Third-Party Risk Management: Implementing a Strategy
The vast majority of corruption enforcement actions involve bribe payments made by third parties, as opposed to those made
directly by employees or officers. Given this fact, a company’s ability to readily identify which of its third-party business partners
represent heightened risk, and then hold those high-risk third parties to a higher standard of care, is a critically important
component of an overall anti-corruption program.
Having a strong, thoughtfully conceived anti-corruption policy is an important
starting point but it is not enough. Organizations need to implement the
underlying procedures and align them with internal controls and their audit
program to operationalize an anti-corruption program. Having a combination
of the right resources with the right skills to collect and parse large volumes of
data regarding third-party business partners – and perform escalating levels
of due diligence investigation for those that represent a disproportionate
degree of risk – as well as a technology solution to manage this overall program,
is often the difference between high-performing programs and those deemed
to be ineffective.
Leading organizations work smart by utilizing the Governance Portal as the
backbone of their anti-corruption program to manage the corruption risk within
their third-party population.
Sustainable Third-Party Anti-Corruption Program
The Governance Portal for Third-Party Anti-Corruption enables companies to
apply a risk-based approach to the third parties with whom and through whom
they do business. The system features the ability to gather third-party data,
analyze and score corruption and other types of risk based on a proprietary
scale, manage work flows, approvals and due diligence investigations, as
well as to continuously monitor these relationships.
Protiviti’s Governance Portal for Third-Party Anti-Corruption
[Diagram: program stages: Scope, Sponsor, Justify; Collect and Certify; Train and Communicate; Score and Contract; Measure and Report]
• Establish a framework of third-party
business partners, automated risk
scoring and detailed due diligence.
• Identify “in-scope” third-party entities.
• Match key sponsors within your
organization to create accountability.
• Develop a set of standard questions to
create a consistent program applied
across your entire organization.
• Automate the data collection process
by deploying surveys to collect information
and data from third-party business partners.
• Obtain “certification” to your anti-corruption
program via an annual survey.
• Train your executives, employees, agents
and business partners regarding your
anti-corruption program.
• Communicate changes to your policies
and procedures with existing vendors and
obtain acknowledgement and certification
regarding your anti-corruption program.
• Develop a standard risk-scoring model
and evaluate third-party survey responses.
• Analyze survey responses and create a
risk scorecard for each third party.
• Identify “red flags” that require further
investigation.
1 A Resource Guide to the U.S. Foreign Corrupt Practices Act (“the Guide”), www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.
The Governance Portal is a market-leading
governance risk and compliance (GRC)
software solution used by hundreds
of clients around the world, providing
visibility and insight needed to manage
and mitigate critical risk and compliance
issues today and in the future.
The Governance Portal:
• Enhances project team efficiency
• Promotes enterprise accountability
• Produces business intelligence
• Optimizes your GRC platform
investment
Protiviti has been positioned as a “Challenger”
by Gartner, Inc. in the September 2013
Magic Quadrant for Enterprise Governance,
Risk, and Compliance Platforms.
“DOJ’s and SEC’s FCPA enforcement actions
demonstrate that third parties, including
agents, consultants, and distributors, are
commonly used to conceal the payment of
bribes to foreign officials in international
business transactions. Risk-based due diligence
is particularly important with third parties
and will also be considered by DOJ and SEC
in assessing the effectiveness of a company’s
compliance program.”1
Gartner does not endorse any vendor, product or service depicted
in its research publications, and does not advise technology users
to select only those vendors with the highest ratings. Gartner
research publications consist of the opinions of Gartner’s research
organization and should not be construed as statements of fact.
Gartner disclaims all warranties, expressed or implied, with respect
to this research, including any warranties of merchantability or
fitness for a particular purpose.