
Article

Due diligence, assessment and ongoing monitoring

Engaging a third party brings inherent risk, so a law department is advised to help its company create a strategy to mitigate that risk.

Typically, a company engages third parties when it enters into cross-border transactions. These third parties help perform key activities to advance the company's interests. They can include—but are not limited to—accountants, advisors, agents, attorneys, brokers, consultants, contractors, distributors, freight forwarders, sales representatives, suppliers, vendors, and other intermediaries and goods and services providers. 

For example, these third parties can assist the company in:

  • Complying with local laws and regulations
  • Interacting with government officials and regulatory agents
  • Obtaining necessary business licenses and permits
  • Understanding a foreign market
  • Moving goods across borders
  • Meeting with customers and developing business
  • Marketing and selling products in a designated territory
  • Sourcing parts and other supplies
  • Performing outsourced functions such as technology, data management, and consumer call center support

Risk of third-party agreements

Third parties pose a significant compliance risk for companies under anti-bribery and anti-corruption laws, such as the U.S. Foreign Corrupt Practices Act of 1977 (FCPA) and the UK Bribery Act 2010 (Bribery Act). Agents and other intermediaries authorized to represent the company pose the highest bribery and corruption risk. Suppliers and vendors can also pose substantial risk involving kickbacks, bid-rigging, conflict minerals, or human rights abuses.

The corrupt activity of a third party can expose the company to criminal and civil liability under U.S. and non-U.S. laws and result in the prosecution of company managers and employees. Corrupt activity by a third party can also harm the company’s reputation and damage the company’s ability to conduct business in certain jurisdictions.

The U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have stated that companies using third parties should perform risk-based due diligence on those third parties based on the risk profile of the proposed relationship. This risk-based due diligence should be part of the company’s overall compliance program to prevent, detect, remedy, and report misconduct.

Risk-based third-party due diligence is also considered one of the minimum requirements for a compliance program to be effective, and it can help the company reduce liability for third-party misconduct (see DOJ Criminal Div. and SEC Enforcement Div., A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition (2020), available at justice.gov).

To determine the extent of due diligence required, the company should conduct a preliminary risk assessment of the third party. A business unit questionnaire is a useful tool for counsel to gather third-party information internally for the preliminary risk assessment.

Performing a preliminary risk assessment

The preliminary risk assessment should follow a written process to identify key risk indicators (also known as risk factors or red flags) and determine the extent of the due diligence required. Information to be gathered should include:

  • The name, addresses, and websites of the third party, including any other names used by it to conduct business
  • The name, title, and contact information of the organization's primary business contact at the third party
  • Information about the third party's shareholders, principals, and key employees
  • A description of the business opportunity that creates the reason for the third-party relationship
  • The services to be provided by the third party
  • How the third party was identified and why it was selected
  • Terms of the proposed business relationship

It is also important to gather any other information about the third party and the proposed business relationship that may help the due diligence process, such as information about the third party's reputation, financial status, or particular issues relating to the relevant market.

Once a risk assessment is performed, in-house counsel can create a risk profile for each third party to conduct due diligence that matches the risk level and the complexity of the relationship. In the 2020 edition of the FCPA Resource Guide, the DOJ and SEC discouraged performing identical due diligence on all third-party agents, noting that such due diligence diverts attention and resources away from third parties that pose the most significant risks.

Performing due diligence

In-house counsel should use the risk profile generated during the risk assessment to inform their due diligence. Using techniques and tools such as questionnaires, requests for documents and other information, interviews, government databases and filings, other publicly available information, and professional due diligence services, they should investigate and confirm:

  • The business rationale for including the third party in the transaction
  • The role of and need for the third party in the transaction
  • The commercial and financial terms of the contract with the third party, such as payment, duration, and location; the reasonableness of those terms; and how those terms compare to typical practices and provisions in the applicable industry and jurisdiction
  • The timing of the third party's involvement in the transaction
  • The qualifications and associations of the third party, including its relationship, if any, with foreign officials
  • The required level of involvement by the third party with governments and foreign officials
  • The existence or absence of any prior ethics or compliance issues involving the third party

If red flags surface, in-house counsel should increase their due diligence efforts to ensure all relevant issues are identified, raised, and appropriately addressed. The organization should use the results of the due diligence exercise to determine whether retaining the third party is appropriate under the organization's compliance obligations and applicable laws or whether it should identify an alternative resource.

Performing ongoing monitoring

The company should also engage in third-party risk management throughout the life of the business relationship. In the 2020 edition of the FCPA Resource Guide, the DOJ and SEC emphasized the importance of ongoing monitoring. Practical suggestions include:

  • Periodically updating initial due diligence results
  • Exercising audit rights
  • Providing periodic training to third-party relationship managers
  • Requesting annual compliance certifications by the third party

The presence or absence of ongoing third-party monitoring will be considered by DOJ and SEC in assessing the effectiveness of a company’s compliance program.
