Blueprint for FCPA Compliance

Author: Shanon Parker

7 Steps for Creating an FCPA Compliance Program

The Hiperos Blueprint for Foreign Corrupt Practices Act (FCPA) Compliance is an introductory guide to the essential steps an organization must take in order to ensure compliance with the FCPA.

Contents
Introduction to FCPA
FCPA and Risks Associated with 3rd Parties
Step 1 – Define Company Policies and Procedures
Step 2 – Collect Data
Step 3 – Assess and Segment 3rd Parties
Step 4 – Determine How to Proceed
Step 5 – Train Key Employees and 3rd Parties on FCPA Compliance
Step 6 – Monitor and Review
Step 7 – Seek Investigative, Forensic and Legal Services
The Benefits of a 3rd Party Compliance System for FCPA
About Hiperos

www.hiperos.com

An Introduction to FCPA

The anti-bribery provisions of the U.S. Foreign Corrupt Practices Act (FCPA) make it unlawful for any U.S. company to make a direct or indirect payment to a foreign official or firm for the purposes of obtaining or retaining business. The FCPA also requires companies with securities traded on a U.S. exchange to keep books and records that accurately reflect business transactions and maintain effective internal controls.

Increased focus on global corruption over the past four years has resulted in FCPA-related fines rising from less than $11 million in 2004 to almost $2 billion in fiscal 2009 and 2010. Boards of Directors are becoming more and more concerned over compliance with FCPA and the resulting reputational and fiscal risk for non-compliance. Organizations are increasingly considering how to leverage technology to implement a comprehensive, transparent and cost-effective program to review, manage, monitor and report on FCPA risk and compliance.

FCPA and Risks Associated with 3rd Parties

Companies are increasingly dependent on contracted 3rd parties to facilitate an estimated 50% of business functions. These include subcontractors, brokers and channel partners who act on their behalf or provide materials and services to their supply chain. While 3rd parties represent tremendous business value, they also introduce substantially more risk of FCPA violations. Organizations, therefore, need a proactive, auditable approach to manage these partners.

Companies at the center of recent Department of Justice FCPA enforcement are naturally in industries that rely the most heavily on 3rd parties: financial services, pharmaceutical, oil and gas, defense, retail, telecommunications, technology and services. However, any company that does business with foreign entities should consider implementing an FCPA compliance program.

90% of FCPA penalties are attributed to a 3rd party violation

7 Steps for Creating an FCPA Compliance Program

Businesses need to implement their compliance process whenever they consider a new 3rd party relationship, review existing relationships, or learn of an event that raises the risk of non-compliance. With its unique understanding of corporate governance and regulations such as the FCPA, Hiperos has identified, and is sharing, the following key recommendations to help businesses make informed decisions to continuously assure 3rd party FCPA compliance and minimize exposure to fines and penalties.

Step 1: Define Company Policies and Procedures

Companies first need to define company-specific policies and procedures and specify data elements, controls and internal stakeholders to support those policies. To accomplish this, it is important that companies transition away from cumbersome, paper-based or spreadsheet-based systems to be more efficient as well as to implement a centralized, standardized and automated environment.

Step 2: Collect Data

Stakeholders must gain a thorough understanding of 3rd parties by gathering information from internal associates and 3rd parties themselves. The information should include the nature of the business relationship, details about the individuals involved, the products and services provided to the company, geographic location and payment arrangements. Next, those same stakeholders should initiate automated feeds from external data sources to complete all 3rd party profiles.

Step 3: Assess and Segment 3rd Parties

Companies must rank 3rd parties as representing low, moderate or high risk and perform the proper due diligence based upon the assigned risk level. At this stage, companies can now focus their compliance resources on the 3rd parties with the highest risk potential.

Step 4: Determine How to Proceed

Drawing on all available data, including risk profiles, scoring, due diligence reports, investigation results and reported incidents, executive management can now review specific 3rd party relationships and determine whether to continue the relationship or terminate it.

Step 5: Train Key Employees and 3rd Parties on FCPA Compliance

Companies should implement comprehensive training programs and then require 3rd parties to attest to such compliance. Training can be tailored according to risk ranking – whether a 3rd party scored as low, medium or high risk. Additionally, companies should periodically remind 3rd parties and relationship managers about the company’s compliance policies and gather attestations to uphold those policies.

Step 6: Monitor and Review

In order to ensure continuous monitoring for FCPA compliance, companies need to establish a continuous process for ongoing management of 3rd parties. This includes tracking information, including whistle-blowing incidents, internal audits and controls and periodic profile updates.

Step 7: Seek Investigative, Forensic and Legal Services

In the case of known violations, a company should immediately seek expert services and guidance.

Benefits of a 3rd Party Compliance System for FCPA

In addition to helping companies avoid FCPA infractions and fines, implementation of the above framework allows organizations to focus resources on only 3rd parties who represent the highest potential risk. This leads to greater efficiency and, potentially, significant cost savings. Improved oversight can also help businesses gain more visibility into payments for 3rd parties and enable them to better match their internal and external needs and resources.

Finally, a 3rd party compliance system promotes transparency so that stakeholders, customers and others can understand how a company’s 3rd parties are meeting expectations for labor practices, sustainability and intellectual property. Using one flexible platform, organizations can not only manage their 3rd parties for FCPA compliance, but can manage additional regulatory and operational requirements as well.

A technology platform allows transparency of information among all stakeholders. This provides Executive Decision Support for stakeholders to make go/no-go decisions regarding potentially high-risk 3rd parties.

About Hiperos

Hiperos simplifies the complexity of 3rd Party Management (3PM). Through its flagship SaaS (Software as a Service) software platform, Hiperos helps companies avoid a value shortfall and fully realize the benefits of using 3rd parties while maximizing the value and minimizing the risk around brand reputation, achieving regulatory compliance and optimizing customer experience. Hiperos’ clients include many of the world’s leading companies, including Aetna, AON, Astra Zeneca, AXA, Bank of Montreal, CA Technologies, Charles Schwab, Huntington Bank, MasterCard, Microsoft, PNC Bank, State Street Bank, and United Technologies.

To learn more about Hiperos’ 3rd Party Management Solution, visit our website at www.hiperos.com.

Contact us: Phone: +1 908-981-0080 E-mail: [email protected]

© 2012 Hiperos. All rights reserved.