Glencore, Part III: Third-Party Agents
Today we have another exploration of Glencore’s recent compliance progress report, this time looking at how the trading giant handles third-party risk management. Glencore’s report offers extensive detail on how it runs its compliance program, and third-party risk drives everyone nuts, so let’s see what lessons we can learn.
For those unfamiliar with the history here, Glencore struck a massive anti-corruption settlement with numerous countries in 2022, which resulted in a guilty plea, more than $1 billion in criminal penalties, and two compliance monitors (which were discontinued earlier this year). The company also had to overhaul its compliance program operations, and began publishing annual progress reports on that work last year.
Glencore published its progress report for 2024 several weeks ago, and we’ve been poking through the contents ever since. Our first post about the report looked at the structure and personnel of the compliance program, as well as how Glencore redesigned and rolled out a new Code of Conduct. Another post examined how Glencore manages its many risk assessments.
So how does Glencore, a firm with 150,000 employees around the world, tackle third-party risk?
For starters, Glencore puts third-party risk management within a larger “business partner management framework” that also includes suppliers, customers, and joint ventures or merger targets. In this larger context, “third parties” specifically refers to sales agents, distributors, lobbyists, consulting firms, and similar outfits that provide an ongoing service on behalf of Glencore.
The framework organizes all those relationships into four tiers, each one more risky than the last and warranting more scrutiny. Third-party agents rank third out of four. See Figure 1.
We’re going to skip the first two tiers that deal with customers or suppliers and move directly to third-party agents since they’re the ones that can bring so much misconduct grief.
A Lifecycle of Third-Party Risk
Glencore spells out a six-step “third party due diligence and management procedure,” which governs the entire lifecycle of a third-party relationship from onboarding through training, monitoring, and eventual termination.
This is a good approach because it helps to defuse the threat of siloed third-party oversight, where one function (usually compliance) might onboard the third party, others handle monitoring and payments (say, accounting), and everyone forgets about the end of the third-party relationship. A defined, disciplined, soup-to-nuts “lifecycle management procedure” is a smart way to make sure no step goes overlooked.

Glencore’s third-party risk management lifecycle.
We should also note that Glencore has made a concerted effort to move away from sales and marketing agents entirely. Yes, the company does still use agents when necessary, but as Glencore says in its report: “We only engage marketing sales and purchase agents who provide a clear, tangible service that would otherwise need to be provided by our employees, and where we have no office or on-the-ground presence.”
I like that idea, and a company would do no wrong to adopt it as policy: a declaration that the company will only use third-party agents when those agents (a) provide a specific service, that (b) company employees cannot do themselves, and (c) the company has no facilities in that location either. A policy like that plants a flag about how the company will use third-party agents, which helps to make inappropriately engaged third-party agents stick out like a sore thumb.
Then we come to the third-party management process itself. To no surprise, Glencore devotes the most time to explaining its onboarding and due diligence process.
When an employee wants to use a third party, that party is first logged into Glencore’s third-party management tool (Diligent 3PM, which I don’t know too well). The Diligent tool then spits out two questionnaires: an internal one to the employee, who must explain why the company needs to use the agent, and an external one to the outside party, which must reply with the requisite due diligence information.
The Diligent tool then generates a risk score for the third party based on that questionnaire data and other criteria: the country corruption risk for where the party will work, the dollar size of the engagement, and so forth. The higher the score, the more due diligence the Glencore compliance team will perform.
That due diligence work can include background reports from external vendors, a review of the party’s own compliance program, interviews with the sponsoring employee and the party’s management, confirmation of bank accounts, verification that payment terms meet industry standards, and so forth. All steps that should be familiar to any compliance officer.
Ultimately, all that work is boiled down into a report, which then gets final approval or rejection by the local compliance team and the local business unit. If compliance and the business unit disagree on how to proceed, they can escalate the issue to Glencore’s head of compliance at the corporate offices.
The Rest of the Lifecycle
Once a third-party agent does pass Step 1, it cycles through the rest of Glencore’s third-party management process.
Contract terms. No engagement can start without a signed contract in place. Compliance works with the employee and the legal team to include compliance clauses in the written agreement; for high-risk intermediaries and for charitable donations, Glencore uses specific templates that include tailored compliance clauses.
Training. All third parties receive at least some compliance training, although the exact amount, frequency, and format (digital versus in-person) vary according to the party’s risk score generated during the onboarding step.
Monitoring. Again, the amount of monitoring is determined by the third party’s risk score. For high-risk parties, the business-side employee must maintain records of communications and services provided by the third party, and inform compliance of any material changes to the way the third party provides services to Glencore. Any time someone wants to make a change to payment terms (such as commission structure), Glencore’s anti-bribery compliance team must first pre-approve the change.
Payments. Speaking of payments: Glencore’s group compliance team must review and approve in advance the invoices of and payments to all severe and high-risk business-generating intermediaries, to confirm that the payment matches contract terms and the invoice includes sufficient detail (another chronic complaint in past anti-bribery enforcement actions around the world).
Another gem: “There is a hard control in our systems blocking payments to severe-risk and high-risk business-generating intermediaries unless approved by group compliance.” Rock on!
Contract renewal. Also determined by the third-party agent’s overall risk score. For agents with higher scores, the renewal process can include completing updated questionnaires, rescreening and repeat background checks, and a re-assessment of the business purpose of the agent in the first place.
Termination. Whenever a high-risk third-party engagement ends, the compliance team coordinates with the business-side employee and the legal team to send a formal termination letter. The Glencore business-side employee is also responsible for confirming that the third party is deactivated from the relevant accounting or finance systems. (I do applaud how Glencore assigns responsibility to the business since “the business owns the risk,” but can’t that be automated?)
If the engagement ends because of some compliance concern, the compliance team adds the third party to a “Declined Party & Red Flag List” and that defunct status gets logged into the Diligent 3PM tool. Any reactivation of declined third parties must be approved by the head of compliance.
A solid system. Now let’s just hope Glencore maintains it even as the United States retreats from anti-corruption enforcement.

