12. Managing Third Parties
Best Practice Guidelines
Integrate your approach: Develop and implement an integrated and consistent approach for managing third parties across the company’s operations. Clearly assign responsibilities for third party management and ensure a cross-functional working and risk-based approach.
Build trust and constructive relationships with third parties: Foster positive relationships and shared goals with third parties to enable better understanding and identification of risks.
Identify all your third parties: Identify and register all your third parties and collect, analyse and store relevant information about them, including their ownership, how they operate, their integrity and anti-corruption standards and any significant bribery and corruption risks.
Use a risk assessment process for addressing third party risks and ensure the level of resources provided is commensurate with the level of risk: Use a risk assessment process to identify, segment, mitigate and monitor the risks and risk factors attached to different types of third parties and use this information to design the criteria used in due diligence and to design and/or improve the overall anti-bribery programme.
Apply a systematic procedure for engaging third parties: Adopt a comprehensive and consistent approach to registering, screening and engaging third parties to ensure that engagements are made to desired standards and that procedures are tailored to the different types of identified risks.
Carry out an appropriate level of pre-engagement due diligence on third parties: Carry out due diligence proportionate to risks identified for different types of third parties, with a focus on those of highest risk. Use pre-defined risk criteria to assess individual third parties for inherent risk and vary the level of due diligence accordingly.
Use tailored communications and training, together with advice and reporting mechanisms, to manage third party relationships: Provide tailored communications and training to third party relationship managers and third party employees, commensurate with the level of risk. Provide third parties with access to confidential advice and speak-up channels and follow up any credible reports.
Implement rigorous monitoring procedures to deter and detect bribery incidents and breaches of the anti-bribery programme: Require high risk third parties to self-certify annually that they have complied with the anti-bribery programme. Repeat due diligence periodically for existing third parties. For high risk parties and where there is a significant bribery concern, exercise contractual audit rights.
Review and evaluate the effectiveness of the third party anti-bribery programme periodically: Report on the performance of the anti-bribery third party management programme to the board and senior management periodically, together with recommendations for improvements.
Report publicly on your anti-bribery management of third parties: Provide up-to-date information in an accessible manner to communicate to stakeholders your company’s anti-bribery commitment and anti-bribery measures related to third parties.