By Scott Lane, The Red Flag Group®
While many companies have realised that a ‘tick-the-box’ compliance model is not particularly effective, there is still a tendency to look at compliance areas through a very small lens, making it difficult to address any issues that need fixing. There is also a rush to roll out solutions to deal with compliance risks without really thinking about whether they are long-term solutions. In many cases these solutions will do what they need to do, but they may not address a broader set of compliance risks and therefore may not be sustainable over the long term.
The development of the healthcare industry into holistic medicine (albeit slowly, and, admittedly, better in some parts of the world than in others) is a good sign as to what the compliance industry might also need to be looking at for its next major development. What is happening right now is the classic ‘take an aspirin’ approach to compliance. The medical world worked out years ago that they have to look not only at immediate relief (aspirin), but also more holistically at the health of the patient. They have to look at why the patient feels poorly by analysing their daily routine, their culture, their home life and the environment they are in, and they must also (increasingly so these days) focus on genetics.
A simple example to compare with the healthcare approach is integrity due diligence. This type of due diligence, previously known as background checks, is commonly carried out in large companies. It is typically conducted on incoming channel partners and some suppliers, with a view to determining, at a basic level, whether the company being checked has been involved in any form of integrity issue or is listed on a watchlist. It comes in different flavours and styles and at various price points.
Having been involved in developing a business around background checks/due diligence reports over the last seven years, and conducting almost a million separate projects, I can clearly see that companies are not looking at this risk area holistically. They are running to address the symptom rather than the cause of the potential risk. While it is essential that background checks are carried out (as they are an essential part of the solution), there are many other approaches to managing that risk. The background-check approach was very much a result of FCPA cases and comments by regulators that due diligence should be conducted: as a reaction, everybody ran off to get a programme in place, without giving sufficient thought to the problem that needed solving and the best way to solve it. In fact, most issues will not be identified by conducting background checks.
More helpful is the example of signing up a new channel partner to act as a distributor for a global business.
The risks involved in signing up a channel partner are broad, and include:
- the channel partner paying a bribe to win a sales deal
- a channel sales person and the channel partner colluding to set prices in a market
- supporting the channel partner in channel stuffing and creating false sales at the end of a quarter
- facilitating sales to illegal parties or countries
- the channel partner misusing any marketing funds or rebates
- the channel partner selling outside their territory or trading in black or grey markets.
In addition, there are general risk areas such as intellectual property misuse, trademark infringement, misuse of trade secrets, and confidential information around product roadmaps. It will depend on the channel partner type, size, age, location and history to determine what risks might arise in your relationship and how you can effectively manage them. No two channel partners will be identical, although clearly – as with patients visiting a doctor – there are common themes across age groups, cultures and countries.
The current method of managing these risks is mostly by conducting a due diligence background check. Conducting a background check might address some basic risk areas in that channel partner, but it is not holistic. To truly manage that set of risks holistically and really get value out of managing that risk, you would need to build a much more sophisticated system.
When visiting the doctor and getting a holistic health overview, it is hard to pinpoint the precise action that managed the risk, but you can feel far more confident about your health than you would have had you just taken an aspirin. In the same way, you need to think about taking a holistic approach to compliance and about how it can emulate that success.
If you were going to manage the risks in the new channel partner, a holistic review would look at the following.
Before starting anything, have a good hard look at the channel operations and sales teams, and work out whether you have the buy-in and interest to implement the controls that you want. To compare to the health example, if there is simply no way that the patient will change their dietary habits or stop smoking, then there is not much that you can do. You need to look at their tolerance and appetite for change. In a compliance context in a company, that is really all about measuring their tolerance for risk.
Before a patient can be holistically improved, you need to stand back and assess what is happening at the moment. To do this you would observe the patient and have them complete a series of reviews and tests to examine the state of their current health. In a compliance context, this would involve some form of mapping and documenting of the current state. For example, which checks are done when a partner is signed on to the system? How is that handled? By whom?
Integrity risk roundtable
Having looked at the patient, you now have to identify the key risk areas that are likely to relate to them. Not all health issues will affect all people. Many risks can be identified through the tests completed above. For example, if the patient has elevated blood pressure, high cholesterol or is overweight, they will have a high propensity for heart disease. This is the same in the compliance world in that not every channel partner will pose the same risks. While partners in China might be more associated with risks such as channel stuffing or bribery to government officials, those in Scandinavia might be more likely to sell outside their jurisdiction to areas that may be subject to sanctions, such as Russia. One size certainly does not fit all in compliance – just like it doesn’t for a health check. You need an experienced practitioner to look at the results and consider which risks might lie in which areas and regions. If you need help understanding the risks, you might also consider some benchmarking with peers, buying access to country compliance risk reports, or generally getting advice on how to identify and manage compliance risks.
Genetic testing has changed the way that the healthcare industry looks at patients and their propensity to acquire a disease or sickness. Likewise, in compliance you can predict certain compliance issues with predictive analytics. While the approach is still fairly new, there is a wealth of information that can be learned from looking at historical issues and predicting future issues. Predictive analytics can also be used in transaction monitoring and can add significant value. Just as genetics has changed the scope of treating disease, transaction monitoring and predictive analytics will change the way that we focus on compliance.
Integrity due diligence
As stated above, conducting a background check is an essential aspect of managing some of the possible channel partner risks; however, it is unlikely that you will identify any issues that have not already been made public. Therefore, much value will be derived from media references, and the history of infringements or clear ‘noise’ in the market or industry where the company has engaged in illegal or suspect transactions. What you will not be able to assess through background checks and media references, though, is whether the company is likely to be involved in future illegal dealings. At best they will highlight known issues that have happened in the past. To make integrity due diligence more effective you need to think about how to add an ongoing element, such as constant monitoring for any signs of trouble. This is now relatively standard from most providers. It is also important that you manage the red flags that arise from the due diligence. Having a process to manage the due diligence, working out the approval process and escalation paths, and deciding what is important to follow up and what is not are all parts of a holistic approach to due diligence.
Training is essential for many channel partners because they don’t have the focus on improving their own compliance systems unless mandated to do so. Training needs to be more than just attending a one-hour speech by compliance at the annual reseller forum. Likewise, training content needs to be broader than just anti-bribery training that recites the legislation in the relevant languages. Training needs to be on all risks associated with the channel partner, and look at all aspects, including legislation (such as the FCPA), anti-bribery, corruption, kickbacks, side letters, channel stuffing, advanced orders, export controls and selling outside regions.
Some of the risks identified are associated with margin and how that margin is used by the channel partner. It is essential that margins are controlled. Most compliance officers know that this is an area where controls are necessary, but many leave that up to the business to implement and it is never actually done. Standard controls should be in place for discounts, discount approvals and the use of rebates and special deals for specific clients or transactions. There should also be systems in place to manage marketing development funds, joint advertising funds or any form of shared cost associated with doing business. Ideally, technology systems should be in place to manage these funds and enable them to be web-based and easily auditable. To not focus on margin but focus entirely on due diligence is certainly not taking a holistic approach to compliance. It would be like a patient not taking any steps to control their diet going forward when they know that a failed diet could lead to heart disease and they have been identified as a prime candidate for that disease.
Once a channel partner has been assessed through the due diligence process and approved, you must then control the money paid to that channel partner. There are often payments made in addition to rebates and funding for marketing, such as flow-through commissions for fulfilment deals and commissions for achieving certain goals or for subcontracting agreements. These payments are often uncontrolled, fall out of the scope of legal or compliance (as they are often existing contracts with new schedules added) and give rise to additional funds being given to the channel partner without justification, so they need special focus and controls.
Building monitoring systems
Signing up a channel partner is not the end of the process; you need to keep monitoring them regularly. Just like a patient goes for an annual check-up, a channel partner in a holistic approach to compliance should also be monitored and assessed. This monitoring can be in several forms, including questionnaires, interviews or renewed due diligence, and you can use technology to do some automatic monitoring. Electronic communications with the partner should preferably be through a partner portal, not through email; however, in situations where email communication between the partner and the sales team is normal, email monitoring should be standard practice. Intelligent keyword monitoring in real time is ideal. The keywords need to be put together in a way that captures the likely non-compliant issues but allows the vast majority of filtering to process without hindering the flow.
Conducting audits of channel partners is an essential part of a successful compliance programme. Yet most companies do not audit, or if they do, the audits are typically reactive and used as investigation-type audits. The development of an audit programme is essential in building a holistic approach to compliance. Unfortunately, like most things, the likelihood of an audit happening increases the likelihood of compliance. The more audits, the more likely the channel partner will actually look to comply with their obligations. We have seen this in the area of tax compliance, with taxpayers increasing compliance and being less aggressive in their taxes when they are aware that there is a chance they will be audited and the consequences of failing an audit are severe. While audits are taking place in some companies, the focus is often too financial and not enough time is spent on compliance and underlying commercial issues.
Due diligence background checks can be a useful means of addressing basic risk areas, but they often only tackle the symptoms of a risk rather than the cause. A more sophisticated compliance system is required in order to manage such risks holistically and derive the necessary dividends. The adoption of a holistic approach to compliance should therefore give consideration to the above areas.