Global Third Party Due Diligence

PCC 2017

28 April 2017 Presented by Darren Jones, Cory LaBarge and Michael Clarke

2© Polaris 2017

Key questions to be addressed

1. Central risks associated with Third Party interactions

2. How to effectively manage high-risk Third Parties where there are limited ex-ante

risk mitigation options

3. Factors to consider when enhancing third party due diligence process

4. Examine best practices for the verification, monitoring and auditing of third party

entities

5. How to make KPIs=KRIs for your monitoring and auditing plans

6. Evaluate best practices for using third party auditors (opposed to internal

auditors)

7. How to manage third party due diligence and alliance management for M&A and

Product Licensing deals

3© Polaris 2017

Why is Third Party management and oversight challenging?

Less control and visibility into their work, records, organization

May not have internal controls and/or compliance program

Potentially divergent business interests

They may delegate work to a sub-contractor (without consent or

knowledge)

Direct interactions with government officials (especially outside the U.S.)

Easier to disclaim knowledge of wrongdoing

Limited options for vendors in risky countries or in specialized markets/for

specialized services

4© Polaris 2017

Bribery and corruption happen in various ways through Third Parties

Forms of bribery Risky Third parties

• Facilitation payments

• Discounts

• Vacations

• Gifts

• Medical Education Grants

• Charitable Contributions

• Meals

• Employment/Internship

• Product samples

• Free or discounted equipment

• Distributors

• Suppliers (other vendors along supply chain)

• Travel agencies

• Market access consultants

• Event & meeting management vendors

• HCP/Public officials engagements

• Customs agents

• Market Authorization Holders

• Contract sales organizations

• Contract research organizations

• Medical society / association

• Patient advocacy organizations

Third Parties interaction with HCPs, HCOs, or government

officials is high risk…due diligence is key

5© Polaris 2017

The development of systematic anti-corruption laws enhances the need for Third party (TP) monitoring

North America

USA Foreign Corrupt Practices Act (1977)

Europe

UK Bribery Act (2010)

German Act on Fighting Corruption in the Healthcare Sector (2016)

France Sapin 2 (2016)

APAC

China Anti-bribery laws (1979, amended in 2011)

South Korea The Act on the Prohibition of Improper Solicitation and Provision/Receipt of Money and Valuables (2016)

UAE Penal Code (1987)

South America

Brazil Clean Company Act (2014)

Colombian Transnational Corruption Act (2016)

Mexican National Anti-Corruption system (2016)

Africa

South African Prevention and Combating of Corrupt Activities Act (2004)

North

America

South

America

Africa

Europe

APAC

Note: this is a non-exhaustive list of laws in place to fight corruption

6© Polaris 2017

U.S. focuses on pharmaceutical companies and new DOJ compliance guidance

• “a healthy compliance program should also include third-party agent due diligence

• … risk that the distributor will use their margin or spread to create a slush fund of cash that will be used to pay bribes

• … a compliance program must thoroughly vet its third-party agents to include an understanding of the business rationale

• … appropriate expense controls must also be in place to ensure that payments to third-parties are legitimate business

expenses and not being used to funnel bribes to foreign officials”

– Andrew Ceresney, Director, Division of Enforcement

Elements of Risk

Management

DOJ Evaluation Guidance

1. Policies • Policies

2. Processes • Procedures

• Risk Assessment

• Third Party Management

• Mergers and Acquisitions

3. People & Organization • Senior and Middle Management

• Autonomy and Resources

• Training and Communications

4. Systems & Data • Books & Records

5. Management Reporting • Confidential Reporting and Investigations

• Incentives and Disciplinary Measures

• Continuous Improvement, Periodic Testing and Review

• Analysis and Remediation of Underlying Misconduct

DOJ Evaluation Guidance provides guidance and benchmarking for best practices in

the US and Globally. This aligns in with the Five Elements of Risk Management:

7© Polaris 2017

Third party oversight and management: 5 key objectives

As with all compliance programs, having consistent policies and procedures is essential to ensure

program effectiveness. Consistency in areas such as initial screening/risk rating criteria, risk-

based due diligence and approval/denial criteria are particularly important for TP oversight.

The volume and diversity of TP engagements makes it challenging to gain visibility into key TP

compliance data points such as: how many TPs are we actually engaged with? What do they do

for us? Who vetted and approved the engagement? Business and approval rationale?

Efficiency in execution is vital given the geographic diversity and high volume of TP vendor

engagements. For this reason, having tight and scalable policies and processes and/or some

form of automation is important.

Shared or diffused responsibility among various stakeholders (compliance, finance, business, etc.)

is common in TP management. This potential liability can be alleviated by a clear governance

model with clear lines of review and approval, as well as structured policies and SOPs.

Maintaining accurate records and documentation of all TP arrangements and decision-making

processes is an essential component of the TP program – both for internal tracking and analytics

as well as for regulatory compliance purposes.

Reliability

Transparency

Efficiency

Responsibility

Organization

8© Polaris 2017

Stages of Third Party Management & Oversight Life Cycle

• Business

needs/rationale

• Initial screening

• Contracting

• Business

stakeholder

training

• Vendor training

(as required)

• Risk-based &

Purposeful

• Criteria to decide

which vendors to

monitor

• Exercise auditing

rights

• Consideration:

Who conducts

the audit – legal,

compliance,

internal audit

department

• Risk-based due

diligence

renewal

(periodic)

o Risk

o Internal

resources

• Factors for

termination

• Opportunities to

correct

• Document

conversations

with business

Identification

Engagement

&

contracting

Monitoring

& auditing

Renewal/exit

strategy

Pareto Principle – 80% of corruption risk comes from

20% of vendors

• Vendor

questionnaire

• Vendor FMV or

benchmarking

analysis

• Risk-based due

diligence

Qualification

9© Polaris 2017

Sample factors that can drive risk

• Geographic location (High corruption index; Advanced regulation/enforcement)

• Industry

• Distribution to Government Officials/Agencies (direct/indirect/high percentage)

• Sales Through Sub-Distributors

• Value of Contract (high dollar amount)

• Proposed Compensation Structure (fee-for-service, commission, salary)

• Financial Irregularities (Typical? Cash vs. Pre-Pay? Higher than usual? Transfer to a

third party accounts or different country)

• Adverse Media Reports/Prior History (prior corruption, scandal, civil/criminal

prosecutions, media search)

• Unwillingness to include contract protections (audit rights; indemnity; certifications;

ABAC provisions)

• Strength of Third Party’s Ethics & Compliance Program

10© Polaris 2017

Due Diligence for M&A and Licensing – Important Considerations

Alliance Management View

• Focused on alliance or

partnership considerations

• Mid to longer term relationship

• Distribution Contract can

become more complex and

involved

• More monitoring and auditing

may be required

• Partnership and Alliance

Management must be

considered and managed

Contract Administration

View

• One time transaction

• Short to mid term profit

maximization

• Straightforward contract

provisions and clean hand off

• Upfront evaluation of risks and

due diligence requirements

• Manage to the contract

agreement

• Little interest/investment in a

relationship