavior of third parties is also highly relevant under the laws of other countries. For example, under UK law, companies are liable for bribery offenses committed by their "associated persons." These are people who in any capacity provide services on a company's behalf. Liability is strict, and a company's only defense is to show that it had in place adequate procedures to prevent the commission of the bribery offense. The role of compliance in third-party risk management is therefore critically important to the overall effectiveness of a company's anti-corruption compliance program.

Respondents indicate that companies employ a variety of contractual anti-corruption protections and strategies. The most commonly used anti-corruption compliance provisions in third-party agreements are anti-corruption compliance representations and warranties (64%) and the related audit (61%) and termination (66%) rights. More than half of respondents (56%) also contractually require third parties to cooperate with compliance inquiries. But only a small minority of companies (14%) include provisions to shift the cost of failed compliance audits to the third party.

Compliance teams report feeling pressure to approve heightened risk third parties

11% of respondents reported they have been pressured to approve the engagement of a third party presenting an unacceptable corruption risk, with 9% reporting that it happened more than once or with more than one third party.

Compliance policies and procedures related to third-party risk management are gaining traction

Most respondents (87%) have written policies regarding employee engagement/interaction with third parties.

Almost three-quarters of respondents (74%) have a code of conduct for third parties, and two-thirds (66%) of those respondents require third parties to attest to their compliance with the code of conduct or similar policy.

More than half of respondents (53%) do not require third parties to complete anti-corruption training.

The majority of respondents (85%) perform risk-based compliance diligence on third parties.

While 91% of respondents include some form of anti-corruption provision in their agreements with third parties, 39% of respondents do not use audit clauses in written agreements with third parties with a heightened risk profile, and 20% do not conduct compliance audits on third parties.

Most companies are performing risk-based diligence on third parties both at the beginning of the relationship and periodically thereafter

Most respondents (85%) report that their organizations perform risk-based compliance diligence on third parties.

Of these, more than half (55%) said that they perform risk-based diligence on third parties before contracting with them and also periodically thereafter, whereas the remaining 30% stated that risk-based diligence only takes place before contracting with third parties.

While 85% or more of companies across most industries reported performing risk-based compliance due diligence on third parties, the consumer & retail industry was an outlier, with only 45% of respondents reporting doing so.

At most companies, Compliance and Ethics teams perform compliance diligence

Enforcement authorities pay attention to the methods companies use in performing compliance due diligence, as well as the personnel who are responsible for performing it. Authorities generally expect to see involvement from the second line of defense in performing diligence, as business units may not have the expertise to assess third parties or the independence to reject them on compliance grounds. Authorities also consider whether information received from third parties and business teams on questionnaires is corroborated using independent sources, such as public records searches.

Most respondents (57%) reported that their Compliance and Ethics teams perform third-party compliance diligence. While 42% of companies involve the relevant business unit in conducting compliance due diligence, 14% said that they only use the relevant business unit for compliance diligence. A further 15% of respondents did not know who performs compliance diligence at their company.

Just under one-quarter of respondents (24%) outsource third-party compliance diligence to an external vendor.

Responses show that a majority of companies consider multiple sources of information as part of compliance diligence. Leading methods for screening potential vendors include using questionnaires completed either by the third parties (62%) or in-house (40%), as well as public records/media searches (63%).

Most companies have ethics and compliance teams involved in reviewing and approving potential third parties

While nearly two-thirds of respondents (65%) reported that their Compliance and Ethics function has a defined role in reviewing and approving potential third parties, more than one in five (28%) respondents stated that their Compliance and Ethics function does not have one.

Among companies that define a role for Compliance and Ethics teams in approving third parties, 47% do so based on the third party's risk profile, while 18% indicated that this function reviews all potential third parties irrespective of risk.

While the vast majority (75%) of respondents reported that their Compliance and Ethics function is authorized to prevent the engagement of a third party, a minority (15%) said this function lacks that authority.

A minority of companies require anti-corruption training for third parties

Anti-corruption training is generally viewed as an important tool to ensure third parties understand their obligations under applicable laws and relevant contract clauses, and to reinforce the consequences of non-compliance. These findings indicate room for growth for companies to enhance their approach to third-party risk management.

Less than one-third of respondents (30%) require third parties to complete anti-corruption training, while more than half of respondents (53%) do not require such training.

Among the 30% of respondents that require third-party anti-corruption training, 75% require third parties to complete their own organization's anti-corruption training.

Less than one-quarter of companies perform regular compliance audits on third parties

Third-party compliance audits are an emerging area of focus for compliance leaders and enforcement authorities. They can have particular importance in jurisdictions such as the UK, where a company can face criminal liability for failing to prevent bribery by third parties performing services for or on its behalf. When performed proactively, compliance audits can help companies increase awareness of compliance requirements and deficiencies among third parties and help prevent serious incidents of non-compliance before they arise. When performed reactively in response to a triggering event, these audits can help company counsel gather evidence and evaluate potential resolution strategies, including litigation and disclosure. In both cases, the compliance audit is an important tool in giving teeth to a company's contractual anti-corruption compliance requirements.

While more than half of respondents (62%) audit third parties to assess compliance with anti-corruption requirements, only 22% of respondents audit third parties regularly, whether annually (11%) or less frequently (11%). 40% of respondents report auditing third parties only based on triggering events.

Companies predominantly use anti-corruption provisions in third-party agreements, but opportunities exist to tighten agreements

A company's ability to gather information and hold third parties accountable with respect to potential anti-corruption concerns can often hinge on the contractual protections that the company's legal team initially incorporated into its agreements with third parties. While most companies (91%) reported using some anti-corruption clauses in third-party agreements, certain contractual provisions that typically support and encourage enforcement of those clauses are not being used:

39% did not include compliance audit clauses, and 86% did not include provisions to shift the cost of failed compliance audits to the third party.

32% did not include provisions to allow termination of a third party in the event of non-compliance.

[1] Third-Party Intermediaries Disclosed in FCPA-Related Enforcement Actions, Foreign Corrupt Practices Act Clearinghouse, Stanford Law School, https://fcpa.stanford.edu/statistics-analytics.html?tab=4 (last visited June 9, 2023).

© 2023 White & Case LLP