Introduction to 3rd Party Risk Management - a podcast by Thomas Fox

from 2021-01-31T22:10:42.023393


Over the month of July, I will consider the risk management of third-parties in an operationalized compliance program. As every compliance practitioner is aware, third-parties still present the highest risk under the FCPA. You must assess whether the company has a business rationale for needing the third party in the transaction, and the risks posed by third-parties, including their reputations and relationships, if any, with foreign government officials. You should ensure that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Finally, you must engage in ongoing monitoring of the third-party relationships, through updated due diligence, training, audits, and/or annual compliance certifications by the third party.

A well-designed compliance program should apply risk-based due diligence to its third-party relationships. As the DOJ noted, “the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.” This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party management.

1. Business Justification;
2. Questionnaire to third-party;
3. Due diligence on third-party;
4. Compliance terms and conditions, including payment terms; and
5. Management and oversight of third-parties after contract signing.

I will be exploring each of these steps in detail, so you will be able to fully operationalize your third-party risk management program.

Three key takeaways:

1. Use the full five-step process for third-party management.
2. Make sure you have Business Development involvement and buy-in.
3. Operationalize all steps going forward by including business unit representatives.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com. 
