Managing third party and counterparty relationship risks
August 2013 | 10QUESTIONS | RISK MANAGEMENT
FW speaks with Melvin Glapion, a managing director at Kroll, about managing third party and counterparty risks.
FW: Could you outline some of the major risks that can emerge from third-party and counterparty relationships in today’s business world? What red flags should firms try to identify?
Glapion: The risks are actually very much dependent upon the jurisdiction and the sector you are operating in. Many of our clients are exploring those less talked about countries in Sub Saharan Africa, South East Asia and the Middle East. The issues are highly dependent upon the nuances in each country and the nature of the business relationships. I would point out that the three key risks I see most regularly are the involvement of a Politically Exposed Person gaining an unfair advantage; the legal requirement to have a local partner to conduct business in the country; and the lack of clear and transparent legal structures. The key red flags to look for therefore involve some degree of risk in each of these. I advise clients to not only know their counterparties, but know their counterparties’ network of relationships. In many of these countries, a level of government involvement is a necessity. However, if that relationship veers into a quid pro quo situation, it’s dangerous. This is further exacerbated by the fact that many of these countries have strict requirements that local parties are involved. Knowing how these parties came to your attention, what the nature of the relationship is, and what level of control and oversight you have allows you to put mitigations in place. Finally, gaining an understanding of what you can do now, contractually or otherwise, to avoid being at the mercy of an unclear legal system is critical.
FW: What particular risks can emerge in relation to a company’s supply chain? How can supply chain delays be minimised and supplier compliance maintained?
Glapion: Now that suppliers have become so integrated and intertwined in the way companies conduct business, the problems of our client’s suppliers become our client’s problems as well. The issues here are not always around corruption or bribery, although it happens. The bigger issues are around environmental, social and governance issues. Take, for example, the recent garment factory fire in Bangladesh. The tragedy there had a significant reputational impact on a number of Western clothing retailers. The same can be said for the UK horsemeat scandal. A deep understanding of your supply chain is just as critical as understanding your third-party relationships. Best practice is to fully understand who the suppliers are and ensure that suppliers are not just agreeing to abide by your codes of conduct and your service level agreements, but also ensuring that you have audit rights to inspect how well they are living up to those commitments.
FW: Is there any advice you can give to firms on implementing and maintaining robust monitoring systems? To what extent can this be customised for the type of third parties they will be dealing with?
Glapion: Well, your question implies that most people are actually doing some form of monitoring. We have not found this to always be the case. I would say that firstly, there should be some level of monitoring by all companies. Monitoring itself should be done with a risk-based approach, concentrating the most amount of resource on those parties that are deemed most risky. Monitoring should be done systematically. There should be clear guidelines on who is monitored and why. Once the subjects have been determined, a clear scope for each level of monitoring should be applied. Keep in mind that the monitoring interval should also be considered in the context of the perceived risk. Finally, data on the monitoring process should be collected to determine whether the system is fit for purpose. Key questions to consider are: Have we properly defined the categories of who should be monitored? Have we defined the correct scope and frequency? What have we missed and why? Have we taken a consistent approach to issues that arise and if not, why not?
FW: With regard to processes and systems, should firms avoid taking the word of their third-party partners at face value? What steps should they take to verify the adequacy of their partners’ systems and processes?
Glapion: One of the most difficult conversations I have with clients is often around their communication to third-parties about the due diligence process they are looking to conduct. There seems to be an overwhelming sense of concern that the process could be viewed as offensive or invasive, particularly in certain parts of the world. I understand the concern, but I also see the other side—what happens when a client is facing an investigation by a regulatory body due to actions taken by a third-party. So, no, I would say do not take the information at face-value. Your company, its directors and its reputation are on the line. Make sure that what is agreed in principle is undertaken in practice. Audit systems, processes and people just as robustly as you do you financials. Eventually your ability to manage the systems, processes and people – internal and external – will show up in your financials, for better or worse.
FW: Drawing on your experience, can you highlight any notable failures in managing third party and counterparty relationship risks? What went wrong in those circumstances and what can firms do to ensure they do not end up in a similar situation?
Glapion: I just completed an engagement with a listed company that had spent 24 months defending against multiple corruption charges. Over the course of those two years, the firm lost over half of its market capitalisation. The key lessons I take away from their experience are common to many firms we work with. First, the company leadership assumes that its annual compliance training and letter from the CEO is being filtered down and fully understood by its third-parties. Second, the risk team assumes that an initial positive due diligence investigation is relevant several years later. Third, the business sponsors exert varying levels of pressure on internal staff to get the third party approved. Fourth, auditing is assumed to be far too invasive.
FW: Could you identify particular risks associated with third parties in emerging markets? To what extent do these regions present a heightened risk?
Glapion: I think here is where the issue of required local partners becomes most relevant. Many countries are mindful of the fact that they want to develop the knowledge base locally and they want to ensure a level of local participation. More often than not though, it is in these circumstances where PEPs or people working for PEPs approach Western companies. In many cases the arrangement is not a violation of FCPA or UK Bribery Act, but it’s critical to fully understand the nature of the relationship, how the local partner is paid and if it can be determined that such an arrangement is a form of kickback to a PEP. It’s not just enough to say this is a local requirement. You need to take steps to ensure that the relationship and the payment process are structured in a way that sufficiently mitigates the risk of bribery and corruption.
FW: What steps can firms take to overcome legal and cultural barriers to the monitoring process when working with third parties in emerging markets?
Glapion: I think a number of firms balk at even asking the tough questions for fear of upsetting partners. In my experience, most of the people you are likely to deal with have some knowledge of Western due diligence processes. They may not necessarily like it and in many cases they will try to avoid having to go through some of the processes, but the process is not unusual and it’s becoming less and less a cultural issue. The legal issues are a bit more of a challenge. It is helpful to understand what limitations are in each country and adjust for these. However, in my experience, the legal challenges require more time and patience than the cultural ones.
FW: In what ways can due diligence and relationship management service providers reduce third-party risk, and how should firms decide on which providers to engage?
Glapion: Our work involves coming to an understanding of the individual third parties and their wider relationship networks. We conduct several thousand investigations into third parties each year from the London office alone. We specialise in this work and as such have a defined approach to conducting reputational due diligence and probity checks. We also benefit from having relationships with consultants in just about every jurisdiction. We are also independent in our approach. While we are engaged by the client organisation, the report is written by professionals at our firm and we are not under pressure from the business sponsors to slant our findings one way or the other. I think firms looking to engage with similar organisations should consider a few things before deciding whom to engage with. They should know what they want to do internally and what they want to have done by consultants. They should know what level of scope they are looking for – public records only is not always sufficient in emerging markets. They should look for firms with a global presence, a process for gathering and managing human intelligence and a reputation for doing it well.
FW: How are regulatory and legislative changes influencing the way companies deal with third parties and counterparties? Do you foresee any regulatory or legislative change in the near future?
Glapion: Well, the recent FCPA fines and penalties combined with the introduction of the UK Bribery Act have already prompted firms to put in place the systems and processes for evaluating, risk assessing and investigating third parties. The next level of effort has begun with companies now starting to enforce their audit rights. I think the next challenge will be the regulatory and legislative changes that are coming from the emerging market countries themselves. In fact, many of them already have laws in place, but do not actively enforce them – for example, Nigeria. The most recent example of how this is becoming increasingly relevant is the case of GlaxoSmithKline in China. Expect more of these types of issues where multinationals are faced with complying with a host of laws in emerging markets with no promise of harmonisation of these statutes.
FW: What general advice can you offer to firms on managing third party and counterparty risks? What are your wider predictions for the next 12-18 months?
Glapion: I think the best advice is to know your third parties as well as you can. It is not just a matter of compliance; it’s a matter of financial and operational success. My view for the next 12-18 months is that we will not only see more emerging markets countries enacting laws that will require a deeper understanding of third parties, but that those same countries will enact stronger data protection policies. For example, Singapore and the Philippines in the last 12 months, with Malaysia soon to follow. The two will make the challenge that much more difficult for companies interested in complying – there will be the legal requirement to know your third parties, plus the added challenge of making some information much more difficult to retrieve. Publicly available information is becoming less public at a time when we need to know so much more about our third parties.
Melvin Glapion is a managing director at Kroll, leading a team of subject matter experts in the London office. He has over 16 years’ experience of M&A, corporate strategy and financial analysis, leading multi-disciplinary and multi-jurisdictional teams in conducting cross-border market entry, due diligence and competitive intelligence engagements. He can be contacted on +44 207 029 5313 or by email: firstname.lastname@example.org.
© Financier Worldwide