Managing Ethics and Compliance Risks Inside and Out

Managing Ethics and Compliance Risks Inside and Out

It is critical to have adequate policies and procedures in place to manage third-party ethics and compliance risks, and to monitor and update them on a regular basis.

Ethics and compliance have been with us at least since Moses and the Ten Commandments. Yet here we are in the 21st century, continuing to make headlines with ethics and compliance breaches leading to unprecedented fines and ever-longer criminal sentences. Investigations of corruption, bribery, fraud and money laundering are increasing while laws and regulations are being enacted or strengthened around the world—even in countries once presumed to be lax—with greater frequency, broader territorial reach and stiffer penalties for violators. Moreover, corporations are now being held accountable, not simply for their own conduct, but for the conduct of third parties with whom they contract.

What does this mean for leaders of manufacturing companies? It means addressing three aspects of corporate ethics and compliance that are critical for success in today’s global marketplace:

  • Establishing and actively promoting a culture of integrity that is evident in every aspect of your company.
  • Ensuring your company has adequate policies and processes in place to manage ethics and compliance risks.
  • Understanding the extent to which you are accountable for the behavior of your business partners and preparing yourself accordingly.
     

Culture of Integrity

Regulators want companies to demonstrate a serious commitment, not merely lip service, to ethics and compliance. Manifestations of this commitment can be:

  • A Code of Conduct that clearly articulates the company’s values and expectations.
  • Demonstrably rewarding those whose behavior reflects the code, whether they are speaking up and raising concerns, or refusing to accept lavish gifts or entertainment offered by influence-peddlers.
  • Demonstrably taking corrective action against code violations, such as conflicts of interest, fraud, or retaliation against people raising ethical or compliance questions in good faith.

A true culture of integrity also involves training and communications that are appropriately designed and evident, incorporating “acting with integrity” in a meaningful way into the performance objectives of managers and employees alike.

Adequate Policies and Procedures

As a strong corporate leader, you must take full and active responsibility for assessing risks based on your particular industry and the regions where your company is active. You also must identify risk areas, such as potential encounters with government officials, and have an effective program in place to manage business partners. This latter point is critical; you must recognize that the perimeter of risk does not stop at your company’s door.

Increasingly regulators in the U.S. and abroad are holding companies and executives accountable for their business partners’ illegal actions. Regulators are now of the opinion that what you can’t do yourself you also can’t do through third parties, and they no longer accept willful ignorance or benign negligence as an excuse. This may be one of the most significant changes in the ethics and compliance arena in recent years.

What You Can't Do Yourself, You Can't Do Through Others

Globalization of business over the past few decades brought with it an ever-increasing dependency on third parties. Today, third parties are positioned along the entire product lifecycle for manufacturing companies, from the earliest design stage to after-market maintenance and repair.

Take for example, an aircraft manufacturer. Third-party engineers support internal teams with the development of early design concepts. Local lobbyists and consultants worldwide lead discussions with potential government and commercial customers to develop a demand profile and influence the regulatory environment. Hundreds of suppliers of raw materials, parts, systems and sub-systems manufacture and assemble aircraft. And scores of third parties may be contracted in regions around the world to assist with business development, sales, distribution and after-market maintenance, repair and overhaul. At each stop along the product’s lifecycle, third parties—and third-party risks—exist.

While companies have made vast improvements in managing risks related to quality, safety, and the timely flow of goods and services from suppliers and other business partners, they have often overlooked or underestimated ethics and compliance risks. Yet recent high-profile compliance cases such as Siemens and SNC-Lavalin show that companies are being held accountable for non-compliance by their business partners.

According to a 2012 survey conducted by Ernst & Young, 90% of actions brought that year under the Foreign Corrupt Practices Act involved third parties. The impact is not only legal and financial; your company’s reputation can be severely tarnished, affecting recruitment, employee morale and retention, productivity, customer loyalty, business continuity, and more.

The international law firm Baker & McKenzie recently surveyed 100 global supply chain executives who ranked “reputation” higher than “cost” as a selection factor for their suppliers. The same survey found that these executives worry more about corruption and other compliance issues of their third-party partners than they do about traditional concerns of quality and on-time delivery.

So what can corporate leaders in the manufacturing sector do to mitigate ethics and compliance risks associated with third parties? Here are some basic questions to ask yourself:

  1. Is it clear what the business partner will do for your company?
  2. What is the expected value the third party will provide?
  3. What geographic scope will the third party have in representing the company?
  4. Will this third party interact with government officials? Most anti-corruption laws have higher standards—and penalties—for illicit business with public officials.
  5. Can you perform this work internally? If so, why do you need a third party?
  6. Is this a new business partner for the company? Do you have existing third-party business partners who could perform the work? If you do, why use a new third party?
  7. Do you fully understand who owns and manages the third-party company? For example, is the company owned or controlled by current or former government officials, or by people closely affiliated with them?
  8. Will the third party act in your company’s name vis-à-vis government officials or other third parties, such as a customs agent or lobbyist, a broker or an agent tasked to obtain licenses or utility services? Or will they interact exclusively with you?
  9. Have you conducted an initial risk assessment and due diligence on the third party? If not, why? For example, is the contract below a company-established level for requiring a risk assessment? And if a risk assessment was performed, is it up-to-date (less than two years old, for example)? Are you comfortable that the third-party risk profile has not changed since the most recent risk assessment?
  10. Following the risk categorization (as high, medium, or low), did you perform adequate due diligence on the third party commensurate with its risk ranking? Low risk may only require basic Internet-driven research. A high-risk third party (such as one in a notoriously corrupt country, or one that will interact with government officials) may, on the other hand, require more intense due diligence, including personal site visits and meetings.
  11. Are there any unusual payment terms, such as success fees or payment locations that would raise questions?
  12. Based on your company’s limits of authority, is it clear who will approve the third party and sign the contract?
  13. Is adherence to your Code of Conduct, or to a comparable set of standards, incorporated in the terms and conditions of the third party’s contract? If not, why not? Are the consequences of violations clearly spelled out?
  14. Is it clear who will be responsible for managing your relationship with the third party? What process is in place to ensure appropriate continuity if your relationship manager moves to another position?
     

Act with Integrity

As you consider all of your 21st century ethics and compliance needs in the global arena, steer clear of the belief that “more is better.” Building a large compliance organization is not the panacea for effectively managing ethics and Compliance risks. Hundreds of compliance officers and shelves stacked with rules won’t help if the culture is not right. You can have an effective and lean ethics and compliance program if you create a culture that makes everyone—including your business partners—aware of their responsibility to act with integrity.

Regulators like to sing the refrain of “tone from the top.” But tone alone can be misleading without action to back up the words. And if the tone and action are coming only from the top without reinforcement from middle management, you will not succeed in instilling a culture of ethics and compliance that is synonymous with a culture of integrity.

Finally, don’t be lulled into complacency by a strong internal culture. It is critical to have adequate policies and procedures in place to manage third-party ethics and compliance risks, and to monitor and update them on a regular basis. As your business expands into other regions and becomes subject to an ever-more complex web of laws and regulations, management of third-party ethics and compliance risks takes on even greater importance. Be ready.

Jeffrey Alan Thinnes is CEO and co-founder of JTI Inc., which focuses on four practice: business expansion and restructuring, corporate communications, public sector strategy, and ethics and compliance. JTI adds value for clients by providing both sound strategy and practical execution, as well as insight into the complexity of the global business environment. Thinnes’ professional experience prior to forming JTI included: vice president of Daimler-Benz’s Washington, D.C., office, with responsibility for trade and investment, public affairs, and strategic communications; vice president of the Aspen Institute in Aspen, Colo.; deputy director of the Aspen Institute in Berlin; and a practicing attorney in Arizona.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish