Ethics Resource
Corporate Resilience: Managing Third-Party Risks
Bombman Turned Conman: International Fraud Case Demonstrates Collusion On Both Sides of High-Dollar Transaction (pg. 6)
Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain (pg. 12)
Third-Party Risk Management: Does Shaking Hands with a Third-Party Partner Make You Shaky? (pg. 24)
Published by
ISSUE 1, 2013 CRIgroup.com
Ethics Resource
Ethics Resource is created for business leaders, directors, investors and professionals who need the latest information and best practices for protecting their assets from fraud. Presenting practical tools, case studies, and articles focused on fraud prevention and detection, Ethics Resource provides an insightful look at the issues impacting businesses worldwide. Ethics Resource is published by Corporate Research and Investigations, LLC.
WORLDWIDE LOCATIONS

Middle East & North Africa

CRI Group Headquarters – Dubai, UAE
Level 9, #904, Liberty House, DIFC
P.O. Box 111794
Dubai, UAE
Tel: +971-4-3589884
Fax: +971 4 3589094
Email: crimena@CRIgroup.com
Web: www.CRIgroup.com

CRI Group ME – Doha, Qatar
Level 22, Tornado Tower
Al-Funduq Street
PO Box 27774
Doha, Qatar
Tel: +974 44292434
Email: doha@CRIgroup.com
Web: www.CRIgroup.com

Europe

CRI Group EMEA – London, UK
Level 33
25 Canada Square
London E14 5LQ
United Kingdom
Tel: +44 207 038 8366
Email: info@CRIgroup.co.uk
Web: www.CRIgroup.co.uk

Asia

CRI Group Asia – Pakistan
Level 12, #1210, 1211
55-B, Islamabad Stock Exchange (ISE) Towers
Jinnah Avenue, Blue Area
Islamabad, Pakistan
PO Box 2144
Tel: +92 51 111 888 400
Toll Free: 0800 00 CRI (274)
Email: admin@CRIgroup.com
Web: www.CRIgroup.com

CRI Group Asia Pacific – Singapore
1 Raffles Place, #19-07, Tower 2
One Raffles Place, Singapore 048616
Tel: +65 6808 5634 (35-36)
Fax: +65 6808 5800
Email: admin@crigroup.asia
Web: www.CRIgroup.asia
CRI Group is a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. A Licensed and Incorporated entity of the Dubai International Financial Centre-DIFC, CRI Group safeguards businesses by establishing the legal compliance, financial viability and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business.
Implemented and Certified ISO 9001:2008 (Quality Management Systems) ISO27001:2005 (Information Security Management Systems)
Ethics Resource
1st Quarter 2013
Contents
Ethics Resource | Issue 1, 2013

Bombman Turned Conman: International Fraud Case Demonstrates Collusion On Both Sides of High-Dollar Transaction (pg. 6)
In a bizarre international fraud case, a simple $20 plastic golf novelty item was re-sold to security forces around the world as a high-tech $40,000 bomb detector, which may have contributed to the deaths of scores of civilians and security personnel.

Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain (pg. 12)

Corporate Resilience: Managing Third-Party Risks (pg. 16)
Corruption, bribery and a lack of due diligence harm business interests worldwide. Learn what the experts are doing to combat these and other threats.

Third-Party Risk Management: Does Shaking Hands with a Third-Party Partner Make You Shaky? (pg. 24)
Letter from the CEO

With Ethics Risks, Knowledge is Your Best Weapon

In today’s international business world, where do you turn to stay informed on ethics issues that affect your organisation? How do you stay on the cutting edge of due diligence and compliance best practices that are essential to protecting a successful business model?

Welcome to the first edition of Ethics Resource, created by CRI Group to address critical ethics and due diligence challenges facing businesses worldwide.

Our cover feature, “Corporate Resilience: Managing Third-Party Risks” (pg. 16) provides an in-depth look at the risks confronting any business engaged in dealings with other organisations — a landscape in which the old saying “what you don’t know can hurt you” is an unfortunate truth. There are potential threats involved with any dealings with third-party providers: we run them down, and tell you what your organisation can do to be better protected. As part of our effort to help you be better informed, we’ve detailed our third-party risk management fundamentals, which we represent in four important phases in an easy-to-review graphic (pg. 21).

Would you pay $40,000 for a “bomb detector” that was actually a golf novelty item worth $20? Military forces and police departments around the world did just that. Read the incredible story of the “Bombman Turned Conman” (pg. 6) and learn about oversight and due diligence checking gone wrong.

We also probe a more well-known case — the infamous horse meat scandal affecting consumers in the UK and other European countries. The article’s title says it all: “Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain,” (pg. 12).

Finally, we round out our coverage of ethics and due diligence with some additional insight on dealing with outside organisations in “Third Party Risk Management: Does Shaking Hands with a Third-Party Partner Make you Shaky?” (pg. 24). Learn more about the different risks that accompany any dealings with third parties, including operational, reputational, compliance, strategic and other key risk areas.

Thank you for reading this first edition of Ethics Resource. I hope you find it to be an informative and useful tool in your continued business success.

Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI
Chief Executive Officer of CRI Group
Bombman Turned Conman
International Fraud Case Demonstrates Collusion On Both Sides of High-Dollar Transaction
By Zafar I. Anjum, CFE, CIS, MICA

In a bizarre international fraud case that recently unfolded in the British court system, a simple $20 plastic golf novelty item was re-sold to security forces around the world as a high-tech $40,000 bomb detector, and may have contributed to the deaths of scores of civilians and security personnel in Iraq.

The parties involved included a British businessman with a security background who made millions of dollars selling the fake bomb detectors to prominent security forces worldwide, and several high-ranking Iraqi officials convicted of taking massive bribes from the businessman to authorize purchase contracts.

James McCormick, 57, president of security products company ATSC (UK) Ltd., recreated a novelty golf ball finder which sold for $20 in the United States, and re-labeled the items as the “ADE 651,” a sophisticated device for detecting explosives. The ADE 651 was marketed and sold to military forces and police departments around the world including such volatile regions as Iraq, Syria, Lebanon, Niger, Kenya, Georgia, Saudi Arabia, Hong Kong and Mexico.

The fake devices, which the company expertly claimed could detect explosives, drugs and even currency, had no functioning mechanical or electronic parts and featured a simple retractable antenna that the company said operated similarly to a dowsing rod, which intuitively swiveled in the direction of the desired “programmed” item once that item was detected.

In the most egregious case, McCormick sold the devices for up to $8,000 each, but excessively padded the final purchase orders in order to kick back millions of dollars in payments to several officials in the Iraqi Interior Ministry. In 2009, Iraq’s Police Service and the Iraqi Army purchased 1,500 of the devices through a no-bid contract with ATSC, paying more than $87 million and bringing the price of each unit to nearly $60,000 which, according to McCormick, included fees associated with training and middlemen.

The devices were widely used at security checkpoints throughout Iraq, clearly giving a false sense of security to the personnel wielding them. Because they were fake and useless, the devices failed to detect explosives that would ultimately be used to kill or maim countless people in Iraq.

The scam began to unravel after a whistle-blower who worked with McCormick went to the British authorities. In subsequent interviews with the media, the worker (who had previously sold the device alongside McCormick) said he had once challenged his boss over the device’s effectiveness. McCormick was said to have answered that the device did “exactly what it’s meant to...it makes money.”

As a result of a two-year British investigation of ATSC, McCormick was found guilty on three counts of fraud in April 2013 and sentenced to seven years in prison. His counterpart in Iraq, General Jihad al-Jabiri (a senior Iraqi official who approved the ADE 651 procurement contracts, claiming that the devices had reduced bombings throughout the country by 90%) was arrested on corruption charges. He was subsequently convicted of taking millions of dollars in bribes from McCormick and was imprisoned along with two other Iraqi officials. Up to 15 Iraqis are said to have been on McCormick’s payroll, receiving money through a bank in Beirut.

A Complete Breakdown in Oversight

Amazingly, over the past decade, several government security agencies and security experts from around the world became very vocal about the viability of the ADE 651, with one skeptic going as far as to offer a million dollars to anyone who could prove that the device wasn’t “a fake, a scam, a swindle, and a blatant fraud.”

Worldwide, allegations that the device was fake (which stemmed from a host of independent tests) were well published. Germany officially “kicked the ADE 651 out of the country” in 2008, while an Israeli explosives expert was quoted in Der Spiegel magazine as saying, “The thing has absolutely nothing to do with the detection of explosives.” Further, an explosives expert visiting an arms and security fair in Beirut in 2009 described the device as “one big fraud.”
As a result of a U.S. Army study conducted on the device in 2009, the U.S. military notified all military and civilian personnel in Iraq that the bomb detection device was “ineffective and should not be relied upon as a means of ensuring the safety of any personnel.” The product, in fact, was banned from export to Iraq and Afghanistan by the UK “Export Control Act of 2002” after studies verified the ineffectiveness of the device.

Iraq had its fair share of skeptics as well. In 2008 an Iraqi investigation concluded that the devices were too costly and didn’t live up to the performance that was originally desired. But a source close to the investigation went on to state that, “there were senior officials involved in these transactions,” which, after calculating the costs involved and the financial losses, should have been a red flag that something was amiss.

Moreover, as early as 2009, Iraq’s prime minister ordered an investigation into the effectiveness of the devices after a series of bombings in and around the capital. The report and investigation were later suppressed, and it has been alleged that corruption was the reason, as 75% of the value of the contract “went to kickbacks received by [Iraqi] officials.”

How Could This Have Happened?

According to the London Times, “Iraqi officials reacted with fury to the news, noting a series of horrific bombings in the past six months despite the widespread use of the bomb detectors at hundreds of checkpoints in the capital.” One official, a member of the Iraqi Parliament’s Security and Defense Committee, was quoted as saying, “This company (ATSC) not only caused grave and massive losses of funds, but it has caused grave and massive losses of the lives of innocent Iraqi civilians, by the hundreds and thousands, from attacks that we thought we were immune to because we had this device.”

On paper, the facts of this case simply seem too bizarre to comprehend, and beg several key questions:
• Why didn’t anyone from the various security forces come forward to voice concerns over the ineffectiveness of the device?
• How could credible and knowledgeable security personnel continue to use a product that had, for several years, been deemed junk by the international community and completely incapable of detecting explosives?
• Why didn’t procurement personnel see red flags in the discrepancies between the per-unit price and the total inflated contracts?
• Why did it take so long for an ATSC employee to come forward?

The fact that ATSC continued to market and sell its phony bomb detection devices years after scores of independent tests proved that they were ineffective has security experts scratching their heads (as does the astonishing account that many countries today continue to utilise the ADE 651 to detect bombs, in light of the international media frenzy surrounding the case). That said, the case presents many insights into the varying degrees of security breaches that enabled McCormick to reap millions of dollars while continuing to perpetrate his scam around the world. Those breaches, when presented on a general basis, include:
• A lack of appropriate due-diligence investigations on ATSC, its product line, and its key officials.
• An unwillingness to validate (or an ignorance of relevant information about) the negative test results of the company’s product line which included the ADE 651.
• A lack of personnel oversight on the buyers’ side (or an intimidation of relevant personnel responsible for monitoring and auditing the procurement contracts).
• An inability of users to voice their concerns over the effectiveness of the product.
• A lack of a whistle-blower policy on the users’ end to identify improprieties of the transactions and ineffectiveness of the device.
• A lack of oversight into the high-level chain of command responsible for authorizing the purchases.

It should be noted that, to a varying degree, human perception also played an important role in the success of this scheme. The company had fabricated seemingly credible and documented accounts of the ADE 651’s effectiveness in detecting explosives in varying applications. Statements from soldiers and security personnel were used by the company (through printed sales collateral and through the company website) as testimonies of the device’s effectiveness. Further, there was no reason to believe that the devices were fake, given the amount of money being spent by government agencies to procure them. And surely no one could imagine that such an important piece of security equipment procured by such high-ranking officials would turn out to be completely fraudulent.

In hindsight, the “massive losses in money and lives” suffered through this tragic story may well have been averted had proper levels of due diligence been conducted, and the appropriate corporate security watchdogs been put in place.

Case Facts
A British security products business sold phony bomb detectors to security forces around the world, making tens of millions of dollars in the process while being potentially responsible for bomb attacks that killed scores of innocent civilians throughout Iraq.

Persons of Interest
• The owner of the company that sold the phony bomb detectors was arrested and convicted of fraud.
• Several senior Iraqi government officials were arrested and tried for accepting bribes associated with no-bid contracts to purchase the fake bomb detectors.

Breaches in Security
• Lack of oversight in the procurement process.
• Lack of due diligence in examining the background of the supplier or its principals.

Impact of Breach
Scores of Iraqi citizens have been killed or seriously wounded as a result of bomb attacks, which may have been averted had the security forces utilised detection devices that worked.

CRI Solutions
• Perform due diligence checks on the company and its key principals prior to making major purchases.
• Conduct background research into the viability of the products being procured.
• Execute a risk assessment strategy to provide oversight of transactions involving such highly sensitive international deals.
• Establish an effective whistleblower policy that focuses solely on the concerns of employees.

The ADE (Advanced Detection Equipment) 651 sold by ATSC (Advanced Tactical Security & Communications)

From his false profits, McCormick bought a $301,900 holiday home in Florida, a $483,000 villa in Cyprus and a $950,985 Sunseeker Portofino cruiser named ‘Aesthete.’

Recommended Solutions To Guard Against Such Breaches

This case clearly demonstrates that there are often at least two colluding parties in an international fraud operation. With regard to the fake bomb detector scheme, on one side stood a wealthy con man who was extremely convincing in selling his contraption and
went to great lengths to tell his story worldwide, eventually bribing government officials with huge amounts of cash to get them to sign off on multi-million-dollar purchase agreements for thousands of the useless devices. On the other side stood high-ranking government officials who raked in millions in personal gain while spending the government’s cash to purchase the worthless devices.

Who’s responsible for the horrendous lapses in security? It’s hard to answer that question given the nature, intricacies and politics of the Iraqi military. But from a corporate standpoint, there are several actions one can take away from this case to ensure that these security breaches don’t occur in your business:
• Run a thorough background check on your company’s primary vendors and third-party suppliers. Although McCormick had experience as a police officer, he had no technical or scientific background or training. And don’t always place trust in the professional and trade associations with which the vendor is affiliated. ATSC had falsely claimed to be a member in good standing with the International Association of Bomb Technicians and Investigators, and used the organisation’s logo in their sales material to add credibility to their product line.
• Conduct a risk assessment on the vendor to identify any potential vulnerabilities. If you’re going to spend millions on a product, make sure you know the origin of manufacture and the background of the company from whom you’re buying. A thorough risk assessment will ascertain whether the vendor has the proper policies and procedures in place to address such ongoing risks as quality control, testing, performance criteria, reporting processes and product integrity while verifying that the company has the wherewithal to meet your quantity requirements over the long run.
• Conduct due diligence on the various claims being put forth by the vendor. Contact supplied and developed references to get firsthand accounts of the product’s performance and drawbacks. Research news sources, industry groups and trade organisations for any derogatory information or test results related to the product. Contact other users of the product to get their feedback on the viability of the product.
• Establish purchase benchmarks internally (based on price and/or quantity levels) which trigger alarms when those levels are met or exceeded. Never give any single individual authorization to procure products that exceed a pre-established level.

Sometimes, all it takes is an international case such as this to open an organisation’s eyes to how it is conducting its own business affairs. Utilising effective measures that verify vendor and product claims will help to mitigate the risks involved in such transactions, and keep your organisation out of the headlines.

EDITOR'S NOTE
In May 2013, McCormick was sentenced to 10 years in prison for his bomb detector fraud. According to media reports, the judge proclaimed that McCormick “has blood on his hands” from the “callous confidence trick.”
ABOUT THE AUTHOR Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, is chief executive officer of CRI Group (CRIgroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Email Zafar at zanjum@crigroup.com.
Europe’s Horse Meat Scandal Raises Questions About Integrity of the Corporate Supply Chain
By Zafar I. Anjum, CFE, CIS, MICA

The recent scandal in Europe over the inclusion of horse meat in food products that were purchased by consumers who believed they were 100 percent beef has turned a spotlight on the importance of oversight in the corporate supply chain.

The scandal began in January 2013 when Irish authorities found traces of horse DNA in “value based” frozen beef burgers made by processors in Ireland and Britain and sold in Tesco, Aldi and other major supermarkets across Europe. Further testing also showed the presence of pig DNA in the beef burger samples. According to reports, the food products originated from Liffey Meats and Silvercrest Foods in Ireland, and the Dalepak Hambleton food processing plant in the United Kingdom. Trace amounts of horse DNA were also found in raw ingredients imported from Spain and the Netherlands.
Ironically, the scandal posed no real threat to human health. But it breached many cultural taboos related to eating horse and eating pork, and has raised a firestorm of questions and concerns over the integrity of the food system on the Continent and the security of food supply chains. The ensuing media storm coming from the scandal has supermarket chains across Europe facing a wave of criticism. As a result, those operators were forced to pull millions of beef products from their shelves that were thought to contain horse meat. With politicians, food standards agency officials and the public demanding protection against food fraud and food adulteration, the industry’s meat retailers, suppliers and supermarkets have all suffered reputational harm and widespread financial losses. Tesco, the UK’s largest retailer and a leading international retailer, saw its market value plunge more than one percent, or £300m, in one day after it removed 21 lines of its frozen burgers from 3,000 British supermarkets. The operator of more than 6,000 stores worldwide has since worked feverishly to repair its damaged image by heavily promoting measures that will allow it to better track its supply chain and ensure quality in its food products.
Impact On The Industry

The scandal revealed a major breakdown in the traceability of the food supply chain, and exposed a web of fraud practiced by several food processors that took advantage of the intricacies of the supply chain for their own financial gain.
According to sources close to this scandal, a growing global economy has enabled the food industry to source its products worldwide, which has added to the sophistication of the industry and increased the complexity of the supply chain. Because of these factors, it’s becoming increasingly more difficult to monitor what goes into a product. Moreover, a stressed worldwide economy has forced organisations to take extreme measures and look beyond borders for cheap labour and more effective ways to preserve the bottom line. According to one source familiar with the food industry, “Supermarkets are pressing the supplier, the supplier is pressing the sub-supplier, the sub-suppliers’ workers are cheating because they are paid poverty wages, being from the third world and imported as cheap labour.” Because the supply chain has so many layers, it’s become increasingly difficult for even cash-rich companies such as Tesco to identify, monitor and secure their sources. Foreign suppliers are being blamed by experts who claim that those third-party suppliers have caused the contamination scare in a deliberate swindle to save money in supplying products to the value supermarket chains. Silvercrest, one of Tesco’s meat producers, defended itself by commenting, “Silvercrest has never purchased or traded in equine product and has launched a full-scale investigation into two continental European third party suppliers who are the suspected source of the product in question.” Tesco has since dropped Silvercrest as a meat supplier. That move was closely followed by several well-known food retailers and wholesalers through Europe, and even fast-food giant Burger King,
which owns more than 500 fast food restaurants throughout Ireland and the UK.
“An Alarming Breach In Controls”

Fraud has always been a mitigating factor in the corporate supply chain. And it’s no different in the food industry. It is estimated that fraud accounts for as much as 10% of food sales, with common examples including Vietnamese catfish being passed off as cod, ordinary olive oil as extra virgin and vegetable fat as mozzarella cheese.

While the blame for the horse meat crisis may lie in part with lower-level suppliers and mislabeling fraud, the scandal has nonetheless shone an unflattering light on the food industry’s supply chains, and the alarming breach in controls that has been publicly exposed, especially those controls utilised by the major supermarkets.

For their part, the retailers are owning up to the fact that they may not be as diligent in monitoring suppliers as was once thought. Tesco, for one, admitted to its lack of knowledge that one of its suppliers had been purchasing meat over the past year from an unapproved third-party Polish supplier. According to a statement made by one of Tesco’s technical directors, “It was impossible to check the supplier in Poland, as we didn’t know it existed.”

That lack of knowledge of the processes being used by the companies to which the products are being sourced has led to the overriding issue that now plagues the food industry. With an ever-expanding global supply chain, it has become increasingly vital that retailers be made responsible for what they sell, how it’s made and where it comes from.
Case Facts
Several major supermarket chains throughout Europe have come under intense scrutiny after horse DNA was discovered in products they claimed were made entirely of beef. The ensuing crisis has eroded consumer confidence over the method in which supermarkets purchase their food products.

Persons of Interest
• Several food processors in Europe are being investigated for using horse meat in the beef products they sold to supermarkets.
• Major retailers, including Tesco, Aldi and others, are under the microscope for not properly monitoring and managing their food supply chain.

Breaches in Security
The complexity of the food supply chain has made monitoring of food processors increasingly difficult. Further, some processors are turning to fraudulent adulteration methods to reduce costs and compete on a “value” level.

Impact of Breach
Supermarkets have taken a beating financially, as shoppers are turning away from “value” foods which they believe contain products not mentioned on the labels. Retailers, in turn, are investing millions to restore trust and bring back that consumer confidence.

CRI Solutions
Establish systems that enable the business to know who its suppliers are and ensure that those suppliers are complying with benchmarks, requirements and other indexes that define the corporation’s core values.

Updates
• Tesco has pledged to shorten its supply chains and source meat from inside the country wherever it can.
• Tesco has promised to spend millions of pounds annually on DNA testing, to make sure its suppliers are delivering the ingredients listed on its food products.

Managing Your Supply Chain

Short of a business launching its own in-house production or manufacturing facility to meet all of its component needs, the only economically viable way for companies to stay competitive in this global marketplace is to rely on their supply chain networks. And it’s the responsibility of the organisation to ensure that its web of suppliers is reliable and trustworthy.

To ensure your suppliers’ values are in line with those of your business, it’s vital that you put in place an effective supply chain management system. Such a system will become a watchdog over the processes, controls and communications to mitigate the inherent risks associated with outsourcing the products that define your brand in the marketplace. Here are several recommendations to support your supply chain management system.

Review Your Supply Chain. Launch a traceability audit with suppliers to document where your products are coming from. Every level of your supply chain (going well beyond your first-tier suppliers) should be reviewed, scrutinized and accredited. With that review in hand, ask yourself if your suppliers are conducting business in a way that conforms with your core values, and producing product that meets your requirements. A long supply chain means limited control over what you are producing, so consider the alternatives to your present suppliers and look into simpler ways to produce your product.

Conduct Your Own Quality Tests. Conduct factory audits on all suppliers in your supply chain before placing that first order. Ensure that every supplier conforms to your quality levels and is adhering to strict product specifications. Those audits will come in handy should any risk issues arise down the road. Additionally, require your suppliers to conduct and produce self-administered audit reports that show the reviews were conducted by independent (and credible) industry auditors.

Maintain a Policy of Transparency. To instill confidence within your customer base, be as transparent as possible about your suppliers, producers and production operations (without divulging trade secrets, of course). This could vastly reduce the potential for a public relations crisis down the road. The more information your customers have, and the more transparency there is in your corporate supply chain, the harder it will be to be taken by an unscrupulous supplier.

Get Legal Involved. Make sure every supplier you’re working with knows the boundaries of your business relationship. Employ legal contracts that spell out required benchmarks related to quality, materials, delivery, sub-contracting and other production facets.

Communication is Key. Do you have an internal communications system that engages with your workers (and perhaps your suppliers’ workers)? Workers typically have first-hand knowledge of production issues, and a communications system that enables them to provide input and feedback generally gives employees a chance to voice their concerns before the situation builds to crisis proportions.

Look to the Industry for Support. As a result of the horse meat scandal, supermarket retailers across Europe were all impacted by the acts of a few third-party meat processors. Therefore, it’s important that trade partners share information on suppliers and utilise industry-sourced databases for the latest information and updates, so that red flags can be raised to identify (continued on pg. 23)
Corporate Resilience: Managing Third-Party Risks
By Zafar I. Anjum, CFE, CIS, MICA
Ethics Resource, 1st Quarter 2013
It goes without saying that forging strong relationships with outside service providers, manufacturers, and supply-chain and distribution partners will strengthen a company’s ability to broaden its markets, expand its product and service offerings, respond more aggressively to ever-changing market demands, and potentially boost bottom-line performance.
From utilising call centers in Mumbai and granting retail franchises in Seoul, to outsourcing circuit boards to manufacturers in Shenzhen, fulfilling orders from massive distribution centers in California, and partnering with investment banks in Dubai, successful businesses rely on an oftentimes complex web of alliances with third-party providers to reduce operational and labour costs, enhance capabilities and boost the bottom line.
But when any number of factors impairs the ability of a third-party affiliate to adequately fulfill its contractual obligations, a business can suddenly become exposed to myriad crises that could ultimately lead to revenue loss, international litigation, reputation damage and regulatory action — all while potentially affecting the organisation’s ability to attract new business or service existing customer relationships.
The most effective third-party partnerships involve a multi-tiered risk management process that begins at the company level well before any outside provider ever enters into the organisation’s business model, and ensures that the organisation itself has the ability to be fully resilient in the face of crises emanating from a third-party catastrophe.
The Risk of Third-Party Partnerships
It is highly probable that, at some point, organisations that affiliate with outside providers will eventually have to deal with an operational interruption resulting from a third-party related issue. The risks involved in partnering with outsiders haven’t changed over the centuries. It is the potential liability that has been ratcheted up several notches. International borders have been ripped down. Technology has improved the way businesses communicate. Easy access to data and information enables the media to report on business news before a business can properly respond. And the markets are quick to form opinions based on a 24/7 on-demand news cycle.
The result of this increased liability is problematic. Business litigation has skyrocketed. Corporate reputations are constantly being assaulted. Business strategies are forever shifting. Board members are becoming increasingly subjected to intense scrutiny from outside critics. And a highly educated market responds immediately with their pocketbooks.
A simple poll of any large or small business will show that a vast majority of those organisations have suffered some type of harm from the actions (or inactions) of a third-party affiliate. The harm includes:
• Experiencing financial loss when a third-party provider failed
• Losing customers because of poor-quality service from a third-party
• Exposing breaches to data systems because of poor security practices by a third-party
• Experiencing supply chain issues due to poor disaster recovery procedures by the third-party
• Being exposed to litigation because of relationships with an outside provider that significantly violated contractual terms, potentially resulting in regulatory exposure
The most successful organisations around the globe are the ones that can rise above the scrutiny and demonstrate an aversion to risk and a resiliency to crisis. These are the organisations that go to great lengths to establish strong risk management systems designed to:
1. Identify and weed out unqualified or unscrupulous third-party providers in the pre-contract bidding phase
2. Ensure that the provider is adhering to every provision of the contract while it is in effect
3. Provide viable outlets in the event that a third-party provider falters
A strong risk management programme helps companies effectively identify and mitigate risks posed by third-party providers in critical risk areas such as information security, service delivery, supply chain processing, financial processing, reputation management and regulatory compliance.
The Fundamentals of a Third-Party Risk Management Programme
By taking a proactive approach to address the risks involved in working with third-party providers, an organisation can greatly decrease its susceptibility to liability, business interruption and brand damage. This planned approach incorporates several phases and demands buy-in that starts at the top of the organisation and trickles right down to the staff members to ensure that the mechanics of the plan are closely followed.
[Figure 1: Third-party risk management programme fundamentals. Panels: Phase 1, Identify Vulnerabilities; Phase 2, Contracting Requirements; Phase 3, Conducting Due Diligence; Phase 4, Management Oversight (Manage, Monitor, Maintain).]
PHASE 1: Identify Vulnerabilities Through Risk Assessment
Third-party risk assessments are used to ascertain whether an organisation has the proper policies and procedures in place to address all potential risks at the management, operations and financial levels, and take into account the likelihood of those risks actually occurring. Certain aspects of a risk assessment may include a review of internal auditing procedures, compliance guidelines, performance criteria, internal controls, reporting processes and contractual requirements that are vital to foster a long-term positive return with the third-party provider when looking at the relationship from a cost-benefit standpoint. Specific areas addressed in a third-party risk assessment could include:
• Audit and supervision functions that assign clearly defined responsibilities throughout the organisation
• Business continuity plans that take into account natural disasters and third-party business closures
• Supply-chain alternatives that respond to every possible scenario, from regional events to currency fluctuations
• Jurisdictional considerations and affiliations with potential partners located in regions that may be prohibited by law
• Data and Intellectual Property protection which includes customer privacy and information security considerations
• Anti-corruption and whistle-blower policies that start at the staff education level and extend to safe internal and external reporting mechanisms which are easily accessible to management and staff
Such assessments ensure that there are tight controls in place to mitigate key risks, and assign specific responsibility for maintaining the control to designated management and staff members. Any gaps that are detected in these internal controls are also addressed during the assessment phase.
Further, a third-party risk assessment plan will also help determine whether the proposed third-party relationship is consistent with the company’s stated strategic plan and overall business strategy.
PHASE 2: Contracting Requirements
Contract requirements related to third-party business relationships essentially begin in the pre-bid phase, with the use of standard integrity language in bidding documents to alert bidders that documents submitted in support of organisation’s original bid proposals are subject to independent verification by an outside source in order to authenticate the qualifications and claims made by the bidder. Once selected, the organisation’s legal department is charged with drafting written contracts which outline specific duties, obligations and responsibilities of both parties involved in the contract.
Third-party contracts address such fundamental factors as quality, price, reliability and financial viability when assessing potential partners. They should also stipulate security of information and information systems as a factor in the contracting process.
Here are other provisions to consider, depending on the breadth and scope of the relationship, and the resulting contract:
• Responsibilities of each party
• Reporting procedures and availability
• Performance standards
• Scope of work
• Compliance with laws, regulations, safety, labour laws, etc.
• Permissibility to subcontract
• Data ownership
• Service level agreements
• Response time
• Productivity benchmarks
• Customer service
• Business continuity plans
• Disaster recovery plans
• Confidentiality clauses, including customer lists and information security
Properly written third-party contracts ensure that the organisation’s compliance management system is adapted to effectively address the third-party relationship and appropriately respond to any issues or compliance deficiencies. Any significant contract with a third-party should guard against assignment, transfer or subcontracting by the third party of its obligations to another outside entity, unless the organisation determines that such an action would be consistent with the scope of work or the goals of the organisation.
PHASE 3: Conducting Due Diligence
Due diligence on potential third party providers is critical to confirm legitimacy and reduce the risks associated with such business relationships. The due diligence process provides management with the information needed in making the determination that working with a potential third-party would ultimately help achieve the organisation’s strategic and financial goals. A comprehensive due diligence investigation involves a review of all available information about a potential third party, focusing on the provider’s specific relevant experience, its financial condition, knowledge of applicable laws and regulations, reputation, and the scope and effectiveness of its operations and controls. The evaluation of a third-party may include the following items:
• A thorough investigation of the provider’s business and operations
• A comprehensive review of the provider’s financial condition and reputation
• Evaluation of the provider’s experience in implementing and delivering on the proposed scope of services
• Review of the provider’s culture, vision and business style to ensure cohesiveness with those of the organisation
• Reference checks, including peer businesses and industry groups
• Review of local and regional government records to identify any past or present litigation involving the provider
• Background checks of the provider’s key principals
• Reviewing the provider’s internal controls, information systems, security, confidentiality and contingency planning documents
• Review any existing working relationships to gauge the reliance on subcontractors
• Ensure adequacy of insurance coverage
• Review of marketing and customer service practices
• Review of certifications, quality controls and continuous improvement initiatives
In general, due diligence will lead the organisation’s management to consider some basic questions prior to dealing with a third-party provider. Pending a review of the provider’s operations, reputation and financial position, those questions include:
• Would our organisation offer products or services to the provider on credit?
• Is the provider accessible and approachable?
• Does the provider clearly understand the organisation’s business goals?
• What are our options for terminating the contract with the provider (if needed) and how will this affect the organisation’s operations?
NOTE: Not only should due diligence be conducted prior to selecting a third-party provider, it should also be performed periodically during the course of the relationship, particularly when considering a renewal of a contract.
PHASE 4: Management Oversight
Successful organisations that effectively engage in third-party business relationships rank the areas of “culture and leadership” on the same level of importance as “policies and procedures” when it comes to being resilient. Therefore, management oversight is critical to the third-party risk management process.
An organisation’s senior management is ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the scope of services were being provided from within the organisation. Therefore, senior management is charged with ensuring that the business relationships with third-party sources remain strong, productive and free of risk.
To accomplish this, management should adopt a “manage, monitor, maintain” posture that clearly defines the key elements of a successful business relationship:
• Manage — Bid proposals, contracts, licensing, registrations, certifications, training levels; review third-party contract provisions at least annually.
• Monitor — Production standards, output benchmarks, quality and compliance. While it is vital to ensure these standards are in line with the provisions of the contract, management should also strive for and demand continuous improvement in these areas.
• Maintain — Regular contact with third-party providers, including open communications and regular site visits to review operations and ensure compliance with the provisions of the contract.
The organisation should be vigilant at maintaining an updated database of debarred and questionable third-party providers, which will simplify the due diligence process before contracts are awarded and prevent contracts from inadvertently being awarded to such providers in the future.
While partnerships with third-party providers can be beneficial to the organisation on so many levels, such alliances can expose the organisation to many unknowns, and those unknowns will undoubtedly increase the level of risk. The key, then, is properly managing the infrastructure, systems, staff and outside support to adequately manage that risk.
About the Author
Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, is chief executive officer of CRI Group (CRIgroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Email Zafar at zanjum@crigroup.com.
(continued from pg. 15)
undesirable suppliers. It’s also vital to monitor communications coming from the trade groups that cater to your industry to keep abreast of issues related to your market.
Employ Independent Consultants. Using outside advisers who are impartial to the industry, your customers and your suppliers will add a degree of credibility and transparency to your supply chain management programme. Such advisers are knowledgeable at conducting thorough due diligence investigations that can expose undetected risks in third-party supplier relationships, while acting as an outside set of eyes to review your policies and procedures and detect any security breaches that could potentially harm your organisation.
Any viable supply chain relies on a certain degree of trust between all parties involved. And it’s only through the use of a well designed supply chain management system that the level of trust shared between parties will mature and grow stronger.
About the Author
Zafar I. Anjum, CFE, CIS, MICA, Int. Dip. (Fin. Crime), MBCI, is chief executive officer of CRI Group (CRIgroup.com), a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Email Zafar at zanjum@crigroup.com.
Third-Party Risk Management: Does Shaking Hands with a Third-Party Partner Make You Shaky?
By Aniqa Bukhari
In this era of globalisation, organisations are increasingly focused on their main objectives and core competencies. Shaking hands with third-party investors/vendors for a broader business prospective is becoming more important than trying to build a one-man show, especially when facing competition in a rapid growth market. Therefore, outsourcing becomes a major tool for minimizing the cost of production and engaging employees on competent work.
By focusing on compliance guidelines and discussing major challenges, business leaders can identify the right ways to mitigate risks.
Competitive advantage is a key to success in the race to build reputation and meet deadlines regardless of the business type — whether a manufacturer, service provider or other business. Third parties in the form of vendors, suppliers, consultants or general outsourcing partners can help create an efficient environment for work, reduce the cost of production, increase effectiveness of other chain processes, and increase revenues. Yet, engaging third parties also creates risks and vulnerabilities for an organisation. Third-party relationships should be transparent — like a reflection of your business in a mirror.
Working closely with your partners will reduce time, risk and overall administrative involvement.
The purpose of this article is to provide a basic understanding of the risks that can affect any entity that enters into a business relationship with another institution, organisation or company. Third parties can be hardware or software companies, financial or non-financial institutions, manufacturers or service providers, regulatory or non-regulatory entities, and local or overseas corporations, just to name a few.
Not all of the following risks are applicable for every third-party relationship; however, these definitions cover this complex and significant topic in all important areas.
Reputational Risk: Reputational risk emerges from adverse effects and negative opinions that can damage the organisation. The third-party relationship might result in disappointed clients, loss of trust, and consequently, financial loss. For example: a third party that manufactures a product which is not up to the mark of health standards will not only pose health problems for consumers, but it will also create reputational damage and regulatory problems — leading to financial loss.
Compliance Risk: Compliance risk results from violations of a company’s standard procedures, internal policies, laws, rules and regulations, and ethics. For example: a third-party marketing company advertises products for an enterprise, but doesn’t follow the standard procedures and privacy policy of the enterprise — this can lead to charges for breaching the Federal Trade Commission Act.
Operational Risk: Operational risk derives from inadequate procedures, internal system errors or external events beyond an organisation’s control. For example: an organisation uses an exchange company to transfer funds to their material suppliers before shipping and dispatch. Due to an earthquake, the system fails within the exchange company and they are unable to transfer funds on time, resulting in late receipt of the shipment — and the late manufacturing of certain goods.
Business Risk: Business risk develops from a third party’s system failures, human mistakes, fraud or the incapability to provide services on time. Improper due diligence and no appropriate contingency plan for selecting third parties leads directly to a heightened business risk. For example: a leading regulatory organisation makes a third-party contract with a software house to provide a system for highly confidential information which cannot be hacked by criminals or anti-country elements — but the system does not fulfill these requirements, fails, and is hacked — which not only creates a transactional failure but also a country solvency issue.
Strategic Risk: Strategic risk results from poor business decisions or incorrect implementation of any business policy or procedure, leading to detrimental effects on organisational strategic goals. For example: an organisation selects a bank for assigning an investment from which they could generate adequate return to establish a new factory wing. Due to a change in monetary policy, the bank decreases the rate of return, directly affecting the potential strategic goal of the organisation.
Planning, risk assessment, and due diligence are fundamental to third-party agreements.
Credit Risk: Credit risk arises from the financial conditions of the third party itself. Sometimes a third party runs short on the funds needed to perform certain tasks they had agreed to perform — creating a default situation for the organisation. For example: a company issues TFCs Pre-IPO and IPO in the public and private sector for their factory establishment, and makes a third party contract with an investment bank to buy remaining TFCs — but the investment bank runs short on the funds needed to buy total remaining TFCs.
Country Risk: Country risk refers to a third party located in a foreign country having different cultural values and beliefs. The social, political or cultural values could adversely affect activities of the foreign-based third-party service providers and create a challenging situation that may harm the organisation. For example: a food manufacturer may use ingredients that are prohibited by another culture or religion — if they enter a third-party contract, their business practices can negatively affect an organisation, legally and/or ethically, within their own country.
Other Risk: Understanding of the third party agreement is very important. If any party misunderstands the agreement or even a clause, then personal interests might change or delivery of services might be affected. This can include any of the above risks, which are already described as potential risks in terms of liquidity, interest rate, currency conversion rate, legal issues or target market selection.
With so many risks of failure involved with third parties, and the completion or execution of third-party projects, a competent and reputable method for third-party selection is critically important. Is your company adhering to the following proven procedures?
Pre-screening: Selecting a third-party vendor/investor using pre-screening is the first main step in conducting proper due diligence for jurisdictional and inherited risks. It includes:
• Establishing that the third party is entering into the contract for mutual benefits, and not simply their own advantage or growth.
• Knowing the third party’s business capabilities, legal status, knowledge and experience, capacity in terms of employees and in terms of resources, and expertise.
• Defining any potential problems and addressing any inappropriate situations that could develop through a partnership with the third party.
Assessment: A screening process that provides a complete and comprehensive risk review for the enterprise in terms of governance, reputation, finance, and regulatory analysis. This is the part of the assessment phase where the ultimate risk is defined. It includes:
• Audited financial review and analysis of financial condition
• Past achievements and problem-solving skills used in certain situations
• Management capability and past background of individuals from where they got expertise, whether it is educational or practical
• Width and length of business operations in which third party is engaged
• Reputation of the third party within the consumer forum and in the business industry
• Goals, philosophy and expertise, in terms of employee and management
• Security and privacy policy tools and system effectiveness in terms of software, hardware and human intelligence
• Insurance coverage in terms of accidental cases and natural events
Mitigation: Mitigation or alleviation is the step where both parties, the organisation and the selected third party, thoroughly describe to each other the scope of the assignment and how it is to be performed. It includes:
• Detailed agreement description
• Organisational interest and requirements
• Third-party boundaries and structural procedural limitations
• Organisational policies, legal and ethical rules and regulations
• Political, geographical, and social scenario
• Religion or country values in the case of overseas partnership
• Currency and pricing details and conversion rates
• And any other factor which could create any kind of risk in future
Monitor: Periodic screening to understand the current requirements, entity’s performance, checking for changes in policies and safety of organisational risk in terms of compliance and regulations is a final step for third-party risk management.
To maximize benefits from third-party relationships, your organisation should have an effective process for managing the associated risks. Don’t be fearful that you might lose your third party vendor/relationship if you follow these steps — as it is your duty, as a responsible third-party partner, to seek a stable, long term professional relationship… rather than face unknown future risks.
About the Author
Aniqa Bukhari can be reached at +971 4 3589884.

You secure their future.
We’ll secure their past.
Global hiring is on the rise. Are you confident your candidates truly have the skills, credentials, knowledge and experience they claim on their résumé, or during an interview? How can you be certain of the integrity, background and personal history of potential hires? CRI Group can help.
Address checks and physical verifications
Education and credential verifications
International criminal record checks
Reference verifications
Integrity due diligence checking
Compliance and regulatory checks
Verify identity documentation
Litigation record checks
Local-language media/public domain searches
Immigration status verifications
Employment verifications
Verify credit and financial histories
Bankruptcy research
Contact Us Today
Visit our mobile website
+44 207 038 8366 investigations@CRIgroup.co.uk www.CRIgroup.co.uk
UAE | Qatar | United Kingdom | Pakistan | Singapore