MANAGING THIRD PARTY RISK: CHECKLISTS

The Enabling Environment

Governance and commitment to integrity

1. Is there a procedure to ensure board oversight and accountability for third party anti-bribery management?
2. Is responsibility for oversight and governance of third party anti-bribery management assigned to a board committee?
3. Do the board and senior management demonstrate the company's commitment to third party anti-bribery management through tone-from-the-top?
4. Does the company have a procedure to monitor anti-bribery and other relevant laws related to third parties?
5. Is the board regularly informed of requirements and changes in laws related to third party anti-bribery management?

Organising for anti-bribery management

6. Has a senior executive been given clear overall responsibility for third party anti-bribery management?
7. Is there an integrated or coordinated approach across the company for third party anti-bribery management?
8. Has the company clearly assigned responsibilities for third party anti-bribery management to support functions (e.g. finance, legal and compliance)?
9. Do the procedures for third party anti-bribery management involve cross-functional working?
10. Does the company empower local business or market units to provide input to the design of procedures and make decisions relating to third party anti-bribery management?

Building trust in your relationships

11. Does the company assign formal responsibility for anti-bribery management to third party relationship managers?
Response columns for each indicator: Y / N / Unclear / In plan? / Comment / Ref no:
The Third Party Anti-Bribery Framework

Identification

12. Has the company defined the forms of third party and the scope of its third party anti-bribery programme?

Risk assessment

13. Has the company implemented a procedure for identifying and prioritising the risks and risk factors attached to third parties?
14. Are the internal risks attached to third party management included in risk assessments (e.g. kickbacks to employees, use of third parties to channel bribes)?
15. Are the results of risk assessments used to design and improve the anti-bribery controls for third parties?
16. Is there a systematic procedure for the engagement of all third parties, applied consistently across the company?
17. Is a business case required before the engagement process can begin?
18. Are there thresholds of authority for approving the business case?
19. Are all third parties under consideration for a contract or business relationship required to complete a pre-qualification questionnaire (PQQ)?
20. Is there a procedure for review of the completed pre-qualification questionnaire?
21. Does the company inform prospective third parties of its process for engaging and working with third parties, including its anti-corruption practices?

Due diligence

22. Are potential and existing third parties assigned to a risk category using risk factors identified during risk assessment?
23. Is there a systematic process for conducting due diligence on third parties?
24. Is the level of due diligence conducted in direct proportion to the level of risk posed by a third party?
25. Do the due diligence checks include the following external checks:
   - Detailed business profile
   - Media and social media screening
   - Checks of open source information and databases
   - Search of watch and sanctions lists
   - External data and audit providers (e.g. Sedex, TRACE)
   - Background checks on key people
   - Politically Exposed Persons (PEPs) check
   - Credit and other financial checks
   - Bank references
   - Due diligence report by external consultant
   - Audit of books and records
26. Do the due diligence checks include obtaining the following from the third party:
   - 3P questionnaires tailored by risk category
   - Customer references
   - Disclosure of conflicts of interest and related risks (e.g. familial connections to PEPs)
   - Evidence of good practice compliance (e.g. independent anti-bribery audits or certification against ISO 37001)
   - Information on governance, values, code of conduct, anti-corruption programme and policies, and public reporting
27. Do the due diligence checks include the following methods:
   - Face-to-face meetings with key contacts and management
   - Interviews of CEO/senior management, including discussion of any concerns and red flags
   - Meetings with the key business associates of the third party (e.g. joint venture partners, consortia, key contractors)
   - Site visits
   - References and testimonials from local sources (e.g. embassies and high commissions, business chambers, NGOs and opinion formers)
28. Is there a procedure to assess that any proposed fees and other contractual considerations are appropriate and justifiable?
29. Is information obtained from the relationship manager, employees who interact with third parties, buyers, business units and local management?
30. Is there a procedure for mitigating risks identified through due diligence?
31. Is the decision to proceed with an engagement dependent on there being a satisfactory due diligence report?
32. Is the legal function required to approve due diligence reports for medium and high risk third parties?
33. Is there a procedure to properly document due diligence reviews?
Contract

34. Is there a procedure for initiating contracts with all third parties?
35. Does the company do the following before entering into contract negotiations with a third party:
   - Discuss its model and expectations for working with third parties
   - Provide tailored documents according to the form of third party and assigned risk category (e.g. code of conduct, business conduct guidelines, and standard terms)
36. Does the company provide model contracts to standardise anti-bribery terms and requirements across the company?
37. Is there a procedure for renewal of third party contracts after a defined period?
38. Is there a procedure to tailor contracts to comply with local anti-bribery laws?
39. Do contracts with third parties include the following standard terms:
   - Requirement to implement an adequate and proportionate anti-bribery programme
   - Right to be informed of use of sub-contractors and the procedure to be followed
   - Commitment to complying with relevant anti-bribery and corruption laws
   - Requirements for countering specific corruption risks (e.g. small bribes, dealings with public officials)
   - Specification of who in the third party is responsible for the anti-bribery programme
   - Warranty that no public official or close relative of an official is associated with the third party, whether as an investor, officer, employee or shadow director
   - Warranty that the third party is not, and has not been, the subject of an investigation, settlement or conviction for bribery or other form of corruption
   - Terms for fees and commissions (e.g. jurisdiction for payments, prohibition of cash payments/payments to off-shore accounts, and requirements for supporting documentation)
   - Commitment to maintain accurate books and records available for inspection by the company or its representatives
   - Audit rights (tailored to comply with local laws)
   - Immediate notification in writing of suspicion of or an incident of bribery
   - Provision for cooperation with authorities in the event of an investigation
   - Right to terminate in the event of suspicion of or an incident of bribery, and where there is evidence of an inadequate anti-bribery programme
   - Provision for regular performance reviews related to the anti-bribery programme
   - Terms for renewal of the contract
40. Where the company does not have effective control of a joint venture or consortium, is there a procedure to communicate the company's anti-bribery programme to the other entities in the venture and encourage them to adopt a programme for the venture consistent with its own?
41. Where due diligence shows that a joint venture or consortium does not have an anti-bribery programme consistent with that of the company, is there a procedure to establish contract protection?
42. Where the company is unable to ensure that a joint venture or consortium has a programme consistent with its own, is there a procedure under which it has a plan to exit from the arrangement if bribery occurs or is suspected to have occurred?
Management

43. Is there a policy to implement the company's programme in all business entities over which it has effective control?
44. Is there a procedure for management of third parties?
45. Are dedicated anti-bribery documents provided to third parties (e.g. tailored code of conduct, business conduct guidelines, advice and speak up guidance)?
46. Does the company communicate clearly to third parties the sanctions for violations of its programme?
47. Is tailored anti-bribery training given to employees who manage or interact regularly with third parties?
48. Is regular tailored training given to high risk third parties?
49. Is regular tailored training given to high risk lower tier third parties?
50. Is tone-from-the-top used to reinforce third party training?
51. Are advice and speak up (whistleblowing) channels provided for use by third parties?
52. Are metrics and actions related to use of these channels reported to management and the board?
53. Is there a procedure for managing incidents or allegations of bribery related to third parties?
54. Does the procedure cover self-reporting to the authorities?
55. Does the procedure provide for protection of data on third parties involved in a bribery incident?
56. Is there a procedure for applying sanctions to third parties?
Monitoring

57. Are all third parties required to complete an annual questionnaire updating basic information about their company (e.g. ownership, acquisitions, annual report)?
58. Does the company require annual certification from a director or the chief executive of high risk third parties that:
   - The anti-bribery programme is implemented and has been subject to review during the year
   - There have been no bribery incidents during the year
59. Does the company require annual certification from business unit managers or country managers that the third party anti-bribery programme has been implemented for high risk third parties?
60. Are there internal controls to ensure the following:
   - Compensation paid to agents, lobbyists and other intermediaries is appropriate and justifiable remuneration for legitimate services rendered
   - Compensation paid to agents and other intermediaries is paid through bona fide channels
   - Payments are made only in jurisdictions where third parties are based or operate
   - Payments to third parties are not made to off-shore accounts
   - Appropriate and enforced thresholds and countersignatures for approvals of contracts, payments and transactions
   - Checks that the third parties’ controls match those of the company
   - No cash payments and strong petty cash controls
   - Segregation of duties
   - Invoices for payments are supported by full documentation
   - Activities invoiced conform to the company’s policies for hospitality, travel expenses, gifts, donations, sponsorships and small bribes (‘facilitation payments’)
   - Additional scrutiny of payments for high risk expenses (e.g. visas, customs, taxes, government certificates, licences, bonuses, commissions, gifts, entertainment, travel, donations, marketing)
61. Is a procedure implemented to exercise audit rights and carry out audits as follows:
   - On high risk third parties every one or two years
   - On medium risk companies on a sampling basis
   - On control samples of low risk third parties
   - On high risk lower tier third parties as necessary
62. Do on-site visits form an integral part of audits of high risk third parties?
Review and evaluation

63. Is there a procedure to monitor the implementation of the anti-bribery programme for third parties?
64. Are KPIs and targets set for implementing the anti-bribery programme?
65. Are KPIs discussed with stakeholders to ensure they meet material interests and expectations?
66. Does the company have a procedure to record all incidents, whistleblowing concerns and identified red flags, and the steps taken to review and mitigate issues and improve the anti-bribery programme?
67. Are the results of monitoring and audits reviewed regularly by senior management?
68. Does senior management make regular reports to the board on the implementation of the third party anti-bribery programme?
69. Is there a procedure for continuous improvement of the programme?
70. Does the company benchmark its anti-bribery programme for third parties?
Public Reporting

71. Does the company publish its code of conduct and policies and procedures for working with third parties?
72. Does the company report its procedures for managing third parties?
73. Does the company report on KPIs, including targets and results?
74. Does the company report the number of third party contracts terminated for non-conformance with the company’s anti-bribery programme?
Information management and technology

Documentation

75. Is there a procedure to document fully all material aspects of the company's relationships with third parties?

New technology and data management

76. Is there a comprehensive company-wide system for managing data on third parties?
77. Is there a procedure to ensure compliance with relevant data and privacy laws in the company's countries of operation and those of its third parties?
78. Does the company regularly review how it can apply new technology to third party management?
79. Does the company obtain the agreement of due diligence subjects to record sensitive information about them?
80. Does the company have agreements with third parties about transferring sensitive information about them to third countries?
81. Does the company control access to data and implement controls to ensure there is no unauthorised access?
82. Does the company use automated analysis to handle big data?
83. Is there an automated process to register third parties (prospective and existing)?