Howard, thought he’d rammed a stake through the heart of Due Diligence in his magnus opus on case study 6.  But he was wrong.  Like a bad horror flick, due diligence and agents are back in 9.

Howard deploys a real world approach to what’s required when it comes to Adequate Procedures.  It’s recommended reading.  And do yourself a favour, keep an eye on Howard’s blog too.  It’s good.

By Howard Sklar

I’m having a bad case of vu-ja-day. Not deja-vu, Vuja-day. It’s the feeling that you really didn’t want this to happen again.

Case study #9 is a return to due diligence of agents. I’ll go through it point by point, but let me give away the ending: it’s really, really bad. Bad in the sense that if you actually do what it says—everything it says—you’re going to get yourself in a ton of trouble.

This is going to be painful, so I’ll try to be quick.

Case Study #9 posits a small UK company which relies on agents in Bribe-istan from which it imports perishable produce and to which it exports finished goods. The company is offered a new opportunity in Bribe-istan through a new agent, but it’s a rush deal.

The Guidance again provides a list of controls that the small UK company can consider, any or a combination.

* Conducting due diligence and background checks on the new agent that are proportionate to the risk before engaging the agent that can include (a) making inquiries through existing business contacts, local chambers of commerce, or business associations, and internet searches; and (b) seeking business references and a financial statement from the agent and reviewing the agent’s CV
* Considering how best to structure the relationship with the agent, including how the agent gets paid and how to ensure the agent’s compliance with relevant laws
* Making the contract with the agent renewable annually or periodically
* Traveling to bribe-istan every once in a while to review the agency situation

That’s it?

The best thing I can say about this list is the last one. I completely agree that on-site visits are an essential part of effective due diligence. But I’m getting ahead of myself.

Here’s the problem: risk isn’t determined by size. Just because it’s a small company doesn’t mean the risk is small. There’s an essential difference here: when I’m the compliance officer for the company, I don’t want an affirmative defense, I want to avoid the crime. Avoiding the crime involves significant due diligence.

What is it about this situation that makes it risky? The fact that it’s in Bribe-istan is a problem, obviously. But what sets off the flashing red lights in this situation is the rush. The worst situations always present as must-do-quickly deals. You have salespeople screaming at you that you’re delaying the deal, everyone wants this done. I’ve had situations where the deal had to get done in a weekend. We did the deal, and then the costs starting rising. We had remediation costs up the wazoo. It’s the rush jobs that are going to bite you in the behind.

What also makes this riskier is that the small UK company makes perishable goods. That gives customs officials and others in a position to delay shipments a considerable amount of leverage. While computers sitting on a palette in port is bad, fruit sitting on the palette is a disaster.

If the small company wants “adequate procedures,” that’s one thing; if it wants to avoid the violation, that’s something different. Telling small companies they have to do less makes sense on the one hand, but on the other, it’s going to get them into trouble.

Let’s go through the points though, shall we?

Conducting due diligence is important. So the question is whether doing what the Guidance suggests is sufficient due diligence. The one thing that’s right is that the Guidance says that the diligence needs to be “proportionate to the risk.” Not to the size of company, the size of the risk. Here, the risk is very high. Should the procedures be reduced to match the size of the company?

The last due diligence case study (#6) has a medium to large company doing a questionnaire and lots of other things. How does the smaller company justify doing less, when the risk is just as high, if not higher. I know that adequate procedures for smaller companies should be less, but is this the place to cut?

The diligence here involves, according to the Guidance, making inquiries through business contacts and conducing Internet research, plus getting references and a CV. These are good. Do these. But you have to do more.

Does a small company need a questionnaire? Yes. It does. Maybe the back-end procedures can be reduced, but if you’re going into a high risk market in a high risk venture, running a Google search just ain’t gonna cut it.

Payment is an easier question. I can tell you, given everything, if the agent gives me screwy payment instructions—payments into a third country, or via some other corporate identity—I’m putting the kibosh on the whole deal. What I want to ensure here is that the agent is charging me a reasonable amount for what I’m getting. If he tells me anything other than “send me the check when I invoice you,” I’m out.

I’m frankly not sure what considering how best to “seek to ensure the agent’s compliance with relevant laws and codes applying to foreign public officials” even means. I’m not sold on the ability to affect how your agent does business. You can find out, with effort, how they’re going to do business. But I don’t think you can change it. Certainly not with the blunt tools you have to work with, which are contract provisions, maybe a little training, maybe audit rights. None of those, even reps and warranties, or undertakings, are going to get the job done. All you can do is figure out what kind of situation you’re getting into. Go in with open eyes and structure some rudimentary monitoring to protect yourself.

In fact, here’s my prescription for smaller companies:

1. Have decent contract provisions. I’m not a huge believer in the efficacy of contract provisions, but some are better than others.
a. Most important? Termination rights. And make sure your partner knows that keeping your business means keeping clean. Let them know that if you even think there’s an issue, you’re going to exercise your right to walk away.
b. Next? A clear statement in the contract that you don’t want them to bribe.
c. Rather than have them agree not to bribe, I would suggest having them agree to some monitoring requirements. What you need to monitor is fact-specific, but can be things like monthly spend variations kept within a certain amount; double-checks on the value of what’s being delivered, regular discussions about how they’re achieving their results, specific itemization of invoices (the more specific the better), including no “miscellaneous” entries, and no expenditures that are outside of the specific needs of the SOW.
2. Have the right to audit their books in the event you believe they’ve committed a violation
3. Do a site visit, even if done by a third party
4. Ask for and check references
5. Do an internet search

The key thing here is not to overdo the up front diligence. The key is to figure out the monitoring piece, and do that religiously.

6. I would also suggest that your highest risk third parties be reviewed regularly by a risk committee formed for that purpose.

I agree with the last two points from the guidance: the contract should be renewable annually, not evergreen. And do at least some of this in person. In my experience, nothing beats looking a person in the eye and telling them what’s unacceptable to you.