Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 2: Stephanie Font on Questionnaires and Due Diligence

Welcome to a special 5-part podcast series sponsored by Diligent, in which we consider a risk-based approach to third-party risk management. Over the series, I visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management; and Alexander Cotoia, Regulatory Compliance Manager from the Volkov Law Group. In this Part 2, I visit with Stephanie Font on evaluating potential third parties through questionnaires, determining the due diligence investigations necessary to comply with regulations, and using questionnaires to uncover the truth.

Why is it important to understand the applicable regulations and risk factors when creating questionnaires to support due diligence? By understanding the risk model and the specific regulations the company must comply with, it becomes easier to create effective questionnaires. Stephanie also found that a due diligence risk management system can automate some of the process and flag potential risk factors. Through questionnaires and due diligence, Stephanie learned how to effectively document and investigate potential third parties.

Key Highlights

  • How questionnaires can be used to comply with regulations and inform a risk model.
  • How due diligence investigations can help to uncover risk factors in a potential third party.
  • How a third-party risk management system can automate parts of the process.

Notable Quotes

  1. “Knowing what you’re trying to comply with and thinking of those questions that are going to get you there is probably the top thing.”
  2. “Don’t lose your common sense and listen if your gut tells you something’s wrong.”
  3. “Documentation is key to creating an internal audit trail and having something to show to regulators.”
  4. “Know your own risk model and build the risk model into the system to flag any potential risk factors.”

Resources

Stephanie Font on LinkedIn

Check out Diligent’s 3rd party products and services here.

31 Days to More Effective Compliance Programs

Day 18 | Levels of due diligence


Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.
The 2020 Update stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
The question becomes how you use the information obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-level approach, with varying depths of due diligence, is the appropriate analysis going forward.
There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II and III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.
Three key takeaways:

  1. A Level I due diligence should only be used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.
  3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

Popcorn and Compliance

The Empire Strikes Back – Darth Vader and Due Diligence


In honor of David Prowse, the original actor portraying Darth Vader, I am running a podcast series this week on the intersection of compliance and Star Wars. Second in our series on compliance through the lens of Star Wars is Episode V – The Empire Strikes Back, which is my personal favorite of the original three movies. The film begins with a cool battle on the ice planet of Hoth and has some great HR lessons as Darth Vader executes officers for workplace failures; demonstrates some dangers involving ineffective training for Luke Skywalker on the tropical planet of Dagobah, where he travels to learn under the Jedi master Yoda, who utters the immortal line “Try not! Do, or do not. There is no try”; and ends in Cloud City, a floating gas mining colony in the skies of the planet Bespin run by Han Solo’s old buddy, Lando Calrissian. It also has one of the greatest movie lines of all time, thundered by Darth Vader to Luke Skywalker near the end of the film. Today, we consider it for the continued issue of due diligence.
Solo and Calrissian go way back and Solo trusts him. Of course, Solo won his starship, the Millennium Falcon, in a card game from Calrissian, but it was never clear just how legit the card game had been. Unfortunately for Solo, he was followed to Cloud City by bounty hunter Boba Fett, who alerts the Empire to Solo’s location. Solo’s friendship with Calrissian is sorely tested when Vader and his Imperial troops arrive, take Solo, Chewbacca and Princess Leia prisoner and torture them to entice Luke to come to save his friends. During the climactic battle between Luke Skywalker and Darth Vader, there is the BIG REVEAL where Vader utters the immortal line, “I AM YOUR FATHER”.
I thought about these last two points, in the context of knowing who you are doing business with under the FCPA or UK Bribery Act. I once heard a company President say he did not need to perform due diligence because he looked a man in the eyes and that was enough to know if he was honest. (I should add, this President also evaluated the strength of a handshake as an additional level of due diligence.) Hopefully we have moved past this level of sophistication for due diligence and its evaluation thereof.
One of the areas I still receive questions about is the different levels of due diligence. I break due diligence down into three stages: Level I, Level II and Level III.
Level I consists of checking individual names and company names through several hundred global watch lists comprised of anti-money laundering (AML), anti-bribery and sanctions lists, coupled with other financial corruption and criminal databases.
Level II encompasses supplementing Level I due diligence with a deeper screening of international media, typically the major newspapers and periodicals from all countries, plus detailed Internet searches.
Level III is an in-country ‘boots-on-the-ground’ investigation and is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and, more importantly, unknown conditions.”
Now imagine if Luke had performed a more robust level of due diligence on Darth Vader. Would he have been able to find out Darth Vader was his father? Perhaps not, but then again, we might not have heard that seminal line “I AM YOUR FATHER”.
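To make the Level I/II/III tiering concrete, here is a small added example (not code from this blog, from Diligent, or from any screening vendor) that encodes the risk model described in this post and in the "Levels of due diligence" post above: a normalized-name screen against a watch list as the Level I baseline, escalation to Level II for high-risk jurisdictions or government touchpoints, escalation to Level III whenever a red flag (including a watch-list hit) remains uncleared, and an audit record of every reason behind the decision. The watch-list entries, jurisdictions and questionnaire answers are constructed placeholders; the `Questionnaire` fields, the suffix list and the helper names are my own assumptions, not anything a particular product exposes.

```python
"""Toy risk-based due diligence tiering (added example, constructed data)."""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field

# Constructed placeholders: none of these entries or jurisdictions are real.
# A production program would screen against licensed AML/sanctions lists.
WATCH_LIST = ["ACME Trading Ltd", "Jane Q. Sample"]
HIGH_RISK_JURISDICTIONS = {"country x", "country y"}
# Corporate suffixes dropped during normalization (assumed list, extend as needed).
CORPORATE_SUFFIXES = {"ltd", "limited", "llc", "inc", "corp", "gmbh", "sa", "plc", "co"}


def normalize_name(name: str) -> str:
    """Fold accents and case, strip punctuation and corporate suffixes so that
    'ACME Trading, Ltd.' and 'Acme Trading Limited' compare equal."""
    folded = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in folded if not unicodedata.combining(ch))
    tokens = re.sub(r"[^a-z0-9]+", " ", plain.lower()).split()
    return " ".join(t for t in tokens if t not in CORPORATE_SUFFIXES)


@dataclass
class Questionnaire:
    """Answers gathered from the third party and the business sponsor (assumed fields)."""
    party_name: str
    jurisdiction: str
    interacts_with_government: bool = False
    red_flags: list[str] = field(default_factory=list)


def screen_watch_lists(party_name: str, watch_list: list[str] = WATCH_LIST) -> list[str]:
    """Level I screen: report watch-list entries whose normalized form matches."""
    key = normalize_name(party_name)
    return [entry for entry in watch_list if normalize_name(entry) == key]


def recommend_level(q: Questionnaire) -> dict:
    """Apply the risk model and return an audit record: the recommended level,
    every reason that drove it, and the raw screening hits. Keeping the reasons
    is the 'Document, Document, Document' part: the record is what you show to
    an internal auditor or a regulator later."""
    hits = screen_watch_lists(q.party_name)
    red_flags = list(q.red_flags)
    if hits:
        red_flags.append(f"watch-list hit: {hits}")  # a hit is itself a red flag
    reasons: list[str] = []
    high_risk = q.jurisdiction.lower() in HIGH_RISK_JURISDICTIONS

    if red_flags:
        # Level III: uncleared red flags call for an in-country investigation.
        level = 3
        reasons.extend(red_flags)
        reasons.append("uncleared red flags require boots-on-the-ground review")
    elif high_risk or q.interacts_with_government:
        # Level II: high-risk setting but nothing to clear, so media and web screening.
        level = 2
        if high_risk:
            reasons.append("high-risk jurisdiction")
        if q.interacts_with_government:
            reasons.append("third party interacts with government officials")
    else:
        # Level I: low corruption risk, watch-list screen is sufficient.
        level = 1
        reasons.append("low corruption risk: watch-list screen only")

    return {"party": q.party_name, "level": level,
            "reasons": reasons, "watch_list_hits": hits}


if __name__ == "__main__":
    # Constructed questionnaires exercising each tier.
    for q in (Questionnaire("Blue Widget Co", "Country Z"),
              Questionnaire("Blue Widget Co", "Country X"),
              Questionnaire("ACME Trading, Ltd.", "Country Z"),
              Questionnaire("Blue Widget Co", "Country Z",
                            red_flags=["requests payment to a third-country account"])):
        print(recommend_level(q))
```

The normalization step matters more than it looks: a screen that compares raw strings lets "ACME Trading, Ltd." slip past an entry recorded as "ACME Trading Ltd", which is exactly the kind of gap a regulator will ask about. Real programs go further (transliteration, fuzzy matching, date-of-birth and address corroboration), but the structure of the decision and the audit record stays the same.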

Compliance and Coronavirus

John Fanning on the Increased Need for Due Diligence During Covid-19


Welcome to the newest addition to the Compliance Podcast Network, Compliance and Coronavirus. In this episode, I visit with John Fanning. He is a long-time player in the compliance space, and John recently joined Integrity Risk International. We discuss his move over to IRI and then take a deeper dive into third-party due diligence in the time of Coronavirus.
Some of the highlights include:

  • Why are due diligence services even more important in the era of Covid-19?
  • What are Three Important Due Diligence Technology Innovations?
  • Due diligence is broader than simply FCPA compliance; for instance, what is the role of DD in ‘Green Risk’?
  • What are some of the other services IRI provides?

For more information on Integrity Risk International, click here.
For more information on John Fanning, check out his LinkedIn profile here.