As every compliance practitioner is well aware, third-parties still present the highest risk under the FCPA. The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third-party management. It begins with the following: 

How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

What was the business rationale for the use of the third-parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance process must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements laid out in the 10 Hallmarks of an Effective Compliance Program and the Evaluation. They are:   

1. Business Justification and Business Sponsor;
2. Questionnaire to Third-party;
3. Due Diligence on Third-party;
4. Compliance Terms and Conditions, including payment terms; and
5. Management and Oversight of Third-parties After Contract Signing.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.