What constitutes a robust third party due diligence program in the Asia-Pacific region?

By Lisa van de Kamp

In recent years, the number of third parties that pharmaceutical, biotech and medical device companies engage with has steadily increased. In the Asia-Pacific region, third party intermediaries can include distributors, clinical research organizations, market access consultants, travel agencies and industry or medical societies.

These relationships do not come without risks as the behaviors of these parties can have an impact on a Life Sciences company’s reputation and present legal challenges.  Reduced oversight and the ability to audit and monitor third parties due to the limited resources available add to the challenges.

There is a trend for businesses to spend more with third parties as a shift from traditional sales and marketing tactics to distributors and contract sales organizations takes place. This shift increases the inherent risks as it is typically harder to control the actions of external parties.  It is therefore paramount for organizations to establish a process that helps them identify risks and introduces measures to mitigate them.

In emerging and hyper-growth markets, such as China and India, third parties are important business partners because they provide access to the market, however, they also carry significant exposure to corruption risk. The main focus of international regulation and enforcement actions by the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act (UKBA) thus far have been directed mainly toward interactions with third parties. A recent example of this is Bristol Meyers Squibb’s settlement with US authorities¹.

In the Asia-Pacific region, there is currently a growing emphasis on local regulations related to anti-bribery, such as ongoing reforms to China’s Anti-corruption laws, and South Korea’s Anti Bribery legislation, which was introduced in September 2016. In addition to reforms, enforcement actions, such as the 2014 GSK settlement in China² being one of the first settlements within the region, were a wake-up call for the industry. Andrew Ceresney from the SEC stated that “a healthy compliance program should also include third-party agent due diligence” ³.  Although there is a strong focus from legislators and enforcement agencies on third parties, the challenges in dealing with the relationships and the associated risks are still underdeveloped in compliance programs across some organizations.

Globally, organizations need to ensure they understand, and have access to, the way their third parties interact with customers.  This is because activities can be outsourced to a vendor or distributor, but the responsibility and associated risk still lies with the outsourcing organization. Understanding the relationship can help to properly address risk areas associated with certain types of third parties, but more checks and balances are needed to continuously and effectively minimize risks and costs related to any improper behavior done on the organization’s behalf.  Therefore, third party assessments, monitoring and auditing, as well as other related processes, are increasingly being used and made an integral part of the compliance framework.

At the outset, companies must focus on defining what types of third parties they deal with as well as building an effective program to assess the different risk levels associated with them.  Understanding the nature of the engagement, the business needs and conducting due diligence is a good place to start when looking to engage a third party.  Below are several criteria which need to be considered as part of the risk assessment and that can help to assess the relative risks related to the relationship:

  • Country – what is the overall risk level associated with the country related to this transaction? Does this country have any systems and programs in place related to third parties?
  • Vendor type – which type of vendor is used?
  • Value – keeping in mind the value of the agreement and is there a budget in place?
  • Government Involvement – is the third party (partially) owned by the government?
  • Corporate Executive Affiliations – is there any affiliation between the executives and the local/national government?
  • Litigations – has the vendor been involved in any fraudulent activities recently or in the past?

The third-party risk assessment proves its value only if all criteria are evaluated and an associated risk level is provided. When only focusing on a single or limited set of criteria, the probability of identifying the areas of risk or overall risk level correctly becomes lower, increasing risk for the organization. Also, being able to assign resources to act on this information is important from a business perspective as resources in the compliance area are often limited. Therefore, it is appropriate and more cost-effective to establish a clear methodology that can be easily implemented throughout the organization.

The method to assess the initial risk for new third party relations can also be leveraged to monitor the relationship on a regular basis. It is important to note that only assessing the risk at the start of the collaboration which mainly focuses on the behavior of the third parties in the past, does not guarantee its behavior in the present or future. Hence, it is important during this engagement phase to have a clear compliance program in place, that contracting is properly executed, Fair Market Value is setup & expense control are put in place. In addition, sharing the organization’s ethical policies and having the third party comply and uphold these policies needs to be part of the contracting process. This provides clear expectations upfront.

After the engagement phase, a regular monitoring program is needed, both as part of the overall compliance framework, and to ensure the right to audit the third parties. This enables the organization to periodically implement a mitigation plan during the relationship, thereby reducing the impact on an organization’s reputation as well as limiting possible legal challenges.

There are unique challenges in the Asia-Pacific region when it comes to implementing and properly executing a third party due diligence process. First, in certain countries, such as China and India, there is push-back to any risk assessment activities prior to, during, or at the end of the relationship. Even though this seems to increasingly be a point of discussion, research by the Singapore Management University has shown that only 29% of companies include audit rights in their contracts. Having sufficient resources is another matter, which leads to the second challenge, namely the ability to execute on the risk involved.

Compliance is becoming more visible on the agenda in the region, but often compliance officers have a small team and a vast number of countries to oversee. Therefore, decision-makers need to be educated in identifying compliance risks, and be supported in making appropriately balanced decisions. Compliance officers need to recognize the inherently risky business environment as well as the commercial risks of not engaging in the market. All balanced decision making should include some means of measuring risk exposure over the course of the engagement. This should thus be part of the vendor management program as well. A risk-based decision making framework can help compliance officers make balanced decisions and allocate resources accordingly. This is especially relevant in the Asia-Pacific region, where historically gift-giving and providing entertainment is part of the local business culture. Combining this with the ethical standards and behaviors set out by multinational organizations can result in a conflict. Nonetheless, the short-term gains should not be prioritized over the long-term risks. Keeping an open line of discussion with third parties in order to address potentially ambiguous situations is crucial in balancing between the standards set by the organization as well as the local business culture.

In summary, with the increasing number of third party engagements and the need to assess and identify the moderate to high risk relationships, establishing a solid third party risk assessment will be crucial. Improving the efficiency of the program across the organization can be done by automation in an online tool.

Polaris can help with both. The firm has a robust, proven methodology that can support organizations in setting up and running an efficient and effective Third Party Risk Assessment. Polaris’ Third Party Investigation (TPI) Portal provides an efficient, easy to use tool that allows structured evaluation and action planning for third parties. Contact Polaris’ experts to find out how our consulting and technology solutions can help you.

¹ October 6, 2015: Brisol-Meyers to pay SEC $14m to settle China bribery claim; Gabriel Wildau; www.ft.com
² September 19, 2014: GSK China Investigation Outcome; www.gsk.com
³March 3, 2015: FCPA, Disclosure, and Internal Controls Issues Arising in the Pharmaceutical Industry; www.sec.gov