Learn about best practice for due diligence, effective training and communications, and monitoring and review to minimise ABC risks.
On 30th September 2020 Viviane Joynes, Managing Director of the EQS Group’s UK business, hosted the second part of a three-part webinar series, Bribery Act 10th Anniversary – What we’ve learned so far, in partnership with the Forensic Risk Alliance (FRA). Viviane was joined by Jo Morgan, Director of Ethics and Compliance at BT, and Charlie Patrick, Partner at Forensic Risk Alliance (FRA). Together our experts discussed the challenges and best practice regarding the final three of the six adequate procedures – due diligence, training and communications, and monitoring and review.
This article summarises the useful learnings which came out of this discussion.
Direct resources to the highest risk: Compliance teams are very often under-resourced and, as Charlie pointed out, it is most likely that very few of a company’s third parties will actually carry a significant ABC risk. Screening all partners using a one-size-fits-all approach is therefore disproportionately time- and labour-intensive. The best approach is to tailor due diligence to the ABC risk third parties represent.
Create a two-way street between compliance and the business: Ideally compliance should have the final say when it comes to third parties, but this doesn’t mean operating in isolation. Engaging with the business will help educate and forge mutual understanding. In exceptional circumstances, the business may need to work with a third party despite high levels of risk, in which case compliance can work with them to put mitigation measures in place and ensure that these actions are executed.
Adapt to different circumstances: There will be instances when short-notice suppliers are required and an emergency approval process is necessary. This should, however, be rare if compliance is training the business on how to onboard new suppliers and why this is important. At the other end of the spectrum are longstanding partners who haven’t yet been through the due diligence process. They don’t get a pass, and of course the level of urgency depends on their risk rating.
Monitoring and review
1st and 2nd level tests deliver most value: Charlie pointed out that 1st level testing offers the business real-time feedback, and 2nd level testing is a good way to show the business the controls that are in place and how compliance is supporting and adding value to the business. 3rd level testing, which is carried out by internal or external auditors, will always be more of a lagging indicator.
Automate where possible: Testing can be extremely labour-intensive, so any effective automation of 1st and 2nd level testing is advantageous.
Dashboards – effort must be proportional to the result: Everyone loves a dashboard; however, the resources needed to get the right inputs into dashboards are often out of proportion to the value they deliver. Dashboards only make sense when they produce meaningful data and insights, and these should always tie back to the risks identified. While dashboards are very useful, Jo warned not to let them substitute for having proper conversations with business units to identify where risks might be emerging.