The Red Flag Group®

Due diligence on suppliers


How to succeed in supply chain risk management

Supply chain risk management programmes need to be updated as the risks presented by suppliers have drastically changed in recent years. Risk areas that have not previously been considered now need to be high on the agenda for compliance and procurement professionals.

The types of risks presented by suppliers have expanded to include environmental risks, human rights, diversity, cybersecurity, intellectual property and the handling of personal information. The Red Flag Group has identified 30 risk areas across four different categories that must be considered in any risk management programme:

  • antitrust and corruption
  • employment, safety and reputation
  • cybersecurity and business stability
  • environment and governance

Every supplier poses a unique set of risks depending on the nature of their business, their location and their industry. With awareness of the connection between a supplier’s issues and their impact on the business, a risk-based approach is the best way to manage a supply chain.

The Red Flag Group recently covered this topic in a webinar hosted by director of content Christopher Sindik, compliance ambassador Tom Fox, and manager of the Firm’s Supplier Ecosystem Initiative™ Jared Connors. Here are the key takeaways from the presentation:

How to build a programme

In a poll conducted during the webinar, the majority of respondents (52 percent) voted for antitrust and corruption risks as having the greatest potential to cause reputational or operational damage. While these risk areas have traditionally led to the most serious consequences in terms of government fines and penalties, the webinar presenters contended that the result would change if a more holistic view of supply chain risk management were taken. Additionally, the compliance department has historically focused on the operational risks of suppliers, while other departments, such as procurement, treat risks around business continuity as a higher priority.

The biggest roadblock to effectively managing suppliers is not understanding the variety of risks presented and how they can negatively impact the business. The first step in adopting a risk-based approach to supply chain risk management is to identify and get to know your network of vendors and contractors. Companies might have 10,000 suppliers in their supplier database but they are actually only doing business with a small portion of them. It is important to focus on the suppliers that are actively working for the company, as conducting in-depth research on a long list of potential suppliers can be an inefficient use of resources. The basic steps of building a quality programme include:

  • Identify
    • what risks are in your supply chain
    • which suppliers represent the biggest potential for risk
  • Collect
    • media reports and public filings of the target business
    • gather questionnaires and supporting policies and procedures
  • Evaluate
    • analyse the data collected and compare against expectations
    • assess the potential impact on the company
    • assign risk levels
  • Mitigate
    • document findings and keep an audit trail
    • communicate corrective actions to suppliers

It is essential that suppliers are involved from the beginning of the risk management process and that communication lines are open and frequently used.

After the initial assessment, the next step is to use questionnaires, reports, surveys and polls to gather information from your suppliers. This is a good opportunity to learn whether compliance is visible to, or a priority for, your suppliers. The right questions must be asked, and they must be applicable to each third party in your supply chain.

After data is collected, it must be expertly examined and processed if companies are to mitigate the identified risks.

Evaluate and mitigate

Once the data has been compiled, the compliance team must analyse and aggregate the information. It is important to remember the mantra ‘trust but verify’. Information and responses should not be taken at face value; they need to be validated and substantiated.

Given the information obtained, it is then the duty of companies to formulate corrective measures to minimise liabilities that could potentially lead to enforcement action or reputational damage. It is vital that these are understood by the supplier and communicated to them so that the necessary actions can be carried out.

Communication is essential during the whole process and should be fostered early on in the risk management of supply chains. Companies are likely to get more useful and thorough data if they use a collaborative approach with suppliers where their intentions are clear. If companies try to force or threaten suppliers, it can often lead to greater push-back and less forthcoming information. Documentation and creating an audit trail should also be taken into account during the entire process to anticipate possible investigations that regulatory authorities may conduct.

Robust risk management

An effective risk management programme typically involves many different groups within a company, including Procurement, Corporate Social Responsibility, Compliance, Corporate Affairs, Audit and Legal. There are typically two models of risk management – centralised and decentralised – and each has its own strengths and weaknesses.


In a centralised model, the risk management programme is run and owned within a single group. This promotes consistent messaging with suppliers and allows for other departments to focus on other tasks. However, some drawbacks to this approach include internal strife over relationship ownership and suppliers feeling disconnected from the company.


With a decentralised approach, elements of the risk management programme are owned by different stakeholders within the organisation. This model promotes collaboration and benefits from the unique strengths of different functions within the company. However, suppliers can sometimes feel that they are being pulled in different directions if the messaging is not consistent, and it requires all of the relationship owners to coordinate in order to stay up-to-date on the status of the programme.


Almost half of the webinar participants confirmed that they have implemented a hybrid model for risk management that incorporates elements of both the centralised and decentralised approach. In the hybrid model, each department can make their own contributions to the supply chain risk management programme:

  • procurement – supplier prioritisation and understanding the risks associated with specific commodities
  • corporate affairs – understanding regulatory changes and communication with stakeholders
  • corporate social responsibility – code of conduct requirements and supplier engagement
  • compliance – training, questionnaires, risk scoring and responding to reports of misconduct

In addition, having technology support the risk management programme is essential to ensuring that procedures are being properly implemented. This is because it allows for activities to be automatically monitored and coordinated between the company and supplier.

While 47 percent of webinar participants said that they did not yet have a technological solution in place to support their supply chain risk management efforts, many confirmed that they are currently reconsidering this.

Software is just one part of the supplier risk management programme. A company team with the right capabilities must use technology in a way that complements the human element of the programme – for example via communication, on-the-ground audits, or regular interactions with suppliers. Specialists need to analyse the potential impact of risks and determine the necessary mitigating actions. Technology can remove some of the more tedious tasks of supplier risk management and allow staff to focus on the more critical elements of the programme.


It is vital that processes are proactive and predictive, so that issues do not fall through the cracks and red flags are spotted as soon as possible. The assessment of supplier risks should also not be a one-time occurrence but an ongoing process throughout the lifecycle of a supplier relationship. Companies have to evaluate suppliers against a wider scope of risks over a long period of time, and adapt to changing business processes and legal and compliance environments.

By enlisting the different skillsets of multiple departments within an organisation, a company can more effectively manage supplier risks. The risk universe is rapidly expanding and companies need to take a modern and holistic approach to supply chain risk management in order to effectively mitigate reputational risk.


Who needs due diligence?

Any trading business, regardless of its size, should carry out due diligence on suppliers. This ensures that its business profile and reputation are not damaged by association with a bad business partner or supplier.

For European companies, it is a way of understanding whom they are dealing with and whether their trading partners are ethically compatible with them.

If the third party is based in the UK, it can be comparatively easy to check their records and to conduct a search on them. Further references can also be obtained from competitors and by means of their quality assurance accreditations. On the other hand, international third-party risk can be extremely difficult to monitor and assess.

Effective third-party due diligence on suppliers

Due diligence on suppliers should take into account the strategic, financial, legal and reputational risks the company may be exposed to. This step by step guide outlines how to create a due diligence process:

Stage 1 - Research and investigation

The following information should be obtained wherever possible:

  • Company structure and incorporation documents
  • Key shareholders, board members and beneficiaries
  • Disclosures on any political connections
  • Certified proof of any industry standards and compliance with health and safety legislation
  • The financial stability of the business
  • Quality and environmental management systems, and documentation to verify them
  • Any Corporate Social Responsibility or Ethical Sourcing policies
  • Trading terms

The due diligence process should include verification of the data presented, e.g. by credit checks, competitor references, public records, online databases and media reports.

Stage 2 - Watchlist screening

All parties (including associated trading partners and key personnel) should be screened against watchlists covering criminal entities, political affiliations, disqualified companies and global sanctions.

Stage 3 - Risk assessment

The risk assessment evaluates the data collected and should take into account specific country and sector risks which may expose the business to money laundering. It should also consider risks arising from employees, for example gaps in training, skills and knowledge, excessive risk-taking, hospitality expenditure or political donations.

Stage 4 – Review

In order to justify the actions taken as a result of due diligence, all decisions should be clearly recorded together with the rationale behind them. Third-party proofs should be obtained to substantiate data wherever possible. This also allows the due diligence process to be audited.

Due diligence on suppliers as a continual process

It is not enough to assume that due diligence on suppliers has finished once this process is complete. Since businesses and the factors effecting need to change with time, it is essential that the relationship is monitored on an ongoing basis to avoid being exposed to risk. However, once the process is set up it should be comparatively easy to adjust it in response to shareholder demands and changing business needs.