Third Party Anti Bribery Framework Charts


Example procedures for screening, engaging and managing third parties

Stage 1: Registration and pre-qualification

Registration
• Self-completion of online registration form on the company’s third party (3P) website by all 3Ps with which the company is considering an association.
• Includes unsolicited approaches from 3Ps [1] and those being invited to become 3Ps.

Existing 3Ps
• Existing 3Ps are identified and a process implemented for conducting due diligence.

Business case review and approval
Low value, one-off contracts:
• One-off, low risk purchases can be made by the requisitioning department without a business case up to a financial threshold. The relationship should be fully documented.
All other contracts:
• The requisitioning business unit makes a business case for the 3P appointment.
• Review and approval of the business case is carried out at management threshold levels according to factors such as the size, length, jurisdiction, complexity and criticality of the contract.
• High risk contracts require review and approval by divisional manager or director.

PQQ completion
• 3Ps under consideration are asked to complete a Pre-qualification Questionnaire (PQQ) issued by contracting, procurement, agent management or other relevant onboarding function.
• If the 3P has completed a PQQ recently it is asked to confirm that the PQQ data remains valid.
• The signature of a director or relevant manager is required attesting to the accuracy of the information.

PQQ evaluation
• The completed PQQ is pre-checked by the requisitioning department and then reviewed by a dedicated onboarding function such as contracting, procurement, agent management.
• Specific checks include:
  1. Does the 3P have the requisite expertise and a proven track record?
  2. Who are the 3P’s other clients and third parties (e.g. agents and key lower tier suppliers)?
  3. Who are the beneficial owners or persons with interest in the company?
  4. Does the 3P have connections or transactions with government entities?
  5. Does any public official have an interest in the company including ownership or influence, a familial connection or a business interest?
  6. Are there any bribery and corruption red flags?

Follow-up (if necessary)
• Follow up any concerns or red flags and request further information.
• Any further information supplied is attested by a director or senior manager of the 3P.

Invitation to tender or supply
• Once PQQ information has been assessed as satisfactory, the 3P is invited to tender by the requisitioning business unit or the relevant onboarding function.
• Where red flags are identified, preliminary due diligence may be necessary before inviting companies to tender.
• The company informs prospective 3Ps on the engagement process and how it works with 3Ps, including its anti-corruption practices.
• Invited 3P(s) are subject to due diligence (see Stage 2).

[1] Some companies may have a policy not to accept unsolicited approaches.


Stage 2: Due diligence

Due diligence

Internet check

Due diligence research

Review of 3P documentation and operations

Review local and sector sources In-house evaluation

Details
• Basic check carried out by requisitioning business unit
• Detailed business profile
• Media and social media screening
• Checks of open source information and databases
• Search of watch and sanctions lists
• External data and audit providers such as Sedex, TRACE
• Background checks on key people
• Politically Exposed Persons (PEPs) check
• Credit and other financial checks
• Bank references
• Due diligence report by external provider
• Audit of books and records
• 3P and Business Unit questionnaires tailored to the 3P’s assigned risk category
• Customer references
• Identification of red flags
• Face-to-face meetings with key contacts and management
• Interviews of CEO / senior management including discussion of any concerns and red flags
• Meetings with the 3P’s key business associates e.g. joint venture partners, consortia, key contractors
• Site visits
• Checks for conflicts of interest and other risks such as familial connections to PEPs
• Compliance check:
  • Evaluation of the 3P’s governance, values, code of conduct, anti-corruption programme and policies
  • Assessment of the 3P’s public reporting and information provided by the 3P
  • Checks for evidence of good practice compliance such as independent anti-bribery audits or certification against ISO 37001
• Review of interviews, references, testimonials, informal comments from Embassies and High Commissions, business chambers, business associates of the 3P, NGOs, opinion formers
• Assessment that proposed fees or other contractual considerations are appropriate and justifiable for the services rendered

Low risk Yes

Yes

Basic check for conflicts of interest

Medium risk Yes Yes English or other main international languages Yes Yes Yes Yes Yes Yes Yes As necessary By exception Yes

High risk Yes Yes International and main local languages Yes Yes Yes Yes Yes Yes Yes Yes As necessary Yes

Yes Yes Yes As necessary

Yes Yes Yes Yes

As necessary

Yes

As necessary Yes

Yes, including extended visits Yes

Yes

Yes

As necessary

Yes

Yes

Yes


Comments and information obtained from the relationship manager, employees who interface with third parties, buyers and local management

Mitigation

If concerns have been identified through due diligence, these are mitigated or a mitigation plan set out, e.g. through discussions with the 3P, elimination of risk areas or amendment of the company’s anti-bribery controls.

Report and approval to proceed to contract

The due diligence report is completed and reviewed and, if satisfactory, a decision is made to appoint. The discussion and the reasoning for the decision should be documented.

Decision by requisitioning manager

Yes

Yes

Yes

Yes

Decision by requisitioning manager, next line manager plus compliance or legal department

Decision by requisitioning manager and senior manager plus compliance or legal department

Stage 3: Contract

Low risk | Medium risk | High risk

Pre-contract discussions and communications
• Code of conduct at the very least should also be communicated to low risk 3Ps.
• Documents tailored to the form of 3P and assigned risk category, e.g. code of conduct, business conduct guidelines and standard terms.

Basic contract terms
• Commitment to comply with anti-corruption laws
• Commitment to a no-bribes policy and to implement an adequate anti-bribery programme
• Audit rights
• Right to terminate the contract in the event of or suspicion of bribery

Additional contract terms
• Right to audit lower tiers of high risk supply chains

Signing and issue of purchase order or contract
• By purchasing, contracting or other relevant function
• By purchasing, contracting or other relevant function with legal counter-signature


Stage 4: Management

Low risk | Medium risk | High risk

Communications
• The company communicates to 3Ps its code of conduct, any tailored communications materials (e.g. supplier code of conduct and business conduct guidelines), its anti-bribery programme policy and procedures, and any 3P advice or speak up lines.

Advice and speak up channels
• The company provides channels for seeking advice on the anti-bribery programme and reporting by 3P employees of concerns or suspicions relating to bribery.

Relationship management
• Responsibilities are assigned for overseeing and managing third parties.
• A relationship manager is assigned to each high risk 3P.

Online training
• Provided to 3Ps and relationship managers in English and other main international languages.
• Provided to 3Ps and relationship managers in English, other main international languages and main local languages.

Evidence of 3P training
• The company requires evidence of the anti-bribery training provided by the 3P to its employees on an annual basis.

Face-to-face training
• The company provides tailored face-to-face anti-bribery training, or requires the 3P to undergo satisfactory training from a provider chosen from a list of organisations.
• Every 3P employee working on behalf of / with the company, should be recorded as having undergone such training.
• Training is repeated annually.

Tone-from-the-top
• The company leadership communicates the anti-bribery commitment to 3Ps.
• 3P leadership is involved in trainings and communications to reinforce the message.
• Location visits to third parties by someone from the board and senior management.

Performance measures
• Anti-bribery performance measures and targets are established for management of 3Ps, e.g. scope and quality of training.
• Targets and performance metrics may be reported publicly.


Incidents

• If possible bribery is detected, the issue is dealt with immediately by legal and compliance and reported to senior management.
• If bribery has been made by a 3P on the company’s behalf, the incident is reviewed by the legal department and reporting to the authorities is considered.
• If bribery has occurred in a 3P, the contract should be reviewed and a decision made as to whether mitigation can take place or the contract should be terminated.
• Audit rights should be exercised when there is reasonable suspicion bribery has occurred and the 3P has not addressed concerns in a satisfactory manner.


Stage 5: Monitoring

Monitoring 3P anti-bribery practices
Low risk:
• Contract owners advise 3Ps where to get information and support if needed.
Medium risk:
• Relationship managers manage and monitor groups of medium risk 3Ps.
• The level of engagement is increased for 3Ps where issues are detected or suspected.
High risk:
• Relationships are closely managed for each high risk 3P.
• Relationship managers make frequent reports to management and compliance.

Renewed due diligence
No longer than three years
• Every two or three years or at completion of a project term
• Consideration of any changed circumstances
• Before a contract renewal, the business case is reviewed and due diligence repeated as deemed necessary, including an audit of the 3P
• Reasons for not reviewing the business case or renewing due diligence should be documented

Exercising third party audit rights
• As a control, audits are conducted according to a statistical sampling methodology.

Review by senior management and the board

Continuous improvement

Reports are made on a quarterly basis to management, the board or the relevant board committee on the company’s 3P anti-bribery management, the quality of implementation, any incidents, issues or concerns and proposals for remediation or improvement.
• Reports are made more frequently on high-risk 3Ps.
• Individual cases are raised where necessary.

The results of monitoring, audits and lessons from incidents are used to improve the programme for 3Ps.

Regular audits (e.g. every two to three years).

Stage 6: Review and evaluation

Action

Low risk

Medium risk

High risk

