Our Compliance 101 series continues with a look outside the organization, to one of the most time-consuming and important tasks corporate compliance officers do: third-party due diligence.
Entire books have been written about third party due diligence, but today we’ll focus on a simple question: How does a compliance program even get started on something like this? We can break down the answer into six logical steps.
How to Get Started with Third-Party Due Diligence
1. Find the third parties you currently have
Your company works with third parties, possibly lots of them. You could ask the accounting team, “Send me a list of all parties that receive payments from us,” although that might return more parties than the compliance department needs to worry about. Another route would be to ask leaders of business operations teams to give their lists of resellers, local agents, joint venture partners, and so forth; if the company has a strong culture of compliance and you trust that they’ll tell you the truth.
2. Know the company’s risks
Anti-corruption risk one obvious concern; third parties can also bring money-laundering, trade sanctions, antitrust, or cybersecurity risk. Really, you want to understand your own company’s regulatory and compliance obligations, regardless of any third parties — and then understand how your use of third parties magnifies those risks.
3. Identify your high-risk third regions
Various groups rate countries around the world on those countries’ corruption risk — and in any country with high corruption risk, you can assume local agents and other third parties in those countries are also high-risk. That is where you will need to perform more rigorous due diligence.
4. Understand the due diligence processes your company currently uses
The truth is that your organization already does at least some due diligence, even if it’s only a sales executive asking the reseller to correctly spell his or her name for a paycheck. Talk to people in the finance and accounting functions about how third parties get paid; talk to people in procurement or business functions about how third parties are selected. Recall the company’s risks from Step 2, and ask: “What do we do right now to be sure these transactions don’t trigger that risk?” Prepare for much staring at shoes.
5. Understand the reporting processes your company uses
Again, your company already does at least some reporting about its transactions with third parties, even if that reporting is scattershot discussion via email and phone calls, with no aggregate analysis. The point here is simply to understand what the company’s current process for third-party due diligence is, even if — especially if, really — the current process is terrible.
6. Start to think about improvement and automation
Only when the compliance officer has a complete, clear-eyed understanding of the company’s current third-party due diligence, can you then begin considering how to improve the situation. Almost always, that improvement will involve some automation of due diligence tasks. That could be integrating background checks from outside sources, or automating the collection of certifications from third parties, or implementing new rules to block payments to any third parties that haven’t completed due diligence.
Understand the Bigger Picture
The six steps above are a natural candidate for a gap analysis: studying the difference between what regulations require your business to do to manage risks, and what your business actually does to manage risks. If this is your first time approaching third-party due diligence, that’s how you start. You perform a gap analysis.
Improving third party due diligence is really about understanding workflows within your organization. As we said, your business already does at least some due diligence, if only to find a third party and pay it to do something on your company’s behalf. Whatever that process is — that’s a workflow. It might be inadequate and arbitrary and invite all sorts of risk to your organization, but it’s there.
Then comes the process of improving that workflow. Compliance officers need to think practically about how to do that because lots of improvements make great sense in theory… and then employees flout them in practice. If you impose manual, time-consuming tasks, they won’t do it. If you start by blocking all payments, they’ll find workarounds. If you don’t consider how to automate reporting, you’ll never fully understand whether your third party due diligence program works.
That’s why technology, specifically automation, is so crucial to improving due diligence. It can put more power into the workflow, without additional burden or disruption falling on employees that could cause them to try and evade compliance. Plan it well, and your automation of third party due diligence will make workflows easier for employees while also reducing compliance risks for the business.
Developing meaningful stakeholder engagement to successfully manage risk
Integrating third-party data into your third-party risk management (TPRM) program - Integrating with third party systems
Interacting with high-risk parties and government officials in the life sciences and extractive industries sectors