The Red Flag Group®

Third party due diligence


Third party due diligence step by step


Step 1 – Remove duplicates

The first and most obvious way to reduce numbers is to remove duplicates. While this sounds very simple, it can become much more complex when organisations deal with your company in multiple countries and under various names. Removing duplicates is a very simple and effective way to cull companies that do not require due diligence from the lists of third parties.

Step 2 – Multiple countries/regional third parties

The next consideration should be those companies that operate in multiple countries with your company. This might include, for example, a logistics or freight forwarder that operates in multiple European jurisdictions. In many companies such an entity may appear five to ten times in their diligence request list.

It is good practice to remove those entities from your list and categorise them in a different area, which would require further analysis and undoubtedly a different approach to handling them from an operational perspective.

For example, it would not be appropriate to conduct a full due diligence on the same entity in multiple countries; there is simply too much redundancy. It would be far more cost-effective and useful to review one combined report for the entire entity. A different, tailor-made approach is often required for this type of company.

Step 3 – Removing very low level categories

The third and most significant way of removing organisations from your third-party due diligence list is by organisational type. One of the most frustrating aspects of conducting third party due diligence for a particular manager in a country is to see his or her budget being spent on conducting due diligence on very small entities, such as those that provide coffee or other disposables to the office. Due diligence is clearly not designed for companies like these. Their risk profile is typically extremely small, and if any risk does exist then due diligence is usually not the way to extinguish or manage it. It is important at this juncture to remove as many of those providers as you can from your list, and to treat them in a different category.

In some cases it may be that due diligence on these entities is ignored altogether (because the risk is so small), and in others a very light form of due diligence may be done. Organisations that fall into this category are typically office supplies producers, taxi providers, airlines, and other suppliers who render disposable or non-competitive products that do not involve any connection with government.

Step 4 – Removing the extremely small companies

The fourth category of list culling is those organisations which are extremely small.

Many organisations will have resellers or distributors that are one-off, or extremely small in volume. While one-off distributors are generally represented as high risk because they may have appeared out of nowhere and be a conduit for a conflict of interest, in many cases small one-off distributors or very small distributors have a very low corruption or bribery risk. For example, if your distributors typically have sales figures of greater than $100,000 per year, you might decide to exclude from the due diligence process any distributors that purchase less than $5000 per year. Most organisations will have a large number of distributors or resellers which are extremely small and should not be included in the standard due diligence process simply because the costs of compliance are greater than the expected profit that would come from conducting due diligence.

That is not to say that there is no risk in those small third parties. As has been proved in previous cases, very small payments or bribes in very small transactions could give rise to significant liability for a company. However, it is important to take a commercial and risk-based approach in deciding how best to implement a programme in a way that is cost-effective and business-focused. In these circumstances it is up to the organisation to set its own risk profile and determine what level of revenue cut-off is acceptable, based on its appetite for risk. For example, it might be perfectly acceptable to conduct simple and automated watchlist/sanctions-list checks through your accounting system for this category.

Step 5 – Inactive organisations

Another simple way of reducing the volume of the companies falling into the due diligence process is to exclude those organisations that have not conducted sales or supply operations with your company for, say, the last year or two. Although these entities may be listed in your accounting system or in your third party compliance system, the fact that they have not conducted business with your company may mean that they are not appropriate to conduct due diligence on. A better approach is to separate those organisations into a different category and put them “on hold” or “inactive”. If that organisation places another order they would then become an active supplier, or reseller or distributor, and then go into the appropriate due diligence process. That means that the organisations are not subject to due diligence initially, but once they become active again will be subject to due diligence.


Once the above steps are completed, the scope of the third parties that are subject to the due diligence process is typically reduced by approximately 20 to 25 percent. Making this reduction and focusing the list more specifically on the risk areas that are most likely to cause significant problems to the company is key to making the third party due diligence programme business-focused and effective.


Third party due diligence

Outsourcing has become a business necessity for organisations that want to remain competitive and financially stable. The outsourcing may be done for a variety of reasons. It may be to acquire skills, extend a product portfolio, minimise costs or simply to have a more flexible labour force.

Whilst the benefits of outsourcing are numerous, there are also certain risks involved.

When entering into agreements with third parties, it is critical that the organisation ensures that those third parties comply fully with its internal and legal requirements, particularly in areas such as corruption, IT and business continuity.

If the associated third parties are involved in non-compliant or illegal operations, it can damage the reputation of the organisation and may also result in fines, penalties and loss of business.

Third party management

When evaluating a new partner or a trading party, many companies perform rigorous background checks to make sure that the association will not have any negative impact on the business.

Whilst this is of course admirable, what happens when the third parties are on board?

Unfortunately, all too many businesses have few or no procedures for checking and monitoring their third party associates once they are on board. Some even fail to understand that they are ultimately responsible if they fail to identify and address an issue.

Regulations such as the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, the Federal Trade Commission (FTC) Act, the Health Insurance Portability and Accountability Act (HIPAA), Anti-Money Laundering (AML) requirements and the Dodd-Frank Act have put the spotlight on third party governance. Organisations need to make sure that they fully monitor the third party once they are on board.

Technology and due diligence

Of course, trust plays an important role in any business relationship, but it is no longer enough. Organisations need to be fully aware of any third-party risks and be vigilant in monitoring them. This may seem daunting, particularly in an SME, but if a clearly defined process is put into place the work involved in third party due diligence can be minimised.

By defining specific rules or criteria for each type of third party, organisations can reduce the burden of due diligence and also ensure that strategic third parties are better tracked.

Investing in technology to support the process of due diligence can save both time and money in the long run.

With technology in place, the process of due diligence is no longer reliant on individuals, and everyone within the organisation has access to pertinent information. Basing any decisions on up-to-date information will allow the organisation to act quickly should a crisis occur.

There are many benefits of using technology to support third party due diligence, including:

  • real-time, global data feeds
  • consistent due diligence reporting
  • supporting compliance with third party management regulations

Third parties can enhance an organisation and support its business growth, provided that proactive due diligence is applied on a continual basis from the outset. Engaging experts to set up bespoke technology to support the due diligence process in your organisation will allow you to enjoy the benefits whilst minimising the risks involved.