This is the third in a series of postings by Jeff Kaplan on compliance and ethics (C&E) programs and cost. In the second I examined one cost-effective approach to C&E risk assessment, which is to embed risk assessment into training of senior managers. In today’s post I address a related idea: how to embed risk assessment into the process of drafting “third-party” codes of conduct.
Third parties – including suppliers, contractors, agents, consultants and other providers of goods and services – have long been a cause of significant C&E risk, e.g., in some of the major defense procurement cases of the 1980’s (“Operation Ill Wind”), the insurance agent sales misconduct scandals of the 1990’s, and various of the FCPA and financial reporting prosecutions of our decade. Yet despite this history – and, indeed the sheer obviousness of third parties being risk creators – far too few companies take meaningful steps through C&E functions to mitigate such risks, and fewer still undertake a structured effort to even identify what those risks really are.
One opportunity for doing both of these things – identifying and mitigating third party risks, and doing so in a cost-effective way – is to:
o draft a code of conduct applicable to one’s third parties (rather than simply providing them with a copy of the employee code – which can be a confusing and very ineffective form of mitigation for many risk areas); and,
o after preparing a first draft of this code, circulate it to key individuals in the company – particularly those with direct third-party business dealings – and ask for their help in developing Q&A’s and examples relevant to the company’s third parties for each risk area (e.g., gifts, confidential information) addressed in the draft.
In addition to helping to make the final code more effective, this process could itself serve as an important form of third-party C&E risk assessment.