Although the Sapin 2 law was born out of the need to adapt French business practices so as to avoid the application of foreign regulations with unfortunate consequences, getting into the habit of evaluating third parties as part of a corruption prevention and detection system has become a fine and noble cause.
For the company, this means protecting it!
It is imperative to give a new sense of purpose to all those responsible for carrying out due diligence on third parties.
Their mission is to protect their company from the risks incurred by working with third parties. While today, it is mainly the Sapin 2 law and its famous Article 17 that require companies subject to the law (over 100 million in sales and 500 employees) to assess their third parties for corruption risks, tomorrow it will be all ESG risks that need to be identified and minimized, or even ruled out.
Indeed, this is the spirit of the 2017 French law and the recent "duty of care" directive, in which due diligence covers risks in terms of human rights, workplace safety and environmental protection.
Let's go back to the three ESG letters: while corruption risk management is in the "G" for "Governance", due diligence requirements are linked to the "E" for "Environmental" and "S" for "Social" criteria.
Will your relationship with this third party lead you to engage in prohibited commercial practices? Does this third party use child labor? Is it responsible for pollution? Do its employees work in sufficiently safe conditions? And so on. Your company can no longer hide behind what it controls directly; it is responsible for its entire value chain, as specified in the CS3D (Corporate Sustainability Due Diligence Directive), which was published in the OJEU on July 5, 2024.
For society, it means making the world virtuous
Do you want a more ethical economy? You can take action by assessing the ESG impact of your company's partners and supporting them in their improvement process.
A company's power over a supplier is linked to the size of its order book. The more it buys, the larger the share of the supplier's sales it represents, and the more it can influence the supplier's behavior. The principle is the same as for a financial investor or a bank.
Regulations are thus pushing major companies to "clean up" the economic world by improving the way they operate. To win a tender, even a non-regulated company will have to demonstrate that it is implementing a CSR action plan worthy of the name, especially if it is a material link in the value chain of a large regulated company.
So, by working with each supplier and monitoring the actions implemented, you protect your company and at the same time contribute to making the companies in your ecosystem more virtuous.
Yes, but how do you do it?
To identify the risk induced by a relationship with a third party, we first need to find out about the third party, gather all the useful knowledge held internally (there is often a lot of information internally), and then cross-reference it with information from external sources.
This work enables us to map, for each type of risk, the risk specific to each third party, which in turn lets us group third parties into several GTRs (Groupes de Tiers à Risque, risk-based third-party groups).
The extent of the due diligence to be carried out will depend on this work.
In the fight against corruption, the French Anti-Corruption Agency (AFA) recommends screening the third party, its directors and its beneficial owners against sanction lists and against lists of Politically Exposed Persons (PEPs) and their close associates, and checking the press to see whether the related Legal Person (PM) or Physical Persons (PP) have been implicated in any adverse cases. If the result of a search is ambiguous, it is advisable to check that the subject of the search and the result are indeed one and the same person; this is known as the treatment of false positives.
If there is no doubt about the identity of the person found, and the results of the searches confirm that working with this third party carries a risk, it is then up to you either to put in place measures or an action plan to limit that risk (the mitigation exercise), or to refer the decision to internal experts or to your hierarchy (the escalation recommendation).
Have you finalized your assessment? All that remains is to decide on the next date for reviewing the assessment to ensure that the measures have been put in place with the third party and that the risk has not changed for the worse.
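The following Python script is an added illustration of the assessment steps just described (gathering the identity data, screening the entity and its directors and beneficial owners against sanction and PEP lists, checking adverse press, routing ambiguous hits to false-positive review, then choosing between mitigation and escalation and setting a review date). It is not code from the original article or from any vendor tool; every list entry, name, headline and country risk tier in it is constructed for the example, and the fuzzy-match threshold and review intervals are assumptions.

```python
"""Third-party integrity screening, modelled on the due-diligence steps in the text.
All reference data below is constructed for the example (fictional names, not real
sanction or PEP entries); thresholds and review intervals are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from difflib import SequenceMatcher
import unicodedata

# Constructed reference data (fictional).
SANCTIONS_LIST = {"Exemplia Trading Ltd", "Jean-Baptiste Exemplaire"}
PEP_LIST = {"Marie Exemplaire"}            # PEPs and their close associates
ADVERSE_MEDIA = [                           # (headline, names mentioned)
    ("Prosecutors open bribery probe into Exemplia Trading", ["Exemplia Trading Ltd"]),
]
# Hypothetical country tiers; a real process would use the current Transparency
# International CPI scores, which are not reproduced here.
COUNTRY_RISK = {"FR": "low", "XX": "high"}
FUZZY_THRESHOLD = 0.85   # assumption: near matches at or above this need manual review


def normalize(name: str) -> str:
    """Case-fold, strip accents and punctuation so 'Éxemplaire' == 'exemplaire'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.lower().replace(",", " ").replace(".", " ").split())


@dataclass
class ThirdParty:
    name: str
    country: str
    directors: list = field(default_factory=list)
    beneficial_owners: list = field(default_factory=list)


@dataclass
class Finding:
    subject: str
    source: str      # "sanctions", "pep" or "media"
    matched: str
    confirmed: bool  # False = possible match pending false-positive treatment


def screen_name(subject: str, reference: set, source: str) -> list:
    """Exact normalized match is a confirmed hit; a near match is flagged for
    false-positive review instead of being silently accepted or dropped."""
    findings = []
    for entry in reference:
        if normalize(subject) == normalize(entry):
            findings.append(Finding(subject, source, entry, confirmed=True))
        elif SequenceMatcher(None, normalize(subject), normalize(entry)).ratio() >= FUZZY_THRESHOLD:
            findings.append(Finding(subject, source, entry, confirmed=False))
    return findings


def screen_media(subject: str) -> list:
    """Adverse press check: the subject is named in a constructed headline."""
    return [Finding(subject, "media", headline, confirmed=True)
            for headline, names in ADVERSE_MEDIA
            if normalize(subject) in {normalize(n) for n in names}]


def assess(tp: ThirdParty) -> dict:
    """Run every search on the entity, its directors and beneficial owners,
    then decide the next step (escalate / mitigate / approve) and the review date."""
    subjects = [tp.name, *tp.directors, *tp.beneficial_owners]
    findings = []
    for s in subjects:
        findings += screen_name(s, SANCTIONS_LIST, "sanctions")
        findings += screen_name(s, PEP_LIST, "pep")
        findings += screen_media(s)
    confirmed = [f for f in findings if f.confirmed]
    pending = [f for f in findings if not f.confirmed]
    country_risk = COUNTRY_RISK.get(tp.country, "high")   # unknown country treated as high

    if any(f.source == "sanctions" for f in confirmed):
        decision, months = "escalate", 3    # decision belongs to experts or the hierarchy
    elif confirmed or country_risk == "high":
        decision, months = "mitigate", 6    # action plan plus closer follow-up
    else:
        decision, months = "approve", 12
    return {
        "decision": decision,
        "country_risk": country_risk,
        "confirmed": [(f.subject, f.source, f.matched) for f in confirmed],
        "pending_false_positive_review": [(f.subject, f.source, f.matched) for f in pending],
        "review_in_days": 30 * months,
        "next_review": date.today() + timedelta(days=30 * months),
    }


if __name__ == "__main__":
    tp = ThirdParty("Exemplia Trading Ltd", "XX",
                    directors=["Jean Baptiste Exemplaire"],
                    beneficial_owners=["Marie Éxemplaire"])
    for key, value in assess(tp).items():
        print(f"{key}: {value}")
```

The director's name differs from the sanctioned entry only by a missing hyphen, so it lands in the pending list for a human to confirm or dismiss, while the accented beneficial-owner name normalizes to an exact PEP hit; a confirmed sanctions hit on the entity itself forces escalation rather than a locally decided action plan.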
Having a tool to do this verification work can help a lot.
Such a tool is designed to gather the information already known, cross-reference it with external sources to qualify the individualized risk on the third party, and guide the user through the process with a workflow designed so that no step is missed and every step is carried out scrupulously in compliance with regulations and AFA recommendations. It also automates tasks that add no value, keeps a record of the actions carried out for the assessment, places a third party under surveillance so that you are informed at all times of any change in its risk, compiles a complete integrity report, archives assessments, and reports on activity through dashboards.
The tool helps to secure, train and simplify processes, and makes the mission entrusted to operational staff acceptable and achievable for them.
Sidebar: two case studies
You want to work with a third party in a high-risk country according to the Transparency International corruption index.
You see that the executive is close to the president of the country in question. And you also know that the third party's business is notorious for corruption.
Is it useful information? Would you like to know?
You have a subcontractor who has just been caught in a corruption scandal. Is it making the headlines?
Is it useful information? Would you like to know?