Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Questionnaire

The next step in the five-step process is the questionnaire. The term ‘questionnaire’ is mentioned several times in the 2020 FCPA Resource Guide. It is generally recognized as one of the tools that a company should complete in its investigation to understand better with whom it is doing business. The questionnaire should be mandatory for any third party that desires to work with your company as it mandates the proposed business partner commit to the required information in writing before beginning the due diligence process. Remember, if a third party does not want to fill out the questionnaire or will not fill it out completely, you should not walk but run away from doing business with such a party.

One of the key requirements of any successful compliance program is that a company must make an initial assessment of a proposed third party. The size of a company does not matter, as small businesses can face significant risks and will need more extensive procedures than other businesses facing limited threats. The level of risk that companies face will also vary with the type and nature of the third parties with which they may have business relationships. For example, a company that appropriately assesses that there is no risk of bribery on the part of one group of its third parties will require nothing in the way of procedures to prevent corruption in the context of those relationships. By the same token, the bribery risks associated with reliance on a third-party agent representing a company in negotiations with foreign government officials may be assessed as significant and, accordingly, requires much more in the way of procedures to mitigate those risks.
The questionnaire fills several vital roles in your overall management of third parties. It provides key information you need to know about who you are doing business with and whether they can fulfill your commercial needs. Just as important is what is said if the questionnaire is not completed or is only partially completed, such as the lack of awareness of the FCPA, U.K. Bribery Act, or anti-corruption/anti-bribery programs generally. Lastly, the information provided (or not provided) in the questionnaire will assist you in determining what level of due diligence to perform.

Three key takeaways:

  1. You must have enough information to fully identify the owners, UBOs, and related parties to determine if there is foreign official involvement.
  2. All commentary on best practices compliance programs requires questionnaires.
  3. If a third party refuses to fully respond to your questionnaire, run and don’t walk away from the proposed relationship.
Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Questionnaire and Due Diligence

Are you considering a third-party questionnaire for your organization? With so much debate around what should be asked, and how detailed you should be, it can be hard to know where to start. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the third-party questionnaire and I am joined by Stephanie Font, the director of the Operations Optimization Group at Diligent as we discuss third party questionnaires and due diligence investigations.

With so much debate around what should be asked in your questionnaire and how detailed your questionnaire should be, it can be hard to know where to start. It is important that every compliance professional understand your risk profile to all crafting of the right due diligence process to ensure compliance. Here are the steps you need to follow to also get compliance and  risk.:

  1. Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.
  2. Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.
  3. Documenting: Keeping records of the due diligence investigations to be used in the future.

Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.

The first step to managing third parties is to create a questionnaire to gather basic information about the third party and what regulations need to be complied with. When creating the questionnaire, it is important to understand the organization’s risk model and what it is trying to achieve. The questionnaire should be tailored to the specific risk factors the organization is trying to address, as well as the regulations that need to be complied with. Questions should include items such as the size of the company, where they do business, and the type of relationship they have. Additionally, the questionnaire should ask questions that will alert to any potential risk factors, such as if they do business in a highly sanctioned country. Once the questionnaire is sent and responses are received, the answers can be used to inform the next step of the due diligence process. Your third-party risk management system should automate some of the process by flagging risk factors and indicating what level of investigation is needed. Lastly, it is important to document the process and create an audit trail that can be used for various reasons, such as compliance and internal review.

Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.

The second step of third-party due diligence is the due diligence investigation. This step involves investigating the third party based on their answers to the questionnaire and other risk factors. The best approach to this investigation is to first understand the company’s risk and what it is trying to accomplish. This allows the company to create a risk model and tailor the questionnaire to fit their needs. The questionnaire should include questions about the size of the company, where it does business, and other risk factors that may arise. After the questionnaire is complete, the next step is to assess the risk factors and determine the appropriate level of investigation needed. This could range from a baseline screening for sanctions list and other global databases to an enhanced due diligence investigation which involves boots on the ground to ask questions about the company’s reputation and verify a manufacturing site. Additionally, it is important to document the process to create an audit trail for internal stakeholders and regulators. This process should be tracked in a third-party risk management system to ensure everything is done correctly.

Documenting: Keeping records of the due diligence investigations to be used in the future.

Documenting is an important step in the due diligence process, as it helps to create an audit trail of the activities and decisions that were taken. When it comes to due diligence, it is important to keep records of all investigations that were conducted, as these records can be used in the future to defend any decisions that were taken. This allows for all the necessary information to be stored in a secure location and can even track any changes or updates to the investigations over time. Additionally, the system can be used to flag any potential risks that come up in the investigations, and it can also automate the process of deciding which type of investigation is necessary based on the risk model. Finally, it is important to keep all documents related to the due diligence process, such as the questionnaire, investigation reports, and any other relevant documents, to create an audit trail and ensure that all compliance regulations are met.

Third party due diligence is a crucial part of any compliance program. A thorough questionnaire and a detailed due diligence investigation can help organizations to mitigate risk and ensure compliance with applicable regulations. Additionally, it is important to document the process, as this creates an audit trail that can be used in the future. With the right tools and processes in place, organizations of any size can successfully manage third party risk and create a robust compliance program. With the right information and guidance, you too can create a successful third-party due diligence process for your organization.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Stephanie Font on the podcast series here.