Most companies fully understand the need to comply with the requirements around third-parties as they represent the greatest risks for bribery and corruption. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up and running business in place. This means they may need to bring resources to bear to do so while continuing operating an ongoing business. This can be particularly true in the area of performing due diligence on third-parties. Many companies understand the need for a robust due diligence program to investigate third-parties but have struggled with how to create an inventory to define the basis of third-party risk and, thereby, perform the requisite due diligence required.
Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. The information that you gathered in Steps 1-Business Justification and 2-Questionnaire of the third-party management process should provide you with the initial information to consider the level of due diligence needed. This leads to Step 3 of the third-party management process: due diligence. The 2020 Resource Guide stated, “as part of risk-based due diligence, companies should understand the qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”
Three key takeaways:
- Risk rank your third-parties and use this as a basis to begin with an adequate level of due diligence.
- Any red flags which appear must be cleared and there must be documented evidence of such clearance.
- There must be documented evidence of review of the due diligence.