Five steps for preparing third party due diligence
Understanding your partners’ integrity and compliance profiles can help you minimise and mitigate potential risks that your partners may cause to your business, brand and reputation. Thus, its important to have an effective thought-out process. Here are five steps to consider when preparing your third party due diligence process.
Step One – Remove duplicates
The first and most obvious way to reduce numbers is to remove duplicates. While this sounds very simple, it can be made much more complex when different functions within an organisation are working with different third parties. Even more so when partners operate with your company in multiple countries and in various names. Removing duplicates is a very simple and effective way to cull companies from the third party lists that do not require due diligence.
Step Two – Multiple countries/regional third parties
The next consideration should be those companies that operate in multiple countries with your company. This might include, for example, a logistics or freight forwarder that operates in multiple European jurisdictions. In many companies such an entity may appear five to ten times in their diligence request list. It is good practice to remove those entities from your list and categorise them in a different area, which would require further analysis and undoubtedly a different approach at handling them from an operational perspective. For example, it would not be appropriate to conduct a full due diligence on the same entity in multiple countries. It would be far more cost-effective and useful to review one combined report for the entire entity. It is simply not practical to conduct the same due diligence on the same entity in multiple countries; there is simply too much redundancy. A different, tailor-made approach is often required for this type of company.
Step Three – Removing very low-level categories
The third and most significant way of removing organisations from your third party due diligence list is by organisational type. One of the most frustrating aspects of conducting third party due diligence for a manager in a country is to see his or her budget being spent on conducting due diligence on either very small entities, such as those that provide coffee or other disposables to the office. These companies are clearly not designed to have due diligence conducted on them. Their risk profile is typically extremely small, and if any risk does exist then due diligence is usually not the answer to extinguish or manage that risk. It is important at this juncture to remove as many of those providers that you can from your list, and to treat them in a different category. In some cases, it may be that due diligence on these entities is ignored altogether (because the risk is so small), and in others a very light form of due diligence may be done. Organisations that fall into this category are typically office supplies producers, taxi providers, airlines, and other suppliers who render disposable or non-competitive products that do not involve any connection with government.
Step Four – Removing the extremely small companies
The fourth category is segmenting those organisations which are extremely small. Many organisations will have resellers or distributors that are one-off, or extremely small in volume. While one-off distributors are generally represented as high risk because they may have appeared out of nowhere and be a conduit for a conflict of interest, in many cases small one-off distributors or very small distributors have a very low risk of corruption or bribery. For example, if your distributors typically have sales figures of greater than $100,000 per year, you might decide to exclude from the due diligence process any distributors that purchase less than $5000 per year. Most organisations will have many distributors or resellers which are extremely small and should not be included in the standard due diligence process simply because the costs of compliance are greater than the expected profit that would come from conducting due diligence.
That is not to say that there is no risk in those small third parties. As has been proved in previous cases, very small payments or bribes in very small transactions could give rise to significant liability for a company. However, it is important to take a commercial and risk-based approach in deciding how best to implement a programme in a way that is cost-effective and business-focused. In these circumstances it is up to the organisation to set their own risk profile and determine what level of revenue cut-off is acceptable, based on their appetite for risk. For example, it might be perfectly acceptable to conduct simple and automated watchlist/sanctions-list checks through your accounting system for this category.
Step Five – Inactive organisations
Another simple way of reducing the volume of the companies falling into the due diligence process is to exclude those organisations that have not conducted sales or supply operations with your company for, say, the last year or two. Although these entities may be listed in your accounting system or in your third party compliance system, the fact that they have not conducted business with your company may mean that they are not appropriate to conduct due diligence on. A better approach is to separate those organisations into a different category and put them “on hold” or “inactive”. If that organisation places another order they would then become an active supplier, or reseller or distributor, and then go into the appropriate due diligence process. That means that the organisations are not subject to due diligence initially, but once they become active again will be subject to due diligence.
Once the above steps are completed, the scope of the third parties that are subject to the due diligence process are typically reduced. Making this reduction and focusing the list more specifically on the risk areas that are most likely to cause significant problems to the company is a key attribute in making the third party due diligence programme business-focused and effective.