INSIGHT: Anti-Corruption and Third-Party Management Controls—Can’t Have One Without the Other

By Patty P. Tehrani, Esq.

We all want to believe we work for organizations that operate ethically, relying on well-defined compliance and ethics programs to support this belief. But even the most robust compliance programs are tested from time to time. These tests often arise in the ongoing efforts to battle corruption in all sectors, both private and public. Bribes, kickbacks, and false or unrecorded transactions all too often become part of the way an organization does business in jurisdictions where this is the norm.

The reality is that with an increasing list of global laws and regulations designed to manage corruption, including dire consequences for non-compliance, organizations must make every effort to comply. The U.S. Foreign Corrupt Practices Act (FCPA), the preeminent anti-corruption law, now sits atop a growing list of expansive anti-corruption and bribery regulatory requirements. Collectively, these efforts have created a rigorous enforcement atmosphere in international business where compliance is not optional but the new norm. And customary practices that at one time accommodated non-compliant behavior must now be retired.

What do organizations have to do to avoid violations of the FCPA and related anti-corruption laws in conducting international business?

The good news is that there are measures your organization can take to avoid corruption risks. Instituting anti-corruption controls under one framework—an anti-corruption program—is an absolute necessity. In doing so, your organization will want to consider some preliminary questions, such as:

  •  Does your organization conduct business in different countries?
  •  Is this business done through your employees or third parties, or a combination of both?
  •  Does your business assess and screen third parties before it engages them to do business on its behalf?
  •  Does your organization have requirements for providing or receiving business courtesies, political donations, or charitable contributions?
  •  Does your organization conduct business that requires permits or licenses to engage in the relevant activity?
  •  Does your organization allow for facilitation payments when obtaining permits, licenses, or other governmental?
  •  Does your organization have a dedicated hotline or email account for reporting concerns and issues for alleged improper activities?
  •  Do any of your training programs cover your organization’s anti-corruption controls and principles?
  •  Has your board of directors or senior executives issued any communications on their support of your anti-corruption controls?
  •  Does your organization have a dedicated group or individual to administer your anti-corruption controls?
  •  Has your organization been sanctioned or involved in litigation involving corruption failures? Have the issues/deficiencies been remediated?

If your organization is not positioned to respond to some or most of these questions, it may be time to work on your anti-corruption controls. While no anti-corruption program can prevent or detect every bribe or other violation, this should not hinder your efforts to institute and maintain effective controls.

Your organization will be in a much better position to manage its corruption and bribery risks and possibly garner points from regulators in the event of enforcement action or other legal liability. Using the Bloomberg Law practical guidance materials on anti-corruption programs is a great start. The materials outline effective program controls that include:

  •  Integration of anti-corruption controls into organizational values, codes of conduct, and business measures
  •  Ongoing commitment and support of the board and senior management
  •  Current and approved anti-corruption policy—including a zero-tolerance policy on bribery
  •  Implementation of anti-corruption controls in documented and robust procedures
  •  Documented risk assessment to periodically identify risks
  •  Accountable anti-corruption program administrator
  •  Maintenance of financial and accounting controls
  •  Periodic training for the board, senior executives, employees, and third parties to maintain awareness on the program
  •  Documented assessment, due diligence reviews, and other measures for engaging third parties
  •  Dedicated channels to report actual or suspected instances of non-compliance
  •  Effective disciplinary measures for non-compliance
  •  Anti-corruption compliance provisions in contracts
  •  Periodic maintenance reviews
  •  Documented risk assessment addressing individual company circumstances
  •  Periodic monitoring and testing of anti-corruption controls to measure effectiveness and identify deficiencies and gaps for remediation

Do organizations have to worry about more than their own employees?

Before you delve into the anti-corruption assessment, make sure to pay special attention to how you manage third-party engagements. No anti-corruption program can truly be effective without robust third-party management controls. Think of your organization’s current operations and its reliance on third parties: vendors, distributors, consultants, lawyers, accountants, independent contractors, agents—the list can go on and on. Some global organizations use thousands of third parties, so just having a current inventory of who they are is a challenge. And delegating responsibilities, and in some cases full organizational functions, to them does not exonerate your organization for their failures.

Your organization can manage these risks and liabilities by standardizing third-party risk and performance management processes. The Bloomberg Law practical guidance library provides materials to help establish a third-party management framework factoring in important principles that cover:

  •  Risk assessment: Consider the level of risk and complexity of the third-party relationship before engagement
  •  Due diligence: Conduct a review of a potential third party before signing a contract to manage the risks posed by the third party
  •  Contracts: Define and document expectations and responsibilities of the parties, the location of services, and liability and dispute issues, among other considerations
  •  Oversight: Manage the risk of the third-party relationship by monitoring:
      •  the quality and sustainability of the third party’s controls
      •  its ability to meet service-level agreements
      •  performance metrics and other contractual terms
      •  compliance with legal and regulatory requirements
  •  Maintenance: Maintain controls through training, tracking changes, monitoring, and testing controls, and scheduled periodic reviews.


Having well-defined controls for anti-corruption risks, including management of third-party relationships, is critical to the long-term success of your organization. Some recommendations to help you launch your efforts:

  •  Make sure you have the commitment and resources from senior executives and the board
  •  Know and assess the risks of your operations—types of business, locations, external parties used or relied upon, and how carried out
  •  Define and develop a plan for remediation factoring in:
      •  Existing controls and deficiencies
      •  Resources—budget, people, processes, and technology
      •  Deadlines and priorities
      •  Objectives and goals
  •  Assign roles and responsibilities and engage stakeholders from across the organization to assure a collaborative process
  •  Institute a communication protocol
  •  Keep stakeholders informed
  •  Report on results, challenges, and issues to senior management and the board
  •  Deliver communications and training to affected staff
  •  Retain records for future reviews
  •  Define maintenance measures to assess controls and update them as needed periodically

Patty P. Tehrani, Esq., is an experienced compliance attorney and has nearly 20 years’ experience in compliance including senior in-house roles at top financial institutions, authoring articles and blogs, and compliance consulting engagements. She has created a series of tools, guides, and reference materials on governance, risk, and compliance functions—including guidance to help establish reputational risk frameworks—available in the compliance-focused practical guidance on Bloomberg Law’s Corporate Practice Center.

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
