Recent guidance from the US Department of Justice (DOJ) on the Evaluation of Corporate Compliance Programs provides best practices for assessing the effectiveness of a program, updating the information provided in 2017 and 2019.
The 2020 updates show an increased emphasis on the management of third party risk. What does this mean for corporations?
The updated guidance clearly spells out that “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
Prosecutors must assess whether the corporation continuously monitors its third-party relationships through updated due diligence, training, audits, and annual compliance certifications. Factors that should be evaluated include the presence of risk-based and integrated processes, appropriate controls, relationship management, and whether misconduct is met with actions and consequences.
Other key questions to ask include:
- Does the company engage in risk management of third parties throughout the life of the relationship, or primarily during onboarding?
- Do contract terms accurately describe the work to be done, and is the third party actually completing the work?
- Does compensation align with similar compensation for similar work in the industry and geographic area?
Most companies perform due diligence before contracting with a service provider. But the key to effective risk management is ongoing follow-up, to ensure the controls that were in place when the relationship began remain in place over time, and change as necessary to manage new risks. With MCO's vendor risk management software we automate this process.
Vendors play a key role in the success of your organization, but managing these important relationships brings risks. It’s critical to manage these risks in a way that ensures third-party products and services comply with applicable laws, regulations, and security best practices.
The updated DOJ guidance continues to organize the evaluation of a Corporate Compliance program around three core questions:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
Emphasis was also placed on whether the program is adequately implemented, resourced, and empowered to function effectively.
MCO's Corporate Compliance solution comprehensively addresses the challenges of regulatory compliance and potential fraud through our Know Your Employee and Know Your Third Party compliance suites. Both suites access a central database providing organizations with a compliance “system of record” and allow for easy recordkeeping and reporting.
Ready to learn more about how we can help? Just let us know.