Global Third Party Due Diligence
PCC 2017
28 April 2017 Presented by Darren Jones, Cory LaBarge and Michael Clarke
© Polaris 2017
Key questions to be addressed
1. Central risks associated with Third Party interactions
2. How to effectively manage high-risk Third Parties where there are limited ex-ante risk mitigation options
3. Factors to consider when enhancing the third party due diligence process
4. Examine best practices for the verification, monitoring and auditing of third party entities
5. How to make KPIs=KRIs for your monitoring and auditing plans
6. Evaluate best practices for using third party auditors (as opposed to internal auditors)
7. How to manage third party due diligence and alliance management for M&A and Product Licensing deals
Why is Third Party management and oversight challenging?
Less control and visibility into their work, records, organization
May not have internal controls and/or compliance program
Potentially divergent business interests
They may delegate work to a sub-contractor (without consent or knowledge)
Direct interactions with government officials (especially outside the U.S.)
Easier to disclaim knowledge of wrongdoing
Limited options for vendors in risky countries or in specialized markets/for specialized services
Bribery and corruption happen in various ways through Third Parties
Forms of bribery
• Facilitation payments
• Discounts
• Vacations
• Gifts
• Medical Education Grants
• Charitable Contributions
• Meals
• Employment/Internship
• Product samples
• Free or discounted equipment
Risky Third parties
• Distributors
• Suppliers (other vendors along supply chain)
• Travel agencies
• Market access consultants
• Event & meeting management vendors
• HCP/Public officials engagements
• Customs agents
• Market Authorization Holders
• Contract sales organizations
• Contract research organizations
• Medical society / association
• Patient advocacy organizations
Third Party interaction with HCPs, HCOs, or government officials is high risk… due diligence is key
The development of systematic anti-corruption laws enhances the need for Third party (TP) monitoring
North America
USA Foreign Corrupt Practices Act (1977)
Europe
UK Bribery Act (2010)
German Act on Fighting Corruption in the Healthcare Sector (2016)
France Sapin 2 (2016)
APAC
China Anti-bribery laws (1979, amended in 2011)
South Korea The Act on the Prohibition of Improper Solicitation and Provision/Receipt of Money and Valuables (2016)
UAE Penal Code (1987)
South America
Brazil Clean Company Act (2014)
Colombian Transnational Corruption Act (2016)
Mexican National Anti-Corruption system (2016)
Africa
South African Prevention and Combating of Corrupt Activities Act (2004)
Note: this is a non-exhaustive list of laws in place to fight corruption
U.S. focuses on pharmaceutical companies and new DOJ compliance guidance
• “a healthy compliance program should also include third-party agent due diligence
• … risk that the distributor will use their margin or spread to create a slush fund of cash that will be used to pay bribes
• … a compliance program must thoroughly vet its third-party agents to include an understanding of the business rationale
• … appropriate expense controls must also be in place to ensure that payments to third-parties are legitimate business expenses and not being used to funnel bribes to foreign officials”
– Andrew Ceresney, Director, Division of Enforcement
DOJ Evaluation Guidance provides guidance and benchmarking for best practices in the US and globally. This aligns with the Five Elements of Risk Management:
Elements of Risk Management: DOJ Evaluation Guidance
1. Policies: Policies
2. Processes: Procedures; Risk Assessment; Third Party Management; Mergers and Acquisitions
3. People & Organization: Senior and Middle Management; Autonomy and Resources; Training and Communications
4. Systems & Data: Books & Records
5. Management Reporting: Confidential Reporting and Investigations; Incentives and Disciplinary Measures; Continuous Improvement, Periodic Testing and Review; Analysis and Remediation of Underlying Misconduct
Third party oversight and management: 5 key objectives
Reliability: As with all compliance programs, having consistent policies and procedures is essential to ensure program effectiveness. Consistency in areas such as initial screening/risk rating criteria, risk-based due diligence and approval/denial criteria is particularly important for TP oversight.
Transparency: The volume and diversity of TP engagements make it challenging to gain visibility into key TP compliance data points such as: how many TPs are we actually engaged with? What do they do for us? Who vetted and approved the engagement? Business and approval rationale?
Efficiency: Efficiency in execution is vital given the geographic diversity and high volume of TP vendor engagements. For this reason, having tight and scalable policies and processes and/or some form of automation is important.
Responsibility: Shared or diffused responsibility among various stakeholders (compliance, finance, business, etc.) is common in TP management. This potential liability can be alleviated by a clear governance model with clear lines of review and approval, as well as structured policies and SOPs.
Organization: Maintaining accurate records and documentation of all TP arrangements and decision-making processes is an essential component of the TP program – both for internal tracking and analytics as well as for regulatory compliance purposes.
Stages of Third Party Management & Oversight Life Cycle
Identification
• Business needs/rationale
• Initial screening
Qualification
• Vendor questionnaire
• Vendor FMV or benchmarking analysis
• Risk-based due diligence
Engagement & contracting
• Contracting
• Business stakeholder training
• Vendor training (as required)
Monitoring & auditing
• Risk-based & Purposeful
• Criteria to decide which vendors to monitor
• Exercise auditing rights
• Consideration: Who conducts the audit – legal, compliance, internal audit department
Renewal/exit strategy
• Risk-based due diligence renewal (periodic)
o Risk
o Internal resources
• Factors for termination
• Opportunities to correct
• Document conversations with business
Pareto Principle – 80% of corruption risk comes from 20% of vendors
Sample factors that can drive risk
• Geographic location (High corruption index; Advanced regulation/enforcement)
• Industry
• Distribution to Government Officials/Agencies (direct/indirect/high percentage)
• Sales Through Sub-Distributors
• Value of Contract (high dollar amount)
• Proposed Compensation Structure (fee-for-service, commission, salary)
• Financial Irregularities (Typical? Cash vs. Pre-Pay? Higher than usual? Transfer to third party accounts or a different country)
• Adverse Media Reports/Prior History (prior corruption, scandal, civil/criminal prosecutions, media search)
• Unwillingness to include contract protections (audit rights; indemnity; certifications; ABAC provisions)
• Strength of Third Party’s Ethics & Compliance Program
Due Diligence for M&A and Licensing – Important Considerations
Alliance Management View
• Focused on alliance or partnership considerations
• Mid to longer term relationship
• Distribution Contract can become more complex and involved
• More monitoring and auditing may be required
• Partnership and Alliance Management must be considered and managed
Contract Administration View
• One time transaction
• Short to mid term profit maximization
• Straightforward contract provisions and clean hand off
• Upfront evaluation of risks and due diligence requirements
• Manage to the contract agreement
• Little interest/investment in a relationship