Risk & Compliance Management
When considering a relationship with a third-party, you might have already gone the extra mile by conducting an enhanced due diligence program, identifying your risks, and ranking your red flags. But what should your next step be? What happens if your in-depth due diligence reports are not followed by risk-based contract clauses? Due diligence programs are designed to identify and mitigate potential risks associated with beginning relationships with third-parties. However, the investment brings no benefit if the program’s findings are not integrated with tailor-made contractual protections.
The contracting process is where you should comprehensively benefit from due diligence, by mitigating and managing your risks. Your agreement should be structured in accordance with the scope and nature of the third-party relationship. The provisions regarding parties’ rights and responsibilities, performance standards, contract value, qualifications of the goods/services, timeframe, insurance, non-disclosure and privacy, intellectual property and personal data protection, governing law and jurisdiction, commitment to compliance with all applicable regulations, and international standards, as well as your company’s business ethics and compliance program, and all the other terms of a contract should be loud and clear, and set forth in a way that leaves no doubt.
Even though some specific transaction-based terms and the comprehensiveness of a contract will be designed to reflect the unique dynamics of each relationship, there are some “sine qua non” clauses that you should have regardless.
Your company has been through an exhaustive and expensive procedure in order to analyse and manage third-party risks to get to the contracting process. One of the fatal mistakes in a contract is giving prior consent to a third-party to assign its responsibilities and liabilities to a total stranger, who your company may never have heard of, much less assessed. You may think that you already have strong indemnity and penal clauses for service failures and defaults; however, such provisions may not be adequately dissuasive to prevent the designation of a fourth-party who might expose your company to various damages that may not be possible to remedy with monetary compensation, such as loss of reputation and administrative sanctions. Therefore, you should ensure that a clause prohibits any kind of assignment or subcontracting of a third-party’s rights, responsibilities and liabilities, completely or partially, without your company’s valid prior written consent.
Your contract should certainly provide a clause regarding a third-party’s responsibility to file periodic and on-demand reports, including how often and to what extent these reports are prepared. Periodic reports should represent a third-party’s performance levels, and its compliance with undertaken service standards, as well as its financial statements, and information regarding extant prosecutions and lawsuits or administrative fines imposed against the third-party. Any major changes in its business organization, such as change of control, if any, should also be included.
On-demand reports should be prepared upon your company’s request within a limited period of time. They should include in-depth information on specific matters that may pose a risk to your company or affect the future of your third-party relationship. In either case, you should periodically validate your risk ranking and apply your management plan by considering any newly identified risk zones.
It should be ensured that reports are prepared by authorized and certificated independent audit firms. However, audit firms may not be familiar enough with your company’s red flags and may focus disproportionately on unnecessary examinations. This is why you should ensure that there is a clause giving your company the right to audit the third-party. The right to audit may sound quite repressive, but administrative investigations are, too. Your risk management program requires ongoing monitoring and assessment of third-party relationships, and the right to audit clause is indisputably “sine qua non”.
Termination clauses are essential to provide your company with an emergency exit should your potential risks get out of your direct control, or your risk/reward balance become reversed so that a relationship is no longer in your company’s best interests. A termination clause should clearly state the circumstances that give you the right to terminate the contract immediately, or within a reasonable time after an advance notice, without any liability for compensation, as waiting until the end of a contract term may sometimes be too late. Circumstances that may trigger a termination clause include defaults, failure to meet contractual standards, violation of contractual obligations, change of control, noncompliance with applicable regulations and international standards, bankruptcy, insolvency, or a final court order sentencing a third-party’s stakeholder or authorized person for egregious crimes. The use of termination rights may vary in accordance with each case; for example, a prior “warning notice” and a “redemption period” may be sought before terminating the contract in cases of default and failure. The termination clause or the relevant material provisions should clearly define what a default is, what a failure is, and what actions are deemed a breach of contract.
Another thing to highlight in termination clauses is extension of the contract. Automatic renewal clauses should be avoided; however, you may still want to protect your right to renew the contract upon your own request. The economy, politics, technology, benchmark standards, and regulations change so fast, as do businesses’ financial conditions, economic value, places in the market and compliance with regulations. At the end of a contract period, your due diligence report may no longer reflect a third-party’s current situation or transparently highlight your risks. This is why your renewal clause should be designed to provide your company with the right to update due diligence, which allows your company to identify and assess new risks before renewing the contract upon your request.
It should be stressed that even though you have an absolute termination clause, to what extent you will enjoy this right is directly related to the fourth step of your risk management plan: ongoing oversight. As well as a third-party’s commitment to its obligations and performance standards, any material change in a third-party relationship, including its effectiveness, and particular changes in the organization and operations of a third-party, should be directly assessed and approved by your company. It is common behaviour for many companies to hesitate in conducting end-of-period due diligence, and to take the easy way out, preferring to trust their historical relationship with their suppliers or business partners. However, it is worth noting that you cannot control risks that you don’t know about.
Applying a risk-based approach throughout the process helps your company to estimate the financial consequences of failure and to prevent the realization of a particular risk. Indemnification clauses provide you with the right to hold a third-party responsible for all the damages, losses and claims that arise directly or indirectly from its negligence or failure to fulfil its contractual obligations. An indemnification clause should especially provide that the third-party shall be liable for all the administrative and regulatory fines, implementations, lawsuits, and investigations that arise as a result of third-party negligence. However, such clauses do not always protect you from the accusations and charges your company may be exposed to in the event of particular breaches that can occur in regulated areas, such as data protection and competition regulations.
While indemnification clauses ensure you are compensated for losses arising from third-party negligence, penal clauses provide you with the right to claim a predetermined penalty fine as a result of specific third-party behaviour. Thus, a penal clause can be enforced at any time regardless of whether any damages or losses have arisen, as its only prerequisite is a third-party breach of a particular provision of a contract. While specifying an extortionate penal clause and implementing it universally for all breaches may be quite unjust and disproportionate, your risk-based plan should lead you to focus on and provide adequate protections for the right provisions. The amount of a penal clause should dissuade a third-party from any such breaching activity and it should prevent an improper third-party approach of “breach and pay”.
“Compliance” is not only the backbone of third-party relationships, but also the cornerstone of companies’ sustainability and existence. A compliance clause is exactly where you can represent your company’s commitment to stick with its business ethics and compliance program, how your company considers compliance in its every new business operation, and your company’s expectations from a third-party’s unconditional compliance, too. Informing a third-party about your company’s business ethics and compliance program, codes of conduct, procedures and principles is your company’s responsibility. Therefore, besides providing the necessary written documentation to a third-party as an inseparable whole of your master agreement, you should inform a third-party’s authorized body and personnel verbally. The nature of a relationship may require your company to give business ethics and compliance standards training courses to a third-party’s personnel, especially in terms of agency and subcontract appointment agreements where your company may be directly responsible for such third-party activities.
Your compliance clause should ensure a third-party’s commitment to comply with all applicable regulations and international acts and standards. This commitment should include compliance with all local laws and regulations, as well as the binding laws of jurisdictions that your company is in any way related to. This clause becomes more of an issue when your company’s operations are in regulated areas, such as healthcare and life sciences.
The rationale of third-party risk management planning is to provide your company with the necessary information about your business partners in order to help you to identify and mitigate your risks. The most effective and beneficial way of implementing your risk management plan is identifying the right issues and preventing risk before it is realized. With this understanding, you should be able to reflect in your contracts what you have deduced from your due diligence to make sure that it fully serves your company’s best interests. Contractual shortcomings will mean wasted effort, time and money, and a failure to profit from your risk assessment and due diligence program as required. They could also mean the possibility of being exposed to various losses and damages as a result of an inadequate level of contractual protection.