Six degrees of separation and third-party management

Who are your business partners? Not an easy question to answer today when contractors have contractors and subcontractors. Today’s supply chain can look like the aerospace version of six degrees of separation. The web of potential failure points has expanded exponentially, and so have the associated risks.
 

Changing landscape

There are more than 35 global laws in place solely to regulate corruption, and the list is growing daily. The Wall Street Journal recently reported that “more than a half-dozen universities have introduced undergraduate majors, MBA concentrations, and even entire degree programs dedicated to…..global supply-chain strategy.” This, compounded with the fact that more than 90% of the Department of Justice’s anticorruption actions involve third parties, highlights the attention this topic will continue to receive for some time to come. Despite this, only 36% of respondents to a recent NAVEX Global survey indicated that they track information on their most critical third party relationships, while 35% of respondents indicated that they track zero third-party data.

For those that do track information, many rely on manual processes to screen and monitor key partnerships and are struggling to keep up with the volume. According to Rich Becks’ “Addressing Supply Chain Challenges” in the August- September 2014 issue of Aerospace Manufacturing and Design, the average aerospace project can use 6 million parts that come from more than 30 countries and 550 suppliers. Attempting to manage this process through spreadsheets and Internet searches is ripe for error and is a logistical nightmare. In this day and age – where transparency with your key stakeholders, the government, and other contractors is the cost of doing business, and strategic decisions are made at the speed of light – understanding an organization’s geographic footprint is the first step in building a solid foundation for a third party anti-corruption management program.
 

Establishing an effective program

In the NAVEX Global survey, 25% of more than 300 senior level compliance professionals indicated that their 2014 program budgets would expand by 20% to help better manage third-party risk; a clear recognition that third-party risk management is a growing concern. Whether or not you are one of those fortunate enough to secure additional budget, there are key steps you can take to implement and manage a successful program:

Know the supply chain universe. One of the first steps in establishing an anti-corruption process is to fully understand who makes up the third-party universe. Understand distributors, resellers, agents, and others and work with internal partners in legal, procurement, and compliance to compile the most comprehensive list possible. Look for ways to leverage the information in the company’s other systems, such as vendor management systems, to help in the identification process.

Understand the risks. Each organization has risks directly correlated to their industry, business model, and geographic footprint. Conduct a risk assessment or partner with an organization that can conduct one for you. Once risks are understood, prioritize them and map channel partners to those risks for a better understanding of where the organization may be the most vulnerable.

Evaluate the policies. Is there a third-party anti-corruption policy? In addition to ensuring contract language clearly outlines expected behavior for suppliers, it is a best-practice to establish a standalone policy that clearly outlines company expectations from third parties as well as the company’s process for dealing with failures. It is strongly suggested that contractors and subcontractors attest to their understanding of their obligations as this can be invaluable from an auditing and defense standpoint.

While evaluating policies, don’t forget your code of conduct. Make sure it outlines the organization’s expectation that contractors adhere to the spirit of the code. The code should also provide general direction to those with procurement or sourcing job duties and outline who in the organization has ultimate responsibility in ensuring that third parties meet their obligations.

Review the current training model. Do training initiatives align with the risk profile? Consider tying organizational risks to the roles that are most likely to be exposed to the risks. When building the training plan, remember to include the executive team in the process. Key stakeholders often get left out of training initiatives as it is assumed that they already know everything about the business and industry when they do not. The regulatory landscape is changing every day, so provide the executive staff with the information they need to stay informed.

Don’t forget to include contractors and subcontractors in the training planning process. Under the Foreign Corrupt Practices Act and U.K. Bribery Act, third-party training is highly recommended and can actually help to reduce fines and penalties. Despite this recommendation, nearly 47% of companies do no training of their third parties, according to a 2013 report in Compliance Week.

Constantly review and adjust mitigation processes. Once the foundation of the program is established, continue to monitor and reassess it on a periodic basis. As risks change, the third-party anti-corruption screening process will need to change as well.
 

Using technology, management systems

Automation is the key to successful anti-corruption programs. Given the potential number of failure points and the number of contractors and subcontractors in most organizational distribution spheres, technology can handle the volume and screening process at a rate well beyond what manual processes can. Additionally, supporting software to assist in the development, deployment, and certification of policies and procedures, and issue-resolution can be leveraged to ease burdens associated with both tracking and reporting.

The use of automation in third-party screening processes will ensure consistent screening of all parties entered into the system. Third-party anti-corruption systems can serve as a central repository for all contractors and subcontractors, significantly simplifying the audit process. They also allow customized screening parameters and ranking based on the organization’s risk profile and supplier relationship. This is extremely important to those in the aerospace manufacturing and design industry as the questions used in due diligence may need to include elements of the International Traffic in Arms Regulations, government-sanction monitoring, and other aerospace-specific considerations.

In addition to the customization of questions, best practice systems should allow screening for financial checks, watch-list violations, adverse media, or reputational and compliance issues. The system should also highlight critical status changes in a contractor’s risk profile and trigger proactive notifications to system administrators, affording the organization the opportunity to take immediate action. Reporting and audit trail capabilities should also be standard in a third-party anti-corruption management system. Systems should also support multi-lingual capabilities and allow vendors to complete the screening application process via the system. This is of particular importance when dealing with global vendors.

Learning management systems (LMS) can help systematically distribute and track employee and contractor training assignments and completion. These systems allow training to be assigned with the click of a mouse while providing an audit trail for easy reference. Best-in-class learning management systems offer scheduling of automated reminders and reporting options. These systems allow organizations to deploy training in multiple formats – including video, which can be useful in emphasizing key takeaways and driving comprehension.

Policy management systems can be leveraged to develop and distribute policies, a critical step in anti-corruption management. The best systems will allow selected users to create policies and generate approval workflows to ensure visibility and sign-off by executive stakeholders. In addition to tracking changes to policies routing through the approval process, the system can track completion of policy reviews by contractors. The system can also serve as a data repository for contractors and subcontractors, as well as employees, allowing users to access mission-critical reference documents from one centralized location.

Case management systems allow managers tracking third parties to investigate issues that may involve vendors. These systems can facilitate an investigation by capturing interview notes, relevant policies, and its disposition. Best-practice systems are often integrated with LMS, allowing users to quickly identify training completion dates for the accused parties, avoiding the hassle of spending critical time researching training records. These systems will also let administrators quickly identify other cases where the involved parties have been mentioned – essential in spotting trends and repeat offenders.
 

Success criteria

Best-practice third-party anti-corruption management programs are built to expand as the demands in this area evolve. Great programs do not just focus on screening but approach third-party management from a holistic perspective to include risk assessment, policy development, training, and continuing education processes – relying on systems to manage the arduous task of managing their due-diligence processes.

NAVEX Global
www.navexglobal.com

About the author: Diane Brown, vice president and head of operations for the NAVEX Global advisory services team, has more than 16 years of experience in compliance and legal roles. She can be reached at 866.464.1705, 704.301.1903, or dbrown@navexglobal.com.

EMI and RFI filters

An expanded line of mil/aero products includes AC and DC EMI/RFI filters for all current and voltage ratings for 50/60 Hz, 400 Hz, and wild-frequency 330Hz to 880Hz applications.

Designed to meet mil/aero certifications, requirements, and EMI testing – including MIL-STD-461, MIL-STD-220, TEMPEST, and RTCA-DO160 and manufactured in ISO 9001:2008 and AS9100 C registered facilities – these filters offer high reliability in mission-critical applications. They are available with various levels of transient voltage protection options including EMP, HEMP, HERF, and lightning strike.

The filters operate at extended temperatures (-55°C to 100°C), meet MIL-STD-810 for shock and vibration conformance, support MIL-STD-704, MIL-STD-1275, and MIL-STD-1399 power specifications, have demonstrated exceptional mean time between failures, and offer a variety of options to conform to the most complex performance requirements.

Videos from Astrodyne are available at www.youtube.com/astrodynepowersupply.
 

Astrodyne Corp.
www.astrodyne.com