Kicking off a third party due diligence programme can be a challenging and tedious undertaking due to various reasons including but not limited to lack of technical know-how, no management buy-in and budgeting among others. Below are some things to consider when kicking off your third party due diligence programme.
Task 1. Preparing your budget
Conducting a budget analysis is the first step in determining the appropriate amount of funding required to conduct a third party compliance programme. Determining the size of the budget for a programme can be very difficult, as:
- The number of third parties that could potentially be involved in the project may be unclear, or in many cases, simply unknown
- There may have not been an analysis performed of the type of due diligence required and the areas of risk that should be contemplated when determining the initial review.
It is quite common for a budget to be established based on a broad review of known third parties and countries in which a company operates. It is also quite often the case that when a budget is reassessed after six months of a programme, the money is allocated from a business unit budget, rather than that of legal and compliance. Legal and compliance teams, who often own the overall programme, use their budget to initiate the original third party due diligence; however, over time, the due diligence conducted on third parties becomes part of an overall business process and is therefore built into the everyday running costs of a business and therefore gets charged out to the local countries or regions for which a third party operates. When conducting a budget analysis, the costs associated with compliance broadly fall into three main categories:
- The development of the policies and procedures that give rise to the due diligence
- Conducting the due diligence itself
- A technology solution which enables the due diligence process to run as effectively as possible.
Task 2. Determining the scope of your third parties
One of the first tasks of anyone embarking on such a review is to try and assess the scope of the project, which often involves an understanding of the relevant third parties which will be subject to the due diligence process.
Most organisations have great difficulty in determining the scope of their third parties. In many cases, the information about these third parties are stored in multiple enterprise resource planning (ERP) systems that are often only accessible to a few people in the organisation. Even when this material is accessible it reveals information which is often old, outdated, simply incorrect or inconsistent across systems.
Before starting on this process, some basic questions could be asked:
- Do you have access to all suppliers at a corporate level?
- Are some suppliers local suppliers, and due diligence is therefore not conducted at a corporate level in the corporate accounting system?
- Are some suppliers multi-tiered, where they also sell through second-level or third-level suppliers which are not caught by the entity listed on the accounting system?
- What level of access do I need to access the information in these systems?
- Which group in the company has the best ability to help to access the information?
A good understanding of the scope of third parties may also involve the comparison of multiple lists from multiple accounting systems and other systems. It is often necessary to try and coordinate the efforts of multiple countries in order to understand the types of third parties that operate across multiple regions in your organisation, often in different names.
Task 3. Culling your list of third parties
Step 1 – Remove duplicates
The first and most obvious way to narrow your list is to remove duplicate entries. While this sounds very simple, it is much more complex when organisations operate with your company in multiple countries, and sometimes with different names for different branches. Removing duplicates is a very simple and effective way to cull companies that do not require due diligence from the third party lists.
Step 2 – Remove multiple country versions of the same third parties
The next consideration should be those companies that operate in multiple countries with your company. This might include, for example, a logistics or freight forwarder that operates in multiple jurisdictions. In many companies this entity may appear five to ten times in your due diligence request list.
It is good practice to remove those entities from your list and categorise them in a different area. This other area would require further analysis and a different approach at handling from an operational perspective. For example, it would not be appropriate to conduct a fill due diligence on every branch when the same entity exists in multiple countries. It is far more cost-effective and useful to review one combined report for that entity which covers all jurisdictions. A different approach that is often tailor-made for that particular company is required.
Step 3 – Removing very low-level categories
The third and most significant way of removing organisations is by organisational type. One of the most frustrating aspects for someone conducting third party due diligence in a particular country is to see his or her budget being spent on very small entities or those that only provide coffee or other disposables to the office. These companies are clearly not designed to have due diligence conducted on them; their risk profile is typically extremely small, and if any risk does exist then due diligence is generally not the answer to extinguish or manage that risk. It is important at this juncture to remove as many of those providers that you can from the lists and to treat them in a different category.
It may be that in some cases due diligence on these entities is ignored altogether (because the risk is so small), or in other cases a very light form of due diligence is done. Organisations that fall into this category are typically producers of office supplies, taxi providers, airlines, and other suppliers who render disposable or non-competitive products that are not involving any connection with government.
Step 4 – Removing the extremely small companies
The fourth category of list culling is removing those organisations which are extremely small.
Many organisations will have resellers or distributors that are one-off or extremely small in volume. While one-off distributors are generally represented as high-risk because they may have appeared out of nowhere and can be a conduit for a conflict of interest, in many cases these small one-off distributors or very small distributors have a very low risk of corruption or bribery. For example, if your distributors typically sell greater than $100,000 per year in sales, you might decide to exclude any distributors that purchase less than $5000 per year from the due diligence process.
Most organisations will have a large number of distributors or resellers which are extremely small and should not be included in the standard due diligence process simply because the costs of compliance are greater than the expected profit that would come from conducting due diligence. That is not to say that there is no risk in those small third parties; as has been proved through the cases, very small payments or bribes in very small transactions could give rise to significant liability for a company. However, it is important to take a commercial and risk-based approach to deciding how best to implement a programme in a way that is cost-effective and business-focused. In these circumstances it is up to the organisation to set their own risk profile and determine what level of revenue cut-off is acceptable, based on their appetite for risk. It might be perfectly acceptable to just conduct simple and automated watchlist/sanctions-lists checks through your accounting system for this category.
Step 5 – Inactive organisations
Another simple way of reducing the volume of the due diligence process and the companies which will be falling into the due diligence process is to exclude those organisations that have not conducted sales or have conducted supply operations with your company, say, for the last 12 months or two years. Although these entities may be listed in your accounting system or in your third party compliance system, the fact that they have not conducted business with your company may mean that they are not appropriate to conduct due diligence on. A better approach is to separate those organisations into a different category and put them “on hold” or “inactive”, only using them when necessary. If that organisation places another order they would then become an active supplier, reseller or distributor, and then go into the appropriate due diligence process. The organisations would not be subject to due diligence initially but would be once they became active again.
Task 4. Using a questionnaire system
You will need to decide whether or not your organisation will develop a questionnaire system as part of its due diligence process. It is not uncommon for organisations to use a questionnaire across some or all of its third parties in a project. It is of growing importance that a questionnaire is structured correctly and includes only those questions which are essential to an organisation and its process.
For example, if your organisation already sends out multiple questionnaires to its suppliers or its channel partners, it is important that you do not duplicate the information that has already been requested in those. Nothing annoys a third party more than filling out unnecessary forms from the organisation it is doing business with, particularly so when the same information has been requested multiple times from multiple places.
It is important at this juncture to determine what information you already have in your corporate records on a selected third party. It is always advisable to use the information you already have, rather than collecting that information again by use of a questionnaire.
If using a questionnaire process, you also need to consider the languages that the questionnaires will be in. It is common, particularly when there are small third parties used in emerging markets, to use a local-language questionnaire. This clearly assists the third party in completing that information and providing accurate data. Having a local-language questionnaire also means that the people from your organisation that are going to review it will also need to speak or read the language in which the questionnaire has been completed. It might be necessary in those cases to have the initial review of the questionnaire done at a local level, rather than at a corporate level where English is the predominant language.
Other considerations which need to be dealt with here include:
- Drafting the questionnaire in a way which is simple and provides a minimal number of options for the person completing it
- Drafting the questionnaire in simple, easy-to-understand language so it will not confuse the recipient
- Only including questions that are absolutely necessary; not simply asking questions because it is nice to know the answers.
The questionnaire process also needs to consider any red flags that may arise – if a person completing the questionnaire answers questions in a particular way, does that give rise to certain red flags, and how should those red flags be dealt with? In many cases, organisations will set some form of scoring methodology to try and determine a risk-based approach to the answers given on a questionnaire. The risk-scoring methodology can be integrated into the questionnaire to provide guidance to the receiver of the completed questionnaire as to what red flags there might be and what level of due diligence should therefore be conducted. It is worth noting here, however, that it is only a small proportion of completed questionnaires which give rise to significant red flags.
The questionnaire process is most effective when you do not have any knowledge on a third party other than perhaps their name, and you are seeking to obtain very basic information about them. This information often includes their operating address, their principal and contact information, and some disclosures as to whether or not they have made any illegal payments, bribes, or other corrupt activity in the course of doing their business.
The questionnaires are also useful to obtain privacy sign-offs (to allow you to use the information), and for the due diligence to continue. It is unusual for questionnaires to extend beyond 15 or 20 questions. It is always advisable to limit the number of documents which a company completing a questionnaire will be required to upload in order to complete the questionnaire, firstly because of the difficulty in doing so for them, and secondly because these documents should be reviewed and assessed because they form part of your corporate records in the organisation.
Common questions when considering the use of questionnaires:
- Who will be organising the due diligence?
- Who will be reviewing the due diligence?
- Who will be acting upon any red flags identified in the due diligence?
- Who will be recording the approvals and other workflow documents that are assessed as part of the due diligence?
- Will you be using a questionnaire as a means of collecting information from the third party?
- How will that questionnaire be reviewed and assessed?
- Will there be different types of questionnaires for different types of third parties?
- Will those questionnaires be in different languages?
- To whom will the questionnaires be sent?
- Do you have an accurate email address for the recipient of the questionnaires at the relevant third party?
When a questionnaire is assigned to a third party, it is important that you know the name and email address of the recipient in advance. Many organisations do not have this information in their corporate records, and it will need to be researched beforehand in order to assign the questionnaire to the right location.
Organisations will also need to consider what happens when completed questionnaires come back. For example, are they going to go back to whoever assigned them for review and analysis, or are they going to be sent to another person, such as a regional counsel or a regional finance person, or perhaps they will go to the corporate compliance office?
Some organisations will have multiple levels of assignors and reviewers of questionnaires. Most systems will enable you to have multiple levels and to have up to five approval systems to support the review and analysis of a questionnaire. This needs to be developed at the front end of the setup of any technology system in order to avoid complications down the track of tasks being incorrectly delegated back to the people who assigned the questionnaires, rather than those who are going to be the reviewers.
Our Compliance Managed Services helps clients to navigate the everyday compliance burden with a cost effective solution to run your compliance programme.
Find out more here
Task 5. Consideration of a pilot programme
At the start of this exercise consider whether or not you are going to have a pilot of the due diligence process in certain countries or regions. Having a pilot process is important because it gives the organisation an opportunity to get to know its own process and to see it work in action. This identifies any roadblocks, confusions or places where the process could be improved. It often involves a level of communication and training to any people involved in the due diligence process, so that they truly understand their roles.
Many organisations choose to roll out the pilot process in the certain countries or regions that are considered safer and low-risk, like the United Kingdom or Australia. However, it is more important that you conduct due diligence in the highest-risk areas as part of the pilot. It is those areas where you are most likely to find red flags or issues that will enable the pilot to grow and teach your organisation about the follow-up steps of the pilot process and how it can be improved. Rolling out a pilot to the safer countries typically does not generate the learnings required as part of a pilot programme.
Task 6. Deciding which level of due diligence should be completed on a third party
As part of the development of a third-party programme it is normal for organisations to have multiple types of due diligence available. These types are typically classified in various levels: from 1 to 5; or by naming them according to risk: high, medium, low, very low or basic. These are typically organised with the due diligence provider, who is able to provide you a mixture of levels which will reflect the risk that is associated with a third party. In many cases, there will be differing types of due diligence being conducted, which will allow the provider to obtain more data from the marketplace on which it, and you, can assess the third party’s integrity and compliance.
There are, of course, different costs associated with conducting different levels of due diligence. It is for this reason that you must carefully set out the different levels and the costs associated with them so as to determine how many third parties fall into each category. This will make up a significant amount of the budget that you have applied to a project.
Task 7. Reviewing due diligence report
Many organisations focus on requesting the due diligence and rapidly getting the project underway. While it is commendable for organisations to get the process moving quickly in the eyes of its attorneys or an outside regulator, it is important that the organisation properly thinks through how best to deal with the reports that are produced as part of that process.
It is common for due diligence to produce more questions than answers; due diligence reports usually contain further analysis steps, require further identification of people and companies, and simply raise red flags, which is the intent of the process.
Due diligence is not typically a simple check-the-box process. While this might be the case for very low-end watchlist or sanction-list searches, it is not the case for the higher-end searches that involve an analysis of a company’s integrity or their reputation in a marketplace.
It is also important to understand that the data which is collected internationally from emerging markets is typically inconsistent, broken or incomplete. It is a due diligence provider’s responsibility to collect the information, compile it in a way that makes sense, and produce to you a consolidated report that attempts to draw out the red flags and issues which have arisen in that data-collection process.
In many cases the data itself gives rise to issues, either because it is incomplete, inaccurate, or does not exist at all, or the third party has serious issues. In any case, it is important for the company to make an assessment on a report to determine what steps should be taken next. This is where most companies do not think through the process clearly enough at the outset of launching their programmes.
Many companies simply request the due diligence cases then get inundated with the amount of work before they have built a set of preferred approaches or directions on how to deal with issues that arise. In these cases, it is important at the end of the pilot process to develop a comprehensive guide to dealing with red flags. This guide may include the identification of red flags, who in the organisation should assess those red flags and under what assessment protocol, and how the organisation should react. This might include setting up a table or a spreadsheet which gives direction to those people reviewing the cases in the field and contains the necessary sets of instructions and directions to resolve any red flags identified in a report and take the next steps with a particular third party.
Irrespective of the steps taken, it is important that they are documented and that there is a level of consistency across the information. This information should then be reviewed and acted upon in the due diligence process. It is this consistency which will enable an organisation to understand its risk profile and document the way it deals with red flags, which is an essential part of its overall compliance programme.
Task 8. Reporting out on the programme
At the end of the due diligence process rollout, or at the end of the pilot programme, it will be important that you are able to report back to your stakeholders on how the due diligence process has continued. Your stakeholders have invested a large amount of their time, resources, and, no doubt, budget in order to have an effective programme. It is not unreasonable for them to want to see the reports from the due diligence process and, in particular, a relationship between the actual results and the metrics that you have set up at the start of the programme.
These metrics may include the number of third parties which have gone through the process, the number of third parties where red flags have been identified, the time taken to request a report, the time taken for the delivery of the report, the time taken to resolve any outstanding red flags, the number of red flags and the number of third parties who have been terminated from the process.
All of these indicators should be set as metrics in the third-party process and should be reported back to the stakeholders. It is also important that you assess the overall budget of the programme, and that you identify any opportunities to simplify the process or make it more efficient when rolled out more broadly than in the pilot programme.
Implementing a third-party due diligence programme has a series of steps, which, if followed, can enable the organisation to seamlessly interact with its business colleagues and develop a programme which is commercially-sensitive when it comes to costs. Respect the fact that third parties will be engaged by the organisation and the nature of partnership that many of those third parties have with your organisation.
A third-party compliance programme that has been well thought-out, well structured, and well implemented adds value to your organisation. However, programmes which are poorly executed and poorly implemented, and those which are under specced, under resourced and under budgeted often lead to a poor relationship between a compliance team and a business, which is unfortunate and unnecessary.