A key challenge for most companies is finding qualified business partners with an understanding and acceptance of ethics and compliance best practice. The challenge is most acute in markets where the state dominates commerce or with stringent local content requirements.
So what should you do?
A valuable compliance and risk-measurement exercise is to ask some basic questions: Who do you deal with at each stage in your value chain? How likely are they to pose an ethical challenge? What impact would refusal of their demands have on your business?
To start this internal-to-external risk management approach, first:
Risk rank third parties. The nature of the transaction, sector, region and business model will impact the potential risk exposure. A few simple questions can help: who do you deal with, where, what do they do, how frequently do you interact, how much are they paid, and why use them.
Conduct risk-based due diligence. One size fits all due diligence may be ineffective. Making sure due diligence matches risk profile ensures that time and resources are deployed where they are needed most.
Plan exit strategies. Business needs change. Sometimes issues are identified with third parties. In each instance we strongly advise careful planning before action. All too frequently a decision to change or terminate a third party relationship causes an unexpected backlash. To avoid this, plan before action.
With a robust third party framework in place, build resilience into your management of the external environment. Unfortunately problems will still occur and business partners often manage complex relationships with public officials and local communities on your behalf, so make sure you:
- Qualify the threat: Just because someone has threatened you does not mean they have the intention to do as they say and have the capability to do so. Make an intelligence-led decision before responding.
- Stress-test your business: If you were a disgruntled local official or businessperson, how would you harm your business? Examine your project lifecycle and critical path. Do you have overreliance on one or more partners for a particular product, service or access? If so, what can you do to make them better disposed to your activities.
- Know your stakeholders: Map the stakeholders by both their disposition to your activities and their influence. What can be done to empower the positive (or neutral) stakeholders and manage those opposed?
- Develop risk-resistance and crisis management strategies: Having qualified threats, identified vulnerabilities and profiled your key stakeholders, now you have to manage them! Risk resistance is most effective when clear communication is paired with sincere efforts to deliver tangible benefit to the community.
Not all stakeholders — especially public officials — will welcome your more stringent management of interactions with them (directly or through business partners). Make sure you can answer these questions:
Do you know the rules? Do you fully understand every step in the process for each license and permit? Are you clear on the laws governing your sector — not what is written but what is enforced? Do you understand the tariffs and fees that should be incurred? If not, who does, and do they manage the process ethically? Ill-intentioned stakeholders will seek to exploit confusion and opacity, the more clarity you can bring the harder this becomes.
Where are you vulnerable? Having stepped through the rules, where are your choke-points? What are the time-sensitive and/or critical processes in your business? Where are controls most vulnerable or weakest?
How do you say no? Simply refusing, inferring illegality, may inflame the situation, leading to business interruption, delays and even security incidents. Do your people and business partners know how to say no the right way? Do you want to communicate further up the officials’ chain of command? If so, how will you do that?
What are the alternatives? If a particular process or interaction is problematic look for alternatives — alternate routes to market, alternate stakeholders, tweaks to the business model or simply build in more time.
Rupert Evill, pictured above, is a Principal at Control Risks based in Singapore. His areas of expertise include anti-bribery and corruption advice, political risk analysis, business intelligence, threat and risk assessments, problem-solving, crisis response, training and investigations. He can be contacted here.