Ethical fallout

ME PoV Spring 2019 issue

Ignore third parties at your own risk

As the regulation of global businesses moves into a new era, the compliance obligations of firms are becoming more extensive; the implications for acquisitions, joint ventures, and local distributorships/agencies are more serious than ever. Short-term thinking should never outweigh long-term brand considerations.

A company’s business relationships in high-risk emerging markets can have a direct and critical impact on the brand value, as well as the bottom line. Once a brand is tarnished, it takes a tremendous amount of effort to overcome the reputational impact, let alone the monetary penalties that occur with high-profile violations. As Warren Buffett once said: “If you lose money for the firm I will be understanding. If you lose reputation I will be ruthless.”

For many multinationals, the main risk concerns about their overseas operations used to be bribery and corruption, where local business practices might expose the parent company to risk of violations under the U.S. Foreign Corrupt Practices Act (FCPA). The FCPA set clear rules on bribery of foreign government officials in the pursuit of winning or maintaining business and has over the past decade yielded over US$11 billion in fines and settlements against companies across the globe. Companies that proactively established FCPA compliance programs, and focused on corporate culture, were ahead of the curve. These companies also identified the sales agents and third parties that the companies relied on, and incorporated them into their FCPA risk mitigation strategies. Their goal was to avoid potential complications, and to demonstrate that any FCPA violations that occurred were despite their best effort; violations were actions against the company, as opposed to by the company—a critical distinction when the authorities were levying fines.

While compliance with the FCPA is still a primary concern, there are numerous other business conduct violations that companies and their third parties can commit, and that can lead to equally dire reputational and monetary consequences. These include:

Trade sanctions – The U.S. government has greatly enhanced its trade sanctions/export controls enforcement program and the implications of a violation can be disastrous. In May 2018 ZTE was nearly driven out of business by a 7-year ban on access to U.S.-origin components, principally because it was found to have violated the prohibition on export of U.S.-origin products to Iran. The company agreed to a deal one month later, restoring access to U.S. components, in exchange for a US$1.2 billion fine. There have been dozens of other high-value trade sanctions fines issued in the last few years, with third parties often playing the role of conduit to restricted entities and customers.

Supply chain integrity – The ethical supply of labor is a growing concern for many internationally focused legislators (see the UK Modern Slavery Act of 2015). For example, following public scrutiny of its labor supply chain, Apple began training more than three million supplier employees on their rights, tracking the working hours of 1.3 million people on a weekly basis, and conducting integrity audits of over 750 suppliers. One situation that came to light in Apple’s review was a scheme involving 700 workers from the Philippines who had been extorted out of US$1 million by the staffing agency that had recruited them for the opportunity to work at an Apple supplier.

Environment – Many of the world’s largest corporate penalties involve environmental disasters. The Deepwater Horizon spill has cost BP over US$20 billion so far. Disasters can also be caused by third parties, which is exactly what happened in the 1990s to Total in one of France’s worst environmental disasters, the Erika spill. Despite the fact that the tanker was owned and operated by a third party, Total ended up paying over EUR 500 million in damages and cleanup costs for not properly vetting and monitoring the safety compliance of the ship’s operator. Stories of lingering effects can tarnish a company’s brand for years.

Cyber/personal data – Cyber breaches get headlines because they involve personal data that people entrust to companies. Third parties are considered the weak link in cyber defenses; it has been reported that one of the key potential contributors to the recent Marriott/Starwood breach was the multiple layers of third-party vendor technologies within its systems. One often-quoted industry statistic is that 63 percent of reported cyber breaches involved third-party vendors. Considering the risks of a personal data breach under the General Data Protection Regulation (where fines can be levied at 5 percent of global revenues), the risks can be enormous.

Intellectual property – Companies relying on third parties for product development might be unwittingly exposing themselves to liability or fines if they are subject to third-party IP violations. Is an online marketplace like Amazon, eBay, or Alibaba responsible for IP violations of the vendors selling on its platform? A recent lawsuit in Hollywood claimed that Disney is liable for trademark infringements of a third-party supplier—a digital company that had produced 3D images using allegedly stolen IP.

How can a company protect itself?

A good place to start is the ABAC risk/compliance assessment that many companies are already undertaking. These can be updated to incorporate the broader spectrum of business conduct risks and to ensure that they account for the behavior of third parties. A few suggestions to consider:

  • Holistic risk and compliance assessments – a critical assessment of how, and to what extent, a company may be subject to ethical violations (directly and through third parties). Many companies are familiar with the process of a fraud risk assessment—a similar approach focused on brand-affecting business conduct risks is a good way to start.
  • Distributor/third-party audits – a number of companies have rolled out formal, proactive and risk-based programs to assess the ABAC compliance of key third parties; consider expanding these to cover a broader set of business conduct risks.
  • Due diligence – it remains critically important to conduct thorough Integrity Due Diligence (IDD) on third parties before entering into relationships, or engaging in a transaction, especially those that operate in roles that could expose the parent company to the key business practices risks.
  • Awareness – training on codes of conduct and ethical business practices should be routine, and management should reinforce the appropriate “tone from the top” (think Buffett): that it does not condone violating the company’s ethical principles, for any reason. Some companies extend this to key third parties or require them to conduct and demonstrate their own awareness campaigns.
  • Monitoring – the monitoring of business conduct risks should be proactive and ongoing. The key risks can be identified in a risk assessment and the responsible function should be provided regularly with the information and data required to identify concerns as they arise.
  • Internal reporting lines and investigation capabilities – it is imperative that non-retaliation policies are clear and accompanied by well-publicized and accessible reporting channels. Employees as well as third parties should know that concerns reported in good faith are kept confidential and acted upon, thereby reducing the probability of someone reporting concerns externally (i.e. directly to the press or authorities).


Even if a company purports to have an arm’s-length relationship with third parties, it is not protected from an ethical fallout if the third party is violating key business conduct rules. Compliance with ethical business practice norms requires constant attention and must extend to all of those entities that act on a company’s behalf. The implications are not just legal and monetary; the brand is at stake as well.


by Collin Keeney, Director, Financial Advisory, Deloitte Middle East

