1

Risky Business: How to HandleDue Diligence Renewals

Live Webinar: May 9, 2017

2

Presenters

About The Red Flag GroupThe Red Flag Group is a global professional services firm specializing in integrity and compliance risk. We have completed over 500,000 due diligence reports for thousands of companies in the past 10 years and work with many Fortune 500 companies.

Susan MurrNon-Executive Director

The Red Flag Group

Tim FahertyGeneral Manager, Americas

The Red Flag Group

Denis JacobDirector – Global

Commercial Compliance

Becton Dickinson

3

Agenda

1 Introduction and overview

2 What are the regulatory expectations for due diligence renewals?

3 Practical tips for a risk-based renewal programme

4 A view from the trenches – how to develop, implement and manage a due diligence renewal programme

4

Overview

Due DiligenceWhen the time comes to renew, what do you do?

WHAT GUIDANCE IS OUT THERE FOR A DUE DILIGENCE RENEWALPROGRAM?

Practical considerations for your programme

A view from the trenches – lessons learned from developing, implementing and managing a due diligence renewal programme

55

Poll

We have a risk-based process that works well

Our process, like most processes, could use some improvement

What renewal process?

A

B

C

What is the state of your current renewal of low level due diligence process?

6

What are the regulatory expectations for due diligence renewals?

7

Some regulatory expectations

T H E B A S I C R E Q U I R E M E N T S

1

2

3

Well-designed

Applied in good faith

Working

8

Some regulatory expectations

DOJ/SEC Resource Guide to the FCPA

Recognizes the need to update due diligence periodically

Due diligence level should be commensurate with Risk-based due diligence should include

Acknowledgement that programme may not prevent an infraction in low risk area because greater resources and attention devoted to higher risks

Understanding qualifications and associations of 3rd parties

Business reputation

Relationship with government officials

Business rationale for needing the third party

Reasonableness of payment terms

Confirmation that work is actually being done

Overall risk for FCPA violations

Country

Size and nature of particular party/transaction

9

Some regulatory expectations

Root cause analysis and examination of prior indications

Comparison of compliance resources to other departments

Policy design – input and business consultation

Evolving updates – need to review practices

Information analysis – metrics

Continuous improvement, testing and review

Third party management– risk-based, review of incentives, red flags

D OJ E VA LUAT I O N O F C O R P O R AT E C O M P L I A N C E P R O G R A M S ( 2 0 1 7 ) C H E C K L I S T I N C LU D E S :

10

Some regulatory expectations

U K S E R I O U S F R A U D O F F I C E B R I B E R Y A C T G U I D A N C E

Periodic review of nature/extent of bribery exposure

Risk assessment

To include due diligence inquiries

Due diligenceProportionate, risk-based

Greater due diligence for higher risks

Continued monitoring may also be required

11

Establish a risk-based renewal due diligence program

Identify, prevent and mitigate risks relating to • The market in which the third party operates

• Any specific activities the third party performs

OTHER RESOURCES

JOINT GUIDANCE FOR MEDICAL DEVICE AND DIAGNOSTICS COMPANIES ON ETHICAL THIRD PARTY SALES AND MARKETING INTERMEDIARY [“SMI”] RELATIONSHIPS, DEVELOPED BY ADVAMED AND MEDTECH EUROPE

Some regulatory expectations

Risk assessment of third partiesCountry/geography

Local market legal requirements

More information if arrangement is unusual

Information from public sources, employees

Diligence Program

12

Know your risks beyond bribery

• Human rights, labor requirements, environmental requirements, etc.

Not all renewals are equal

• Riskier renewals = greater diligence

Some regulatory expectationsCommon threads

Risk-based means understanding

• Geographic risk• Business risk• Particular third party risk

Ongoing risk assessment + need for due diligence = due diligence renewal program

13

Practical tips for a risk-based renewal programme

14

Practical tips for a risk-based renewal programme

Where to start?

Your company’s risk profile

Your company’s geographic risk

Your company’s business risk

Changes since the initial process

Business needs Any other factors?

15

Practical tips for a risk-based renewal programme

Who to involve? Find the risk data

Compliance Sales IT

Internal Audit Investigations The business

16

A

B

C

16

Poll

Yes

No

Don’t have a renewal process in place

Does your due diligence process differentiate high, medium and low risk third parties to determine the frequency of renewal?

17

Practical tips for a risk-based renewal programme

By risk, by geography or other considerations

Continual renewals or finite periodic process

Where to start

T I M I N G I S E V E R Y T H I N G

How often

18

What’s expected vs. actual risk profile?

• Need to look at your data

How to update company information

• Questionnaires or no questionnaires

Practical tips for a risk-based renewal programmeOther considerations

Other company processes

• Any efficiencies?

How to engage the business

19

Practical tips for a risk-based renewal programmeBest practices

1 2 3

4 5 6

Find synergies with business and functions

Develop internal champions Don’t forget to publicize what is being done and why

Leverage technology as much as possible

Continually monitor results Considerations for high risk third parties

20

A view from the trenches –how to develop, implement and manage a due

diligence renewal programme

21

Developing the renewal programme

1 2 3

A view from the trenches How to develop, implement and manage a due diligence renewal programme

You’ve got to start somewhere Advance planning How to communicate

22

Who to involve

1 2 3

A view from the trenches How to develop, implement and manage a due diligence renewal programme

Home office vs. regions Business vs. functions How to find allies and

drive engagement

23

How to develop renewal criteria

A view from the trenches How to develop, implement and manage a due diligence renewal programme

1

What to think about

2

Risk-based factors

3

Practical considerations

24

Implementation

1 2 3

A view from the trenches How to develop, implement and manage a due diligence renewal programme

Don’t forget efficiency

Engaging hearts and minds Measuring progress

25

Managing the process

1 2 3

A view from the trenches How to develop, implement and manage a due diligence renewal programme

Best practices in communication

Effective use of metrics

Challenges and solutions

26

Reviewing results

2

A view from the trenches How to develop, implement and manage a due diligence renewal programme

What your renewal metrics might tell you Lessons learned

1

27

Some concluding thoughts

Renewal programmes are necessary, according to regulators

Efficiency is always important

Look at your data

• Leveraging regulatory expectations can help acquire budget money

• Check if risk identification is working

• Review what your renewal risk profile tells you about overall risk

Risks change and renewal programmes must account for change

28

Integrity due diligence reports

Compliance screening

Investigations

Proactive monitoring

Professional services

Compliance technology solutions

Supply-chain risk management

Compliance training

Compliance outsourcing

29

Please select any topics that you would like us to provide more information on.

29

More information?

Custom renewals roadmap and recommendations

Conducting due diligence renewals A

B

C

D

Due diligence reports

3rd party risk management

30

Questions?

31

Connect

Websitewww.redflaggroup.com

31

Emailinfo@redflaggroup.comsusan.murr@redflaggroup.comtim.faherty@redflaggroup.com

Webinar schedule and recordingswww.redflaggroup.com/webinars

Follow usTwitter: @redflaggroupLinkedIn: The Red Flag Group