A process well assimilated

Before the implementation of the Sapin II law, French companies lost markets abroad because they were unable to prove that they were irreproachable in the fight against corruption.

Today, although companies have assimilated this regulatory obligation, particularly regarding the evaluation of third parties, significant differences in maturity remain in how the procedures required by law are applied.

 

Complex implementation

It is very difficult to ensure that third-party risk management is effective without blocking the business. In organisations, the different parties involved in risk management (finance, purchasing, legal…) are sometimes overwhelmed by the burden of the task. In some cases, the law will be applied very rigorously, while other entities with comparable profiles will set priorities and opt for an “à la carte” implementation.

Although understandable, this type of approach is not without risk, because it is based on an interpretation of the law, which is necessarily subjective. In the case of the evaluation of third parties, for example, the French Anti-Corruption Agency is uncompromising on the obligation to evaluate all of them. However, given the size of certain customer and supplier portfolios, this work can quickly take on huge proportions that will discourage even the best intentions (cost of implementation, workload, efficiency, etc.). Moreover, it is very difficult for multi-site and multi-country companies, which often use different information systems, to collect and centralise information about their third parties. The question of the practical organisation of the verification process is therefore fundamental.

 

A pragmatic approach

Although it represents a certain cost (determined by the number of third parties to be assessed and the level of due diligence*), outsourcing third-party risk management, whether total, partial or ad hoc, ensures the reliability of the information and the ability to automate processes to the maximum extent possible.

Companies could then take the following steps:

  • simple checks on third-party profiles that the risk mapping has previously designated, according to criteria defined upstream by the company, as not representing a high risk of corruption (questionnaires, simple checks of identity and registration, the correct address of the head office, etc.),
  • extensive checks on third-party risk profiles, including the search for beneficial owners, screening against sanctions lists and, of course, the preservation of documentary evidence, while guaranteeing a periodic review.

This type of good practice will be increasingly adopted by each company as processes become industrialised and more efficient.

 

*Verification actions carried out on the third party prior to entering into contact

Our Compliance support

Discover now Ellisphere’s expertise on your compliance issues and master your due diligence…

Our Compliance Approach