Due Diligence and Risk: Why is Due Diligence Needed in the Modern Era?

In a global market, with the advent of the digital marketplace and international chains of supply and distribution, due diligence can be of paramount importance to companies and clients around the world. There are two key reasons why firms and individuals may want to conduct effective due diligence on their suppliers, partners or clients: to protect their financial interests, and to limit liability. When dealing with a partner, a company would want to ensure that the other entity is reliable enough not to run off with its money. A bank letter of credit or similar procedure can alleviate concerns in some transactions; however, for repetitive and continuous long-term business, due diligence is warranted.

Then there are other risks associated with liability. These are reputational, or even legal risks. For example, a subcontractor who gives bribes to government authorities or is involved in illicit activity could cause the hiring contractor to be found vicariously liable for their actions.

As such, this article highlights some of the risks posed in the modern marketplace, as well as a due diligence solution to help alleviate these risks.

A. Regulatory and Compliance Risks

      Regulatory and compliance risks pose broad challenges to corporations in the global economy, and ultimately warrant appropriate due diligence and precaution by the hiring party when dealing with third-party vendors.

      Regulatory and compliance issues can take a number of forms, as a plethora of laws regulate the behavior of corporations and hold them liable for the actions of their third-party vendors. Examples of such laws in the US are the Foreign Account Tax Compliance Act (FATCA), the Foreign Corrupt Practices Act (FCPA), the Alien Tort Statute and the Conflict Minerals Rule (Dodd-Frank Section 1502), alongside a whole host of foreign laws which link the actions of third parties to corporate actors. Under such laws, the improper vetting of a vendor, or the vendor’s acts while representing or acting on behalf of the corporation and hiring party, can create liability for the principal or hiring party, by association. For example, under the FCPA, if a US company is determined to have failed to conduct adequate due diligence with a corrupt vendor making payments to government officials abroad, the corporation may be found negligent and liable by association, becoming subject to huge fines. Under the Alien Tort Statute, a corporation may be found liable for failing to exercise due diligence or take action, or for willful disregard, if the vendor is committing human rights abuses or engaging in reckless or malicious acts.

      There are also countless regulations and laws in other countries, such as the UK Anti Bribery Act, which vary in certain details from US law, and which affect global companies. For example, under the UK Anti Bribery Act, commercial bribery, namely offering payments to private companies and individuals in exchange for improper acts in their role or business (such as favoritism), is also penalized.

      Therefore, a global corporation, or any individual working with foreign and even local vendors, has to be on the lookout for liability by association. It may be possible that a global 3PL Logistics Provider hires a trucker in West Africa who also engages in the transportation of conflict diamonds. By association, and through the failure to conduct adequate due diligence, the corporation may be held liable under a number of laws, such as the Alien Tort Statute, the Conflict Minerals Rule and other foreign and domestic legislation. A causal and associative link could be established, whereby the corporation, by supporting the recalcitrant vendor through channeling business and funds for services, may be interpreted to have violated various laws by indirectly supporting human rights violations. More than 90 percent of the FCPA actions brought by the US Department of Justice, for example, involve misconduct by a company’s third party, according to a global fraud survey [1] conducted by Ernst & Young in 2012.

      These risks, though uncommon on a daily basis, are significant and real in the global supply chain network, and require attention and consideration by any corporate actor.

      For companies based in the UAE, even a presence in the US or UK could leave the company vulnerable to liability under anti-corruption laws in effect under those jurisdictions. In addition, the UAE and other GCC countries also offer similar provisions to combat corrupt practices through their penal codes.

B. Reputational Risks

      Warren Buffett once said “It takes 20 years to build a reputation, and five minutes to lose it.”[2]

      An Oxford Metrica study suggests that a company that experiences an “extreme reputation event” has an 80% chance of losing at least 20% of its value (over and above the market) in any single month, in a given five-year period.[3] A key example was the depreciation of the stock value of Uber, after numerous scandals involving the CEO and management’s abusive conduct towards drivers and employees.[4] Some studies estimated that these reputational damages could have cost the company billions of dollars.

      Reputational damage, by its very nature, is difficult to quantify. The reality is, however, that its magnitude can be significantly large, and extremely difficult to manage. For private companies, this can mean loss of business and a thinner customer base. For public corporations, this can equate to lower stock value. Ultimately, the humanitarian cost from which the reputational damage may arise can be far more severe. Having one bad link in the supply chain, to a vendor operating in a country complicit in human rights abuses, or involved in some other form of illicit activity or trafficking, can create tremendous ripple effects across the supply chain, impacting and soiling the reputation of the vendor’s business partners.

      Therefore, reputation, though abstract in nature, is something of vital importance to the survival of a company. Through association, reputational damage is a real possibility when dealing with vendors.

C. Data Protection Breaches

      Data protection is often an underestimated and misunderstood risk in the global supply chain, which deserves attention for a number of reasons.

      Under the European Data Protection Regulations to be implemented this year, data controllers and processors, namely those handling sensitive data belonging to other individuals, such as customers, are liable for the protection and control of this data. Many businesses with European operations are unaware of the implications of this reality. For example, they may provide information to a local trucker who does not operate any sophisticated data storage or management system. One breach or hack of the system in place at the local trucker could create violations and liability for the business. Oftentimes, in some regions, truckers or third-party vendors may not even have systems in place for the management of sensitive data beyond the use of regular emails. Meanwhile, these truckers could be moving hazardous or extremely valuable goods, which by their nature require the communication of sensitive data across the supply chain.

      These risks are not to be underestimated, as they have proved to be detrimental for US corporations and government agencies because of the use of third-party vendors. For example, in 2013, Target experienced the theft of over 110 million customers’ data, including information related to 40 million payment cards. During the course of investigations, it was found that Target’s data security breach came about via a connection established through their HVAC vendor, Fazio Mechanical Services.[5] Government agencies are also not immune from data protection breaches. In 2015, the US Office of Personnel Management revealed a massive breach of 22 million records, including sensitive data tied to numerous federal employees, contractors and military personnel. This breach, like many others, originated from a third party, a background check provider, Keypoint Government Solutions.[6]

      It is therefore abundantly clear that data security risks pose significant reputational and financial risks to corporations in the global economy.

D. Financial, Political and Systemic Risk

      Dependence on a single vendor, without a strong enough partnership or in situations where there is instability, can expose companies to financial shocks.

      A prime example of this is the Hanjin bankruptcy in the shipping industry. This event led to an increase in global shipping prices, as the collapse of Hanjin saw the number of competitors in the market reduce significantly. Furthermore, many Hanjin customers were left stranded, with their goods seized at various ports across the globe. Systemic and political risks to which the vendor is exposed also create vulnerability to shocks. For example, if the vendor operates in a region laden with political crisis, the hiring contractor or corporation will have their supply chain disrupted whenever such shocks present themselves, even when the corporation itself remains unaffected.

      What is clear is that vendor selection needs to be carefully planned and managed. A company should avoid a situation where it could become overly dependent on a particular vendor, or set of vendors, without adequate measures or controls in place to manage supply chain shocks. This dependency could be established on a regional or global basis. This may happen, for example, if the company becomes dependent on a vendor of convenience, where they do not have significant operational roots. Overreliance can expose the supply chain to conditions where political, financial, or systemic disruptions, such as the vendor’s inability to effectively manage volume or an IT breach, could disrupt the company’s entire supply chain and business model. Perhaps this could occur because the company suddenly wins a lucrative project in an unexplored and unfamiliar region, and rushes to put things in place without adequately accounting for such contingencies.

      However such disruptions come about, they have the potential to significantly disrupt and interrupt the supply chain.

What Can Companies Do?

Effective pre-emptive due diligence can go a long way towards mitigating risk. At the very least, evidence of effective due diligence will mitigate legal risk in a court of law, where a procured due diligence report can show that the company made reasonable efforts to ensure the reliability of a vendor. This can prevent vicarious liability, as the company shows that it has taken all the necessary precautions to ensure that it was doing business with a legitimate partner. Many firms offer services using specialized software, which allows them to conduct this kind of due diligence with ease.

In addition, many risks can be managed via sound structuring and contract policies. Liabilities can be disclaimed by contract in certain situations, and vendors/business partners can be contractually required to disclose certain information prior to any deal being finalized. A contract can also be made contingent on a satisfactory due diligence outcome.

So if you want us to help you manage your due diligence program better, feel free to get in touch with us at: info@borderlesscounsel.com.

[1] David Shackleford, Combatting Cyber Risks in the Supply Chain, 6, SANS Institute White Paper, September 2015, available at: https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252

[2] Brad Tuttle, Warren Buffett’s Boring, Brilliant Wisdom, Time Magazine, March 1 2010.

[3] Reputation Review, Oxford Metrica Aon Reputational Review 2012, 2012, available at: http://www.aon.com/attachments/risk-services/Aon-OM-Reputation-Review-2012.pdf

[4] Anita Balakrishnan, Scandals May Have Knocked $10 Billion off Uber’s Value, a Report Says, CNBC News, April 25 2017.

[5] Id. at 3

[6] Id.

[7] The Companies you Keep: Five Steps to Managing Third Party Risk, Baker and McKenzie, 7, Last Accessed: 8.23.2017, available at: http://www.bakermckenzie.com/-/media/files/insight/publications/2015/12/br_tc_supplychainmngt_oct14.pdf?la=en

[8] Id. at 11

zakir mir