Risk By Association: Complicance In A Global World

Corporate Board Member
Third Quarter 2014

In a corporate community that is increasingly interconnected around the globe, and one in which geophysical and political boundaries are nearly a thing of the past, it is becoming more important than ever to examine business connections and their potential for liability.

According to Eric Morehead, senior compliance counsel for NYSE Governance Services, an Intercontinental Exchange company, reducing the risk of running afoul of anticorruption regulations globally is becoming more a function of identifying and managing the risk of third parties—inherently one of the most difficult and elusive risk sources to track.

Third parties—distributors, agents, accountants, suppliers, lawyers, the list goes on— have now become one of the leading sources of anticorruption risk, Morehead states. Logically, then, companies that have expanded or are considering expanding into new global territories in just about any conceivable capacity should have their radar tuned to all the ways in which fraudulent or corruptive practices can lurk within their organizational networks.

“Third parties could be anybody your organization does business with or who potentially could represent your organization,” Morehead states. That could be your supply chain or your distribution chain. So you need to take a broad view on which third-party entities are going to be included in your review, Morehead advises, because suppliers could get you in trouble, distributors could get you in trouble, and indeed any agents or representatives could get you in trouble.

Morehead also points out that under some laws, including the U.K. Bribery Act, misconduct isn’t limited to bribery of government officials; it also includes bribery of commercial partners. “So bribes could be happening between your company and some of your commercial partners, which could include your distributors or suppliers.”

The important thing, Morehead says, is to take as broad a view as possible when examining the organization for possible misconduct or violations. While this can make the task seem impossible, he suggests undertaking a prioritization approach, whereby the company ensures that the hottest spots are under the most scrutiny.

“You have to figure out where your risk lies for your particular organization. It’s important to ‘risk-rank’ third parties to make sure that compliance officials are applying the right amount of due diligence depending on the risk that the third parties pose to the company,” he says. “Not every third party is going to bring the same amount of risk.”

Morehead also says international companies need to be aware of the fundamental changes coming out of the Brazil Clean Companies Act, which went into effect in early 2014.

In brief, the Brazilian Clean Companies Act is similar in a lot of respects to the FCPA, but it is a much broader law. Probably the most significant change, Morehead says, is that it invokes strict liability— meaning that an organization doesn’t need to intend to commit an offense or even have “willful blindness” about a third party committing an offense on its behalf for the law to take effect.

“That’s a big change, and that’s much different from the FCPA, U.K. Bribery Act, or any of the other major anticorruption laws that are out there,” he says.

In addition, much attention is being placed on the Brazilian Clean Companies Act because the potential penalties are very stiff compared to the FCPA and other laws. Penalties up to 20% of the total revenue during the time period in RISK BY ASSOCIATION: COMPLIANCE IN A GLOBAL WORLD COMPLIANCE WATCH which the illegal activity occurred have been applied in some cases.

It remains to be seen, Morehead says, how vigorously Brazilian authorities will end up enforcing this law, but it’s something about which any organization either operating in Brazil or engaged in activity that would make themselves subject to Brazilian jurisdiction should be cognizant.

“Anyone who is at all concerned that they may have some point of contact with Brazil needs to pay attention to this and make sure their internal controls and their policies are compliant with the law there,” Morehead says.

This last point, he notes, harkens back to earlier recommendations about managing third-party risk. “Companies should be asking, ‘What’s our process for due diligence whenever we start conducting business with a third-party entity? How do we risk-rank our third parties? How do we conduct due diligence? And how do we monitor them on an ongoing basis?’” In doing so, a company will be able to show it took reasonable steps to stay informed and manage and monitor global operational risk.