Unpacking the DOJ's ECCP: Part 4 – Third-Party Management

In previous editions of this series on the September 2024 update to the US DOJ’s Evaluation of Corporation Compliance Programs (ECCP), we explored Risk Assessments (Part 1), the synergy between Policies, Procedures, Training, and Communication (Part 2), and Confidential Reporting Structures and Investigations (Part 3). Now it’s time to dive into Third-Party Management—an area I know well, having spent much of my recent career building teams, processes, and controls in this space.

Before she left SAP in early 2018 (and right after a public scandal related to its South African business dealings), I was asked by the best leader and Chief Compliance Officer I’ve ever encountered— Melissa Lea —to create a team focused on mitigating third-party bribery and corruption risks for the company. At the time, SAP was still recovering from a 2016 regulatory settlement over a Panamanian reseller’s misuse of sales discounts that funded bribes and kickbacks. Then came the South Africa concerns, which centered on commission payments and travel-related corruption involving local partners in the region.

The requirements of my new role:?

1. Establish regionally based shared service teams to perform two key partner-related activities:? (A) partner due diligence reviews and approvals, and (B) validate that partners met their performance obligations to justify commission payments under new models.
2. Build a second complementary team to understand SAP’s partner models and incentives while mitigating compliance risks in collaboration with the business.

It felt like a “Mission: Impossible” assignment, but we rose to the challenge. ?I ended up establishing and leading a brilliant global team that worked closely with SAP’s channel business. That journey in mitigating third-party risks aligns closely with what the DOJ emphasizes today—comprehensive, risk-based due diligence.

What the DOJ Wants to See

The DOJ’s ECCP highlights that “…a well-designed compliance program should apply risk-based due diligence to its third-party relationships.”? We’re back to the fundamentals and base of risk assessment.

When evaluating third-party management, prosecutors will focus on:

• Risk-Based and Integrated Processes
• Appropriate Controls
• Management of Relationships
• Real Actions and Consequences

So, how did I apply these principles in my SAP days? Keep reading.

Top 5 Tips for Third-Party Management

1. Not All Third Parties Pose the Same Risk With hundreds—or even thousands—of partners and suppliers, compliance risks across numerous partner models at SAP varied. For instance, in the go-to-market space, the company used resellers, distributors, commission agents, service providers, etc.?

Your corporate compliance program does not need any type of due diligence on third-parties who are just exploring potential future business relationships with your company, and who are not exchanging any funds with you.? But due diligence and entity vetting is very important for a potential reseller supporting deep discount leveraging transactions for public entities in high-risk regions.

When setting up my “Partner Compliance Officer” team, I gave them a risk assessment template packed with targeted questions. Over time, they refined it, making it more effective with every iteration.

2. Move Beyond Basic Due Diligence: Leverage Data Analytics & AI Corporate compliance programs, up until just a few years ago, would see due diligence activities performed by companies on their third-parties based on established time frequencies (e.g. yearly, every 3 years, etc).? The due diligence would check various points, including, but not limited to, validating the existence and legitimacy of the third-party, value-add to the business, recent and past compliance concerns found in adverse media, and ultimate beneficial ownership structures.? In this day and age though, that’s simply not enough.?

The largest and most sophisticated global companies have periodically had compliance issues, and a compliance issue can stem from a single poorly controlled, high-risk transaction with even a reputable third-party.? (SAP’s 2016 FCPA settlement was related to collusion with the partner and circumvention of controls by a rogue employee.)? We must now leverage data analytics and artificial intelligence from information systems (e.g. customer relationship management system/sales pipeline, supplier relationship management/procurement transactions) to identify unusual and risky transactions for review.?

You’re taking on dangerous levels of risk if you assume that a large multinational partner or supplier, just because it is subject to the same laws and regulations as your company, will not create compliance concerns for you.

3. Don’t Just Gather Information—Act On It Collecting compliance data just to check a box is a common pitfall, but you'll get yourself in trouble if the collected data is not reviewed, or red flags are not acted upon. María Virginia Marotte (she/her) and Annie Alexander, CFE, CIA brilliant colleagues I hired, led SAP's improvement of its partner due diligence form a few years ago. Initially, we almost expanded it from one page to six.? (Yikes!) After careful review, we settled on four pages, adding questions only when a review team agreed that they’d add true value and would be actionable. ?Today, some systems may even be able to leverage AI to auto-review compliance data before human intervention is needed.

4. Ensure Audit Rights Are Real and Enforced Many companies include audit rights in contracts but rarely enforce them due to costs or collaboration challenges. A brilliant compliance colleague of mine, Maria Casablanca , designed a great third-party audit program and then handed over to an excellent audit colleague, Joachim Koopsingraven , to execute and establish the team.

To ensure success of such functions, companies need to:

• Staff the audit function with experts, and pull from the subject matter expertise from the business whenever needed.?
• Adjust the scope of each audit to focus on the specific relationship or transaction risks so that costs/resources are effectively managed, and no one is "boiling the ocean".?
• Leverage compliance consulting firms to perform work where conflict of interest concerns are raised.
• Establish cooperation expectation timelines and communicate consequences for non-cooperation clearly—and enforce them.

5. Make Compliance Consequences Real When I launched my partner compliance organization, I aligned four key goals with the business. The last but most critical? ?Shutting down high-risk partner models where cost-effective mitigation efforts could not be established and aligned.

Thanks to the up-front executive support in the business, we executed this plan when necessary—ending relationships and programs as needed to protect the company from new compliance risks.

Pitfalls to Avoid & Pro-Tips for Success

• Prioritize Risk Assessments: If you have many of them, you can’t tackle all partner models at once. We ranked our efforts at SAP based on various criteria, including revenue size, third-party count, high-risk geography presence, public sector engagement, and governance strength to address the biggest risks first.
• Avoid Over-Reliance on Outside Firms: External auditors are useful, but expensive. As is the case for excessive external counsel use on investigations, relying too heavily on them will inflate costs that could be better used for other purposes, and worse, stunt your team’s needed development and growth as the work is being outsourced.
• Know When to Say No: Saying “no” to the business is tough but necessary in some instances. I once had to halt a new partner model in a part of the world because local finance were unaware and were not performing controls the business had promised were assigned to them. Once I learnt of the missing execution, I gave the business a week to rectify the situation, but they couldn’t.? So I had to suspend the model, and only after booking stopped did another independent team take ownership, allowing us to restart the program.

Why This Matters

Despite what we’re reading in the news these days, the FCPA isn’t going away, nor are other global bribery and corruption laws. Over 90% of historic FCPA settlements involve third-party risks, and with so much at stake, companies must get third-party management right. By focusing on risk, action, and accountability, you can build a program that stands up to scrutiny—no matter who’s asking the questions.

Looking Ahead

Next time, we’ll tackle Mergers & Acquisitions. I’ll share insights from my experience handling compliance integration for a handful of small and large acquisitions over the years. Stay tuned!