Risk-based due diligence process
Because a comprehensive due diligence system is a key element of effective compliance, it should never be a “check-the-box” exercise. Due diligence reviews must be meaningful and effective: they exist to prevent violations and the enforcement actions that follow, and, if a violation does occur, to support a reduced sentence for the company.
But how do companies balance the need for thorough due diligence against time and budget constraints? The answer is risk-based due diligence. This approach will generally include the following elements:
Identify and rank third parties
As an initial matter, companies should understand the universe of their third parties and establish parameters regarding when to conduct due diligence. Keep in mind that it won’t always make sense to conduct the same level of due diligence on every third party that the organization engages. For example, if a company’s due diligence program is primarily aimed at assessing FCPA risk, it probably doesn’t make sense to conduct extensive due diligence on third parties located in the U.S. with no expected interaction with foreign officials.
Third-party risk assessment
Once an organization has defined which third parties justify a due diligence review, the next step is to sort those third parties into low-, medium- and high-risk buckets. This can be approached in various ways. Some companies use a scoring system that calculates a third party’s risk from a predetermined formula weighing factors such as location, industry, government ties, services to be performed, anticipated annual spend, and compliance history. Other companies use a simple matrix that raises the due diligence level based on two questions: whether the third party is expected to interact with foreign government officials, and where the third party is located. Under such a matrix, a third party located in a low-risk country (usually determined by consulting Transparency International’s Corruption Perceptions Index) with no government interaction gets a “Level I” review, while a third party in a high-risk country that will interact with government officials gets the most intensive review.
Not every third party warrants the same depth of review. For example, a paper supplier from Canada will generally pose less potential risk than a sales agent interacting with foreign officials in the Middle East and North Africa, and the two should not consume the same review effort. A tiered approach (i.e., Level I, Level II, Level III) in which the high-risk third parties receive the most time, resources, and money creates a more strategic and effective contract management workflow.
Carry out the review
After the organization decides on the scope and extent of the due diligence it will perform, the next step is to carry out the review. For most companies, this process begins with data collection through internet searches and questionnaires sent to the third party. The collected data should then be analyzed and confirmed against independent sources such as business registries and watch list databases. For higher-risk third parties, a company should consider engaging an external due diligence service to provide additional insight. Any inconsistencies or gaps in the information should be noted and, if possible, resolved with the third party. Reviewers should remain vigilant for red flags that surface during the review, for instance circumstances suggesting a strong compliance risk for corruption or other improprieties such as human rights abuses.
Documentation and approval
The final stage in risk-based due diligence is to document the results of the research (usually through a formal report), communicate the results to the business unit seeking to engage the third party, and recommend whether to move forward with the proposed contract or transaction. Documentation should be clear, succinct, and stored in a central location for safe recordkeeping, usually under the care of the legal or compliance departments. A single contract management platform can help legal departments more efficiently store, manage, and analyze contracts throughout their lifecycle.
Unless there is an outright prohibition on doing business with a third party (e.g., economic sanctions prohibitions), final approval is often left to the discretion of the nominating business unit. That said, the business unit and the department responsible for due diligence should work together to identify and mitigate any outstanding risk. At a minimum, companies should require the third parties they engage to sign compliance representations and warranties as part of their written contract. Additional efforts may be necessary for third parties that pose a higher compliance risk, including annual compliance certification renewals, compliance training, transaction monitoring, “refresher” due diligence reviews, and exercising audit rights.