Energy companies could face risks by using third parties
Integrity compliance and integrity due diligence are crucial to companies with international operations. David Lister and Gavin Proudly of EY look at the key issues, and at how oil and gas companies are tackling them
The risks are clear. Energy companies can face highly disruptive investigations into allegations of bribery and corruption as a result of the actions of third parties operating abroad on their behalf. The need to ensure compliance with integrity legislation and to carry out thorough integrity due diligence is pressing. Take the US, for example. Kara Brockmeyer, the head of the Foreign Corrupt Practices Act (FCPA) Unit at the US Securities and Exchange Commission (SEC), noted last year that over 60% of FCPA cases involved third-party intermediaries. In the past year alone, enforcement action in the oil and gas sector has focused on an agent with political connections, a company’s bank manager, joint venture partners, freight forwarding agents and distributors.
The respective Deferred Prosecution Agreements flowing from these enforcement actions, as well as those from earlier actions, have set out what businesses in the sector need to do to improve their compliance with anti-bribery and corruption legislation. A recurring theme is the need for businesses to have an effective integrity due diligence process.
Organisations need to know that the third parties they are associated with are acting with integrity, are not exposing the organisation to risk and are capable of delivering what it is engaged to deliver. They need to understand the relationships the third party has with any politically exposed persons or other public figures and they need to know that the third party shares their commitment to ethical business practices.
They need to know this because oil and gas businesses are operating in markets where the risks of bribery and corruption are high and show no signs of reduction. EY’s EMEIA Fraud Survey last year showed 35% of respondents from the extractive industries felt that it was common to use bribery to win contracts in their sector, compared to 25% across all sectors.
Oil and gas businesses themselves are clearly not inherently corrupt - the sector does not somehow attract more unethical executives than other sectors. But there are a number of factors that, together, create a higher risk environment: these include the jurisdictions many businesses operate in, the nature of their activities and the necessary interactions with public officials, and finally the sheer number of third parties that are dealt with as a result of the vertical disaggregation in the industry.
The regulatory and significant reputational risks come to bear amid a wide range of other pressures on the oil and gas sector, including the Dodd-Frank Wall Street Reform and Consumer Protection Act, publish what you pay legislation and other transparency initiatives.
Over the past few years, it is clear that the industry has taken significant action to address the risk, and integrity due diligence is becoming a well-developed and embedded process. According to EY’s global fraud survey, 60% of companies in the oil and gas sector have a background checking process for third parties, which is 7% higher than average. In some ways, businesses in the oil and gas sector are setting the standard.
Today, if you type “oil gas third party risk” into any search engine, the thousands of hits will include conferences being promoted, articles published, information on enforcement actions from regulators and websites of integrity diligence providers describing the benefits of their services.
There is also no shortage of guidance from regulators, such as the UK Department of Justice guidance on the Bribery Act, industry bodies and others, such as the latest OECD guidance on bribery and corruption. Although this guidance is rarely contradictory, it does not collectively offer an obvious best in class model that businesses can adopt.
Instead, businesses across the sector are at various stages of maturity and are left having to work out for themselves what good looks like and what the most effective model is for them and their risk profile. In doing so, they are addressing challenges of risk profiling, insourcing/outsourcing debates, and wondering how many providers are required, what type of information they need, how to keep it current and how to best use technology.
All the guidance highlights the need for an integrity due diligence process to be risk-based. Unfortunately, the advice doesn’t go further in explaining what this means in practice. In reality, it means different things to different businesses, but risk profiling third parties is an essential first step in the process. Arguably, it is the most significant challenge businesses face in building their effective integrity due diligence process – which of the thousands of third parties do we need to conduct integrity due diligence on, and at what level of detail?
Most businesses apply some kind of filter, so that a large, well-established, Aberdeen-based organisation providing professional services may not undergo the same level of integrity due diligence as a small business run by a former oil minister in a high-risk jurisdiction providing market entry consultancy services.
So the risk profiling might include the jurisdiction of the entity (although no matter how incorrupt a country is according to Transparency International’s indices, it is never immune to corrupt individuals registering companies there). It must also include the nature of the services provided and the likelihood of interactions with government or other public officials.
The output of this risk profiling should be a clear decision on which third parties will be subject to what level of integrity diligence and why. Many businesses – including those with long-established processes – still go through this profiling phase in a relatively unstructured way. This can work well, until an investigation team asks why a decision was reached and requests the documentation behind the decision. At that point, the robustness of the whole process is brought into question.
Having decided which third parties will be subjected to what checks, businesses face the decision of whether to outsource the process or conduct it in-house.
There is no consensus across the industry on whether integrity due diligence research is best conducted in-house or outsourced. The decision appears to be driven as much by the culture of the organisation as by the volume of third-party checks required.
For example, some smaller businesses with a limited geographic footprint and mainly low-risk third-party relationships have trained a handful of individuals on compliance databases and basic desktop research and do the necessary checks in-house. They don’t feel the need for yet another contract with yet another external provider. Equally, some of the majors with a larger number of higher-risk relationships have decided that creating their own integrity due diligence team (usually in a lower-cost location) is the best approach. It is under their control and gives them what they want. They can also redeploy their scarce internal resources on other compliance or investigation issues as required.
Many other organisations, however, continue to use external providers, and the fact that new providers regularly emerge suggests the market for these services remains buoyant. Using an external provider obviously removes the need for investment in the technology and people necessary to build up a capability. It also provides a scalable solution, giving businesses the ability to manage sudden surges in requirements. External providers deliver anything from only basic reports through to a full third-party risk management system that is integrated with an organisation’s own technology platforms.
If they choose to outsource, organisations need to select providers. Oil and gas businesses are becoming increasingly sophisticated in this, recognising that providers have different strengths in different jurisdictions. This often results in businesses having a panel of providers who are used depending on the circumstances.
The benefit to the business is the specialisation and skills of the provider in the respective market. The limitation is that the provider is less able to give a holistic view of the organisation’s risks and less able to offer insight across a broad range of third-party relationships. This monitoring of the overall risk – if it is to occur – would likely fall to compliance teams.
In most organisations with a developed integrity due diligence process, the question of whether the third party is alerted to the process is no longer considered: it is explicitly stated to the third party that they will be subject to integrity due diligence and, in many cases, they will be actively involved in it.
In some cases, particularly in the context of acquisitions or new market entry, there will be a benefit to conducting discreet integrity due diligence in advance of a more overt process. This can support strategic business decisions by providing early indicators of potential red flags.
An overt process demonstrates the commitment of the business to ethical conduct; it protects against the risk of the third party finding out that discreet research was being conducted (which can damage potentially important relationships), and it provides a mechanism to obtain important information from the third party themselves.
Companies providing services to the oil and gas sector are becoming very familiar with the anti-bribery due diligence questionnaire that they are often asked to complete in advance of signing contracts. This is no longer restricted to smaller organisations providing services; larger organisations also have to complete such questionnaires as they partner with others that mandate this step.
An emerging trend – in effect, an extension of the questionnaire – is the requirement for organisations to certify their own compliance with anti-corruption standards. Third parties submit themselves to audits by external parties who then certify that the third party complies with various standards.
For this to be effective, the process usually requires that the third party is re-certified on a periodic basis. The costs of the certification are often borne by the third party, which is obviously an attractive option for organisations with a large number of third-party relationships. The risk is that this process could be viewed more as a tick-the-box exercise, where the business is not being seen to do enough to undertake its own independent integrity due diligence.
The purpose of an integrity due diligence programme for an organisation is clear: to build confidence that the third parties it is associated with will act with integrity and will not expose it to unknown risks. So if the information gathered does not generate this confidence, it’s not enough.
In some jurisdictions, though, reliable publicly available information can be very difficult to obtain, or is just not available. Businesses facing this challenge have often relied on providers to conduct source enquiries to gain additional information, using what some describe as human intelligence. These enquiries provide sometimes subjective and yet sometimes very insightful comment on the integrity of third parties. But the information can also be difficult to verify and can lead to more questions than answers.
Taking a risk-based approach will mean not getting all the information in some cases, and the decision that enough is enough will be determined by the initial risk assessment of the relationship, the significance of any red flags identified during the research, information gaps identified, and – critically – the risk appetite of the business itself. But when reaching this decision, businesses in the oil and gas sector may want to keep in mind the judgement recently issued by the Financial Conduct Authority (FCA) in relation to an insurance business.
The FCA described the gap between the organisation’s use of an online screening tool and its requirement to “check comprehensively” whether the third party was connected to the client and/or any public officials. Words such as “comprehensive” often make general counsel nervous when it comes to determining when enough has been done.
Just like the companies contracting with them, third parties change. They deliver new services, they enter new markets, and they change their owners and executives. And the external environment changes too. Governments put new individuals and entities on sanctions lists, for example.
So overnight the risk profile of a third party can go from pretty low (Western Europe-registered organisation providing standard services with a standard commission structure) to very high (that entity is controlled by an individual on a sanctions list). Financial services organisations often have well-developed monitoring systems to assess the risk profile of their customers on an ongoing basis, driven partly by the clear regulatory requirements around money laundering and sanctions. Corporates, on the other hand, tend to have less mature systems in place to monitor risk on an ongoing basis.
But this is changing. Large organisations that have a mature third-party integrity diligence process in place are now turning their attention to the ongoing monitoring of these relationships and entities and using technology to enable these reviews.
The UK Bribery Act led businesses to ask themselves again whether they had adequate procedures in place. The legal definition of adequate will only emerge over time, if ever – but there is a clear consensus that it includes an effective third-party integrity diligence programme. Leading practices have emerged across the sector and organisations wishing to benchmark themselves should consider how easily they can answer the following questions:
• Do you have a view of your third-party “universe”?
• Are you able to categorise these third parties by the risks they may expose you to – and is this consistently applied?
• Have you considered the costs/benefits of different approaches to integrity due diligence, such as building an internal team or using external providers?
• Are you engaging with the third party as part of the process to obtain information, and have you considered what more could be done to ensure their commitment to your anti-bribery policies?
• Are you using technology appropriately to maximise the effectiveness of this programme?
Above all, an effective integrity due diligence programme will not be designed simply to satisfy a legal interpretation of what is adequate, and it should not be designed around the lowest cost option to get a box ticked.
Instead, it will be designed to help the business reach the best decisions based on the right information. Oil and gas companies know the cost of reaching decisions without knowing the risks – that is why some of them are setting the benchmark for effective integrity due diligence programmes.