A well-understood process
Prior to the implementation of the Sapin II law, French companies were losing business abroad because they were unable to prove that they were blameless in the fight against corruption.
Today, although companies have assimilated this regulatory obligation, particularly with regard to the evaluation of third parties, significant differences in maturity remain with regard to the application of the procedures required by the law.
A complex implementation
It is indeed very difficult to ensure that third-party risk management is effective without hindering the business. In organizations, the various parties involved in risk management (finance, purchasing, legal, etc.) are sometimes at a loss when faced with the complexity of the task. In some cases, the law will be applied very rigorously, while other entities with similar profiles will prioritize and settle for an "à la carte" implementation.
While understandable, this type of approach is not without risk, as it rests on an interpretation of the law, which is necessarily subjective. In the case of third-party assessments, for example, the French Anti-Corruption Agency is adamant that all third parties must be assessed. However, given the size of certain client and supplier portfolios, this work can quickly take on gigantic proportions that will discourage even the most willing (cost of implementation, workload, efficiency, etc.). In addition, it is very difficult for multi-site and multi-country companies, which often use different information systems, to collect and centralize information on their third parties. The question of the practical organization of the verification process is therefore fundamental.
A pragmatic approach
Although it comes at a certain cost (determined by the number of third parties to be evaluated and the level of due diligence*), outsourcing third-party risk management, whether totally, partially or ad hoc, makes it possible to guarantee the reliability of the information and to automate the processes as far as possible.
Companies could then adopt the following approaches:
simple verifications for third parties that the risk mapping, using criteria set beforehand by the company, has designated as not representing a strong risk of corruption (questionnaires, simple checks of identity and registration, of the correct address of the registered office, etc.);
in-depth checks for third parties at risk, including the search for beneficial owners, checks against sanction lists and, of course, the retention of documentary evidence, while guaranteeing a periodic review.
This type of best practice will be developed more and more by each company as processes become more industrialized and efficient.
*Verification actions conducted on the third party prior to entering into a relationship
Read more
Our support dedicated to compliance
Discover Ellisphere's expertise on your compliance issues and master your due diligence...