Due diligence is one of the most critical duties that a corporate compliance program handles. It can also be one of the most painstaking, frustrating, and prone to error. The solution, as compliance professionals have heard so often, is to use an agile, risk-based approach.
So what does that mean, really? How does a compliance leader ensure that the company’s due diligence processes are indeed agile?
Building a Due Diligence Process
Begin with what the Justice Department says about due diligence and third-party risk management. In the department’s guidance about how to evaluate corporate compliance programs, the word “agile” never actually appears in the text—but when you consider what the guidance does say about due diligence, it’s clear that agility is a big part of the message.
Consider this line:
Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners... that are commonly used to conceal misconduct.
That’s just as true for due diligence in acquisitions. “A well-designed compliance program should include comprehensive due diligence of any acquisition targets,” the guidance says—and since every M&A target is unique, the implicit point is that the correct amount of due diligence varies with each deal.
So that’s what the Justice Department means when it talks about a risk-based approach to due diligence. Agility enters the picture when you consider how to live up to that standard the Justice Department wants to see.
In theory, a company could execute all its due diligence processes manually; that’s not against the law. It’s just impractical because manual processes take too long and are too prone to error. Neither your management team nor the Justice Department would be pleased with the results.
Agile due diligence, really, is about embedding and automating due diligence processes as much as possible. Your compliance processes will vary depending on the risk of each third party, and your compliance technology will run those processes as quickly and efficiently as possible.
Sounds like a nifty idea. Let’s unpack its component parts.
Five Pillars for Agile Due Diligence
1. Effective Risk Assessments
To begin, the company needs an effective risk assessment that identifies broad categories of risk. That is, a company that works extensively in emerging markets with high corruption risk has one set of challenges; a company that works with high-net-worth customers in financial services has another.
A risk assessment illuminates what those categories of risk are. That tells the compliance function what sort of questions its due diligence processes will need to answer.
2. Clear Policies
Second, the company needs clear policies about how and when due diligence will happen. Policies guide employees about how due diligence will actually work. Crafted thoughtfully, policies set the thresholds for assurance about a third party that your due diligence processes should extract. For example:
- “Due diligence must be complete before any local agent can receive payments from the company.”
- “Any local agent with prior history of corruption charges must be approved by the chief compliance officer.”
- “Due diligence includes identifying all beneficial owners or controllers of a local agent, and performing criminal background checks on those persons.”
Granted, those are simple examples, but you see the direction: policies spell out what your due diligence processes should achieve, and which processes should happen under what circumstances. That’s what a risk-based approach does.
3. Supporting Workflows
Next, the company needs defined workflows for those processes. Workflows provide structure for how due diligence processes are executed at scale—when you have thousands of third parties to review, across multiple jurisdictions or lines of business. Properly designed workflows are crucial for agile due diligence because, without them, you’re mired in manual processes that take too long (assuming those processes work well at all).
For example, when an operating unit wants to use a new third party, the workflow could be that the unit first provides basic information to the compliance function. The compliance function’s technology then performs certain due diligence procedures, depending on the risks that a specific third party brings. Only after due diligence is complete can the operating unit or legal team sign a contract with the party, or the accounting team process payments for it.
4. Technology & Automation
Fourth, the company needs technology that embraces automation. Automation is at the heart of agility and risk-based due diligence. Policies outline the steps for due diligence at a conceptual level, workflows outline the steps at a task level—and then automation accelerates that work as much as possible. It alleviates the burdens on employees and reduces the chance for error or fraud at the same time.
5. Data Analytics
Finally, the company needs data analytics and reporting to show how well due diligence is actually working. Even the most automated, agile, risk-based due diligence program can still encounter errors. Risk profiles change, sketchy third parties try to evade detection, pressured employees find new ways to circumvent corporate policy.
That’s natural, and regulators have long stressed that they don’t expect perfection in due diligence. They do, however, expect sincere efforts to monitor the compliance program’s success and to remediate weak spots where necessary. That expectation for assessing the effectiveness of your program (due diligence included) goes all the way back to the U.S. Sentencing Guidelines introduced 30 years ago.
Monitoring, data analytics, and reporting are how those course-corrections get done—how a company makes its due diligence more agile, if you will. They help compliance officers identify changes in policy and workflow that make due diligence even more integrated into business operations.
Plus, the Human Factor
None of this works without strong leadership and deft interpersonal skills. Compliance officers need to work with others across the enterprise to develop policies and workflows that will at least win the respect (and ideally, the enthusiastic support) of employees whose routines will be touched by due diligence. The senior executive team needs to communicate its own support for a strong culture of compliance, and due diligence is part of that culture.
The goal is a due diligence process that’s responsive to the business: responsive to the risks that each third party brings, and responsive to the speed with which the company wants to move. That’s agile due diligence—and it’s what compliance programs need to develop to satisfy regulatory compliance and business demands at the same time.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.