
Compliance Risk Assessment and 3rd Party Due Diligence & Monitoring



May, 2011

Advisory Services

(2)

Compliance Risk Strategy – 3rd Party Due Diligence – 3rd Party Auditing

The differing ways in which a company approaches overall compliance risk will have an impact on the implementation of an effective Third Party/Business Partner program.

Compliance Risk Management
• Risk Tolerance
• Go to market strategy

Third Party Due Diligence
• Third Party Population
• Levels of due diligence
• Steps before and after contracting

Third Party Auditing
• When to exercise?
• Scope?

(3)

Many companies are engaged in a complex web of 3rd party relationships and face challenges in developing and implementing scalable, efficient processes to address the risks associated with such 3rd Parties:

Example risk factors:

Regulatory
• Anti-corruption
• Export controls
• Anti-money laundering

Licensing / Contract Compliance
• Recovery of revenues / costs
• Compliance with key terms

Fraud risk
• Grey market / piracy
• Conflicts of interest
• Intellectual property

Resellers

Distributors

Contractors

Sales Agents

Lobbyists

Manufacturers

Value Added Resellers

Joint Venture Partners

Logistics / Supply Chain

Consultants

The current regulatory environment expects, and regulators are increasingly demanding, that companies know who is conducting business on their behalf and the risks associated with doing business with them.

Companies use 3rd party business partners to assist them in various activities including, but not limited to, sales, marketing, consulting and procurement. The sheer number and complexity of such relationships and their roles are sometimes unknown and not part of a Company’s global risk assessment.

A methodology designed to identify, assess, accept, and monitor relationships with 3rd party business partners is a key component of a strong compliance program.


(5)

Business partner compliance framework

Business Partner Data
• ERP systems
• Vendor master
• CRM systems

Approvals & Contracting / Contract amendments

Identify, Consolidate, and De-Duplicate Business Partners

Risk Assessment: Risk Analysis & Rating

Business Partner Risk Classification: Segmented into Low, Medium & High Risk

Perform Due Diligence

Incident response and remediation

Auditing

Continuous Reassessment

Reporting / Monitoring

Control environment and tone at the top

Governance, executive sponsorship, compliance enforcement

Training, policies and change management

Technology, tools and information management

Standardize or systematize using third party databases, industry specific factors, questionnaires, etc.

The following framework is designed to address the key risks related to 3rd party relationships and sets out the potential elements of an

(6)

Partner approval, contracting and continuous reassessment

Approval team reviews evaluations:
+ Head of Compliance
+ Central or Regional Compliance Officer
Local Management

Level of effort: High, Medium, Low

Rejection

Conditional Approval:
• Enhanced internal controls
• Additional monitoring
• Enhanced contractual terms
• Schedule Internal Audit

Further Investigation

Approval

The extent of approval required will depend on the level of risk. Final decisions can include conditions for approval that require enhanced internal controls or monitoring.

Contracting / Contract Renewal / Amendments to T&Cs (e.g. FCPA language, payment terms)

Business partner onboarding should be periodically revisited to ensure there have been no significant changes to the partner profile. This can include: annual re-certifications; updating questionnaire responses every one to three years; or revisiting due diligence procedures as

(7)

Due diligence considerations

Depending on the results of the partner risk assessment, appropriate levels of due diligence should be conducted. The level of due diligence undertaken should be commensurate with the risk exposure:

Example Low Risk Procedures Additional Medium Risk Procedures

• For all business partners, obtain certification from new Business Partner and/or employee requesting partner onboarding

• Consider conducting minimal checks of entity against an industry leading compliance database (e.g. WorldCompliance) or restricted entity listing to identify informative indicators via watch lists, sanctions lists, or PEP designation

• Consider comprehensive surveys (tiered based on level of risk) addressing compliance risk factors, such as ownership structure, compliance history, internal controls programs, etc.

• Amend standard contractual language to reflect appropriate provisions (e.g. FCPA, right to audit clause)

• Consider 3rd party due diligence reports that may include analysis of:
  • Compliance databases and regional-specific business/company/regulatory information databases;
  • English-language and relevant foreign-language media database;
  • Litigation databases across relevant jurisdiction(s); and
  • Commercial open source search engine for any readily-apparent adverse information.

Additional High Risk Procedures

• Consider enhanced 3rd party due diligence reports that, depending on the location of the entity and availability of information, may include:
  • on-site public record searches at government offices, ministries and court houses;
  • reputational and business information interviews with source contacts (diplomatic, commercial, intelligence, etc.);
  • source information assessments of noteworthy relationships to political, military or government officials; and
  • discreet inquiries with commerce officials, local embassies, etc.


(9)

Reporting and continuous monitoring

After a business partner is on-boarded, the business will need to consider ongoing transactional risk. This could include procedures such as:

Evaluating partner data sources (e.g. CRM, POS, ERP) and developing dashboards for monitoring key partner metrics

Periodic reviews of transaction detail to ensure transactions are limited to compliant partners

Monitoring training records for compliance with training requests

Periodic reviews of accounting records, marketing funds / partner incentives and time & expense records

Monitoring Whistleblower/helpline activity for business partner involvement

Monitoring status of onboarding process activities and reviewing outstanding requests

Channel Audits

Investigation into unusual business practices

Changes to T&Cs

Prevent deals with high risk partners

Escalate performance issues to Sales

(10)

Compliance audits with business partner contractual terms

Companies seek to improve their competitive advantage, grow revenues, and reduce development time and costs through their relationships with 3rd parties.

Periodic independent inspections of activities under these contracts can improve the value received. Companies can get more performance from these agreements and maintain their good relationships through effective and sensitive contract enforcement.

Benefits of a robust licensing or contract compliance program include:

Compliance with key terms

Identification of potential revenue leakage / incremental revenue

Enhanced 3rd party relationships / trust and increased communication

Improved predictability of future payments / enhanced reporting controls

Improvements to the drafting of future contracts

Partners / Channel understands you take contractual terms seriously

Flushes out contract language misinterpretations, side letters, etc.

Provides better understanding of the customer base usage and compliance

Identify key contracts & terms

Analyze data

Validate reporting and present findings

Counter-party site inspection

(11)

Contacts

Patricia Etzold

Partner - Forensic Services

New York

Tel: 646 471 3691

Cell: 732 261 1992

E-mail: patricia.etzold@us.pwc.com

Ryan Murphy

Director - Forensic Services

Chicago

Tel: 312 298 3109

Cell: 773 251 3946
