MANAGING THIRD PARTY RISK: CHECKLISTS

Each indicator is scored in the columns: Indicator | Y | N | Unclear | In plan? | Comment | Ref no:

The Enabling Environment

Governance and commitment to integrity

1. Is there a procedure to ensure board oversight and accountability for third party anti-bribery management?
2. Is responsibility for oversight and governance of third party anti-bribery management assigned to a board committee?
3. Do the board and senior management demonstrate the company's commitment to third party anti-bribery management through tone-from-the-top?
4. Does the company have a procedure to monitor anti-bribery and other relevant laws related to third parties?
5. Is the board regularly informed of requirements and changes in laws related to third party anti-bribery management?

Organising for anti-bribery management

6. Has a senior executive been given clear overall responsibility for third party anti-bribery management?
7. Is there an integrated or coordinated approach across the company for third party anti-bribery management?
8. Has the company clearly assigned responsibilities for third party anti-bribery management to support functions (e.g. finance, legal and compliance)?
9. Do the procedures for third party anti-bribery management involve cross-functional working?
10. Has the company clearly assigned responsibilities for anti-bribery management to third party relationship managers?

Building trust in your relationships

11. Is the company's approach one of building trust and constructive relationships with third parties?
The Third Party Anti-Bribery Framework

Identification

12. Has the company defined and identified the forms of third party and the scope of its third party anti-bribery programme?

Risk assessment

13. Has the company implemented a procedure for identifying and prioritising the risks and risk factors attached to third parties?
14. Are the internal risks attached to third party management included in risk assessments (e.g. kickbacks to employees, use of third parties to channel bribes)?
15. Are the results of risk assessments used to design and improve the anti-bribery controls for third parties?
16. Is there a systematic procedure for the engagement of all third parties applied consistently across the company?
17. Is a business case required before the engagement process can begin?
18. Are there thresholds of authority for approving the business case?
19. Are all third parties under consideration for a contract or business relationship required to complete a pre-qualification questionnaire (PQQ)?
20. Is there a procedure for review of the completed pre-qualification questionnaire?
21. Does the company inform prospective third parties on its process for engaging and working with third parties, including its anti-corruption commitment and practices?
Due diligence

22. Are potential and existing third parties assigned to a risk category using risk factors identified during risk assessment?
23. Is there a systematic process for conducting due diligence on third parties?
24. Is the due diligence carried out proportionate to the risks posed by types of third parties, with a focus on those of highest risk?
25. Do the due diligence checks include the following external checks?
    - Detailed business profile
    - Media and social media screening
    - Checks of open source information and databases
    - Search of watch and sanctions lists
    - External data and audit providers (e.g. Sedex, TRACE)
    - Background checks on key people
    - Politically Exposed Persons (PEPs) check
    - Credit and other financial checks
    - Bank references
    - Due diligence report by external consultant
    - Audit of books and records
26. Do the due diligence checks include obtaining the following from the third party?
    - 3P questionnaires tailored by risk category (including evidence of policies and procedures, an adequate anti-bribery programme, facilities, track record, expertise, etc.)
    - Customer references
    - Disclosure of conflicts of interest and related risks (e.g. familial connections to PEPs)
    - Evidence of good practice compliance (e.g. independent anti-bribery audits or certification against ISO 37001)
    - Information on governance, values, code of conduct, anti-corruption programme and policies, and public reporting
    - Information on beneficial ownership
27. Do the due diligence checks include the following methods?
    - Face-to-face meetings with key contacts and management
    - Interviews of CEO/senior management, including discussion of any concerns and red flags
    - Meetings with the key business associates of the third party (e.g. joint venture partners, consortia, key contractors)
    - Site visits
    - References and testimonials from local sources (e.g. embassies and high commissions, business chambers, NGOs and opinion formers)
28. Is there a procedure to assess that any proposed fees and other contractual considerations are appropriate and justifiable for the services to be rendered?
29. Is information obtained from the relationship manager, employees who interact with third parties, buyers, business units and local management?
30. Is there a procedure for mitigating risks identified through due diligence?
31. Is the decision to proceed with an engagement dependent on there being a satisfactory due diligence report?
32. Is the legal/compliance function required to approve due diligence reports for medium and high risk third parties?
33. Is there a procedure to properly document due diligence reviews?
Contract

34. Is there a procedure for initiating contracts with all third parties?
35. Does the company do the following before entering into contract negotiations with a third party?
    - Discuss its model and expectations for working with third parties
    - Provide tailored documents according to the form of third party and assigned risk category (e.g. code of conduct, business conduct guidelines, and standard terms)
36. Does the company provide model contracts to standardise anti-bribery terms and requirements across the company?
37. Is there a procedure for renewal of third party contracts after a defined period?
38. Is there a procedure to tailor contracts to comply with local anti-bribery laws?
39. Do contracts with third parties include the following standard terms?
    - Requirement to implement an adequate and proportionate anti-bribery programme
    - Right to be informed of use of subcontractors and the procedure to be followed
    - Commitment to complying with relevant anti-bribery and corruption laws
    - Requirements for countering specific corruption risks (e.g. small bribes, dealings with public officials)
    - Specification of who in the third party is responsible for the anti-bribery programme
    - Warranty that no public official or a close relative of an official is associated with the third party, whether as an investor, officer, employee or shadow director
    - Warranty that the third party is not or has not been the subject of an investigation, settlement or conviction for bribery or other form of corruption
    - Terms for fees and commissions (e.g. jurisdiction for payments, prohibition of cash payments/payments to off-shore accounts, and requirements for supporting documentation)
    - Commitment to maintain accurate books and records available for inspection by the company or its representatives
    - Audit rights (tailored to comply with local laws)
    - Immediate notification in writing of suspicion of or an incident of bribery
    - Provision for cooperation with authorities in the event of an investigation
    - Right to terminate in the event of suspicion of or an incident of bribery, and where there is evidence of an inadequate anti-bribery programme
    - Provision for regular performance reviews related to the anti-bribery programme
    - Terms for renewal of the contract
40. Where due diligence shows that a joint venture or consortium does not have an anti-bribery programme consistent with that of the company, is there a procedure to establish contract protection?
Management

41. Is there a policy to implement the company's anti-bribery programme in all business entities over which it has effective control?
42. Where the company does not have effective control of a joint venture or consortium, is there a procedure to communicate the company's anti-bribery programme to the other entities in the venture and encourage them to adopt a programme for the venture consistent with its own?
43. Where the company is unable to ensure that a joint venture or consortium has a programme consistent with its own, is there a procedure requiring a plan to exit from the arrangement if bribery occurs or is suspected to have occurred?
44. Are dedicated anti-bribery documents provided to third parties (e.g. tailored code of conduct, business conduct guidelines, advice and speak up guidance)?
45. Does the company communicate clearly to third parties the sanctions for violations of its programme?
46. Is tailored anti-bribery training given to employees who manage or interact regularly with third parties?
47. Is regular tailored training given to high risk third parties?
48. Is regular tailored training given to high risk lower tier third parties?
49. Is tone-from-the-top used to reinforce third party training?
50. Are advice and speak up (whistleblowing) channels provided for use by third parties?
51. Are metrics and actions related to use of these channels reported to management and the board?
52. Is there a procedure for managing incidents or allegations of bribery related to third parties?
53. Does the procedure cover self-reporting to the authorities?
54. Does the procedure provide for protection of data on third parties involved in a bribery incident?
55. Is there a procedure for terminating third parties?
Monitoring

56. Are all third parties required to complete an annual questionnaire updating basic information about their company (e.g. ownership, acquisitions, annual report)?
57. Does the company require annual certification from a director or the chief executive of high risk third parties that:
    - The anti-bribery programme is implemented and has been subject to review during the year
    - There have been no bribery incidents during the year
58. Does the company require annual certification from business unit managers or country managers that the third party anti-bribery programme has been implemented for high risk third parties?
59. Are there internal controls to ensure the following?
    - Compensation paid to agents, lobbyists and other intermediaries is in accordance with contracts
    - Compensation paid to agents and other intermediaries is paid through bona fide channels
    - Payments are made only in jurisdictions where third parties are based or operate
    - Payments to third parties are not made to off-shore accounts
    - Appropriate and enforced thresholds and countersignatures for approvals of contracts, payments and transactions
    - Checks that the third parties' controls match those of the company
    - No cash payments and strong petty cash controls
    - Segregation of duties
    - Invoices for payments are supported by full documentation
    - Activities invoiced conform to the company's policies for hospitality, travel expenses, gifts, donations, sponsorships and small bribes ('facilitation payments')
    - Additional scrutiny of payments for high risk expenses (e.g. visas, customs, taxes, government certificates, licences, bonuses, commissions, gifts, entertainment, travel, donations, marketing)
60. Is a procedure implemented to exercise audit rights and carry out audits as follows?
    - On high risk third parties periodically
    - On any third party where there is a significant bribery concern
    - Including on-site visits as an integral part of audits of high risk third parties

Review and evaluation

63. Is there a procedure to review the implementation of the anti-bribery programme for third parties?
64. Are KPIs and targets set for implementing the anti-bribery programme?
65. Are KPIs discussed with stakeholders to ensure they meet material interests and expectations?
66. Does the company have a procedure to record all incidents, whistleblowing concerns and identified red flags, and the steps taken to review and mitigate issues and improve the anti-bribery programme?
67. Are the results of monitoring and audits reviewed regularly by senior management?
68. Does senior management make regular reports to the board on the implementation of the third party anti-bribery programme?
69. Is there a procedure for continuous improvement of the programme?
70. Does the company benchmark its anti-bribery programme for third parties?
Public Reporting

71. Does the company publish its code of conduct and policies and procedures for working with third parties?
72. Does the company report on its procedures for managing third parties?
73. Does the company report on KPIs, including targets and results?
74. Does the company report the number of third party contracts terminated for non-conformance with the company's anti-bribery programme?
Information management and technology

Documentation

75. Is there a procedure to document fully all material aspects of the company's relationships with third parties (including identification, risk assessment, risk assignment, due diligence, contracting, monitoring and review)?

New technology and data management

76. Is there a comprehensive company-wide system for managing data on third parties?
77. Is there a procedure to ensure compliance with relevant data and privacy laws in the company's countries of operation and those of its third parties?
78. Does the company regularly review how it can apply new technology to third party management?
79. Does the company obtain the agreement of due diligence subjects to record sensitive information about them?
80. Does the company have agreements with third parties about transferring sensitive information about them to third countries?
81. Does the company control access to data and implement controls to ensure there is no unauthorised access?
82. Does the company use automated analysis to handle big data?
83. Is there an automated process to register third parties (prospective and existing)?