Identify and Understand Your Third-Party Population (Part IV of V) | The Volkov Legal Group
This is a daunting task at the outset: identify all of the third-party partners your company does business with. For large global companies, this is not an easy question. Some companies do not have an easily accessible list or an understanding of the size and scope of their third-party population. This can be a first obstacle in itself.
The first step usually involves some kind of list of third parties – often on an Excel spreadsheet. Good luck, that’s another challenge.
With this list, I’m looking at several ways to slice and dice the population.
First, I would suggest excluding third parties that are involved in the sales side and that the sales side typically interacts with on a regular basis.
Second, I usually categorize the supplier/seller side into categories.
Most companies initially divide their seller/supplier side into two broad categories: direct and indirect sellers/suppliers.
Direct sellers are those who provide the raw materials and other inputs needed to manufacture specific goods. Indirect providers are those who provide other categories of services, including professional services, customs or export logistics, administrative services, consulting and other relevant indirect categories.
Defining each category takes time and needs to be coordinated with the business so that the categories are familiar and understandable to the business. To build a defined classification system, legal and compliance departments need to understand exactly how the business operates – on the sales, supply and manufacturing side. Most CCOs find the process of understanding and classifying the third-party population to be educational and informative.
Once the categories have been defined and assigned, it is important to identify the potential risks: operational, legal, cyber and other specific factors. From an operational point of view, third parties should be classified according to their overall importance in the supply or distribution chain. An exclusive distributor in a country or region will have a significant weight in a risk score, as will a supplier responsible for delivering a critical input. As part of this overall analysis, sales and purchasing managers should coordinate and support compliance or provide access to relevant information on these issues.
In addition to the operational risk factor, the compliance team should review and identify legal risks – anti-corruption, money laundering, antitrust, sanctions and export control, and cyber risks. As part of this investigation, it is important to collaborate with other functions, including trade compliance, procurement, sales channel managers and information technology, in defining and assessing these risks. This partnership brings together legal and compliance experts to assess the importance of specific risk factors and strategies to uncover those risks.
We know all the usual questions to consider — the business case for engaging a third party; the specific role of the third party and the need for the third party; the beneficial owners of the third party; the reputation of the proposed third party; the terms of remuneration, invoicing and payment proposed; the nature of the legal relationship between the company and the third party (i.e. whether the third party represents the company before government officials); the third party’s reputation for ethics and compliance; computer systems and cyber protection of data stored and transmitted by the third party; and the third party’s existing ethics and compliance program.
Although everyone is familiar with this list of information, the key question is how to use this information to assess specific risks. Anti-corruption risks extend to situations where a government official or close family member retains an ownership interest in the third party. Sanctions risks may require consideration of beneficial ownership interests as well in order to apply the 50% rule. And, of course, any relationship with a third party could lead to reputational risks.
The third-party population presents a unique set of risk factors that are often separated by geographic issues, types of third parties, expectations of interactions with government officials on behalf of the business (i.e. representative) and annual revenue as a proxy for the number of interactions and the level of risk. Again, some of these basic factors need to be weighed against the specific risk – vendors and suppliers located near North Korea, for example, create material sourcing risks from North Korea as part of the company’s supply chain. Companies operating in countries with a high risk of corruption or in high-risk sectors create a very different risk profile than those operating in low-risk countries.
Conducting due diligence for integration purposes is not scientific inquiry. This requires discretion and the exercise of judgment. There are hard and fast rules, but more often than not the company must apply its own risk tolerance to issues that strike a fine balance. The onboarding process should include appropriate follow-up requests and documentation requirements (e.g., beneficial ownership statements when questions surround legal owners).