Corporate Guidance for a Risk-Based Approach to Due Diligence

Adapted from Corporate Practice Portfolio Series No. 103, Corporate Compliance: Building a World-Class Borderless Ethics Compliance Program, by Jack Quinn, partner, Manatt, Phelps & Phillips, LLP; and Suzanne Rich Folsom, senior vice president and general counsel, Philip Morris International Inc.; et al. Bloomberg Law subscribers can access the portfolio here. Not a subscriber? Request a demo to learn more.

Companies interact with myriad entities and individuals, including suppliers, business partners, and consultants. It’s important to keep track of these relationships and understand the compliance risks that they might pose. Due diligence is a cornerstone of an effective contract management process because it provides a way for corporations to independently and objectively assess the many risks associated with entering a legal contract with a third party. In addition, organizations facing criminal liability can receive a reduced sentence under the U.S. Sentencing Guidelines if they are able to demonstrate an effective compliance and ethics program that uses due diligence to help prevent and detect criminal conduct.

But how does a corporation determine what level of due diligence is necessary? What constitutes a “meaningful” due diligence review? And how does a corporation effectively incorporate due diligence into its compliance program?

Due diligence for effective compliance

Due diligence is the process whereby companies collect and analyze information about others with the goal of ensuring compliance with applicable laws (e.g., anti-corruption and sanctions laws). For some organizations, due diligence is mandatory. For example, the USA PATRIOT Act requires that financial institutions conduct due diligence on clients with the aim to prevent money laundering. But even if not required, reasonable due diligence helps protect a company and its reputation by seeking to confirm that it is doing business with others that share its values.

Given the heightened enforcement of the Foreign Corrupt Practices Act (FCPA) in recent years, due diligence is particularly important for companies operating or looking to do business outside the U.S. Under the FCPA, companies can be held accountable for improper payments made by third parties – such as agents, consultants, or joint venture partners – acting on their behalf.

Risk-based due diligence process

Because a comprehensive due diligence system is a key element of effective compliance, it should never be a “check-the-box” exercise. Due diligence reviews must be meaningful and effective to prevent violations or enforcement actions, or to establish a reduced sentence for the company.

But how do companies balance the need for thorough due diligence against time and budget constraints? The answer is risk-based due diligence. This approach will generally include the following elements:

Identify and rank third parties

As an initial matter, companies should understand the universe of their third parties and establish parameters regarding when to conduct due diligence. Keep in mind that it won’t always make sense to conduct the same level of due diligence on every third party that the organization engages. For example, if a company’s due diligence program is primarily aimed at assessing FCPA risk, it probably doesn’t make sense to conduct extensive due diligence on third parties located in the U.S. with no expected interaction with foreign officials.

Third-party risk assessment

Once an organization has defined which third parties justify a due diligence review, the next step is to categorize these third parties into low-, medium- and high-risk buckets. Determining whether a third party is low, medium, or high risk can be approached in various ways. Some companies use a scoring system that calculates a third party’s risk based on a prechosen formula that considers risk factors such as location, industry, government ties, services to be performed, anticipated annual spend, and compliance history. Other companies use a simple matrix that increases the due diligence level based on whether the company is expected to interact with foreign government officials and where the company is located. Thus, third parties located in low-risk countries (usually determined by consulting Transparency International’s Corruption Perceptions Index) with no government interaction will get a “Level I” review, while the opposite will get a higher-risk review.

Not all due diligence reviews should employ the same level of due diligence. For example, a paper supplier from Canada will generally pose less potential risk than a sales agent interacting with foreign officials in the Middle East and North Africa. Utilizing a tiered approach (i.e., Level I, Level II, Level III) where the high-risk third parties receive the most time, resources, and money creates a more strategic and effective contract management workflow.

Due diligence

After the organization decides on the scope and extent of the due diligence it will perform, the next step is to carry out the review. For most companies, this process includes data collection through internet searches and questionnaires. Then, the data should be analyzed and confirmed through independent sources like business registries and watch list databases. For higher-risk third parties, a company should consider engaging an external due diligence service to provide additional insight. Any inconsistencies or gaps in the information should be noted and, if possible, resolved with the third party. Reviewers should remain vigilant to identify any red flags that come up during the review – for instance, circumstances suggesting a strong compliance risk for corruption or other improprieties, like human rights abuses.

Documentation and approval

The final stage in risk-based due diligence is to document the results of the research (usually through a formal report), communicate the results to the business unit seeking to engage the third party, and recommend whether to move forward with the proposed contract or transaction. Documentation should be clear, succinct, and stored in a central location for safe recordkeeping, usually under the care of the legal or compliance departments. A single contract management platform can help legal departments more efficiently store, manage, and analyze contracts throughout their lifecycle.

Unless there is an outright prohibition on doing business with a third party (e.g., economic sanctions prohibitions), final approval is often left to the discretion of the nominating business unit. That said, the business unit and the department responsible for due diligence should work together to identify and mitigate any outstanding risk. At a minimum, companies should require the third parties they engage to sign compliance representations and warranties as part of their written contract. Additional efforts may be necessary for third parties that pose a higher compliance risk, including annual compliance certification renewals, compliance training, transaction monitoring, “refresher” due diligence reviews, and exercising audit rights.

Implementing a risk-based due diligence program

The approach outlined above is considered best practice for risk-based due diligence. However, every company must independently determine the extent of due diligence that its organization requires based in its own risk profile. Many companies also speculate about whether due diligence should be handled in-house or outsourced to one of the many external providers that specialize in this area. Again, this is a question of budgeting and company resources.

Many large corporations will find that it’s more cost-efficient to conduct the reviews in-house, while those with smaller compliance departments may not have the staff or resources to handle due diligence. Others use a combination, with in-house staff completing Level I and Level II due diligence reviews, and outsourcing Level III reviews to outside vendors that are highly experienced in deep-dive due diligence.

Pre-transaction due diligence

Due diligence is particularly important in a situation where a company is considering entering into a joint venture or acquiring another company in whole or in part. Organizations should use their due diligence process to conduct a thorough review of the potential partner or target entity.

Pre-transaction due diligence may include, without limitation:

• Review of corporate structure.
• Review of books and records.
• Reputational due diligence.
• Targeted interviews.
• Transaction testing for select compliance-sensitive accounts.
• Review of any regulatory, criminal, or civil proceedings.
• Review of key contracts and business dealings.
• Review of any key organizational compliance policies and procedures.

A company’s due diligence efforts shouldn’t stop with third parties. Under the Federal Sentencing Guidelines, organizations must also use reasonable efforts to avoid delegating substantial authority to personnel who the company knows – or should have known through the exercise of due diligence – have engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program. For this reason, many companies conduct due diligence before hiring senior-level employees as well.

Bloomberg Law Contract Solutions helps you comply with confidence

With the ever-expanding globalization of business, due diligence has become increasingly important to guard against corruption-related legal liability and reputational risks. Download our GC Guide to Navigating 2024: Transactions and Contracts for insightful analysis and practical guidance to help you prepare for key transactions and contract developments impacting in-house legal teams in the year ahead, including new export controls for global trade and a new approach to M&A due diligence.

Automating parts of the contract management process can take the research burden off attorneys, save them time, and help ensure compliance. Software solutions can make contract workflows more efficient, but more than half of all contract workflow technology survey respondents aren’t using a single platform or use general document systems to manage contracts – and of those who are, 3 out of 4 in-house counsel are dissatisfied with their existing contract workflow technology.

Bloomberg Law Contract Solutions is designed to solve the most pressing workflow challenges for in-house counsel, with minimal time and resources needed to onboard, implement, and use. Request a demo how Contract Solutions can help you more efficiently store, manage, draft, negotiate, and analyze contracts.