Skip to content


Creating an Efficient Due Diligence Process – Tearing Down Silos

By Michael Volkov (Updated )

The pandemic has disrupted every organization, aiming a giant spotlight at breakdowns in the supply chain. It has become clearer than ever that management of vendors, suppliers, and other third parties is business-critical. Meanwhile, the regulatory, reputational, and financial risks that third parties can expose an enterprise to are higher and even more heavily scrutinized than in the past. The U.S. Department of Justice (DOJ) released a revised version of its “Evaluation of Corporate Compliance Programs” guidance in June 2020 in which it indicated that it would be taking a hard look at whether organizations are adequately resourcing programs, empowering them to function effectively. The DOJ furthermore signaled that compliance programs must have the necessary resources to accomplish its goals, but also have a seat-at-the-table – meaning it must be elevated to the same levels as other prominent departments. This empowers the compliance department to be respected and integrated into the business, giving it the ability to accomplish its goals.

Despite the elevated risk, most organizations are admittedly failing to deliver third-party risk management (“TPRM”) programs that meet business or regulatory expectations. Many of these programs are doomed to fail because they’re not actually “programs” at all: due diligence is fragmented, and risk is managed in “silos.”

What are business silos?

Silos, or autonomous units, exist in most organizations; Oftentimes different departments do different, yet similar things, with little to no collaboration between them. These silos exist across the typical enterprise, with various departments (legal, sales, HR, finance, compliance) handling localized risks in isolation. These specialized silos allow departments the depth and functionality for improved efficiency and broad-spectrum growth. For example, the finance department might focus on liquidity risks whereas the IT department deals with security threats and privacy concerns, and customer service deals directly with the end customer.

The experts in each area can better detect the relevant risks in their own departments, but aren’t aware of risks that other departments are seeing in relation to the same third parties. Most departments can detect their own risks on their own, however they cannot always see the “big-picture,” leading to possible risks going undetected elsewhere. This can lead to a whole host of problems, from inadvertently missing big-picture risk management to duplicating risk management efforts.

When there is no comprehensive overview of risk management, information is not adequately shared over organizational boundaries, and major threats are missed. These threats run the gamut, from financial losses to data leaks to other issues that could create serious legal problems. When different areas do not collaborate with each other and information is not communicated between employees, an increasing knowledge gap increases the probability that someone will make a costly mistake. Operational silos can cause other issues as well. When departments do not communicate well with each other, they may end up taking different approaches to the risks they accept. At the end of the day, business involves risk – the question is how much a company is willing to accept. Major issues can occur if one department accepts more than another may be anticipating, such as slow response times or lack of a unified response. Taking decisive action is therefore made difficult in an environment siloed by function and department.

Business silos and risk management

Silos ultimately make it difficult for a company to fully understand – and by extension, manage – the risks that they may be facing. Furthermore, these silos can lead to decreased efficiency when multiple parties end up duplicating risk mitigation efforts, while letting other necessary procedures go unaddressed. With no framework for bringing it all together, poor visibility into the organization’s relationships makes it difficult to make intelligent judgments about third-party risk and performance. The problem with silos is that organizations that are heavily siloed too often miss the “big picture.” As such, this impacts planning and strategy by failing to account for various risks. Thus, the organization is missing out on the potential to make compliance and risk-management a competitive advantage.

Forward-thinking, competitive, and successful organizations address third-party risk management with an integrated strategy, process, and architecture to manage the ecosystem of third-party relationships with real-time information about third-party performance, risk and compliance, and how that impacts the organization as a whole. This strategy reflects positively in the organization’s bottom line.

Using technology to create an efficient due diligence process

Leveraging technology, third-party risk management workflows can be combined with other operational workflows in one platform, thereby consolidating various tasks and processes, streamlining operational efficiency, reducing the manual burden on employees, and improving organizational culture. Harmonizing and automating multiple siloed processes into one platform or technology can make the process far more effective and efficient. This integrated approach provides an organization the “big picture” perspective, synthesizing the management of risks into the very fabric of the organization.

For example, technology solutions give organizations the ability to customize platforms that double as vendor/supplier management, allowing on-boarding of and transactions with third parties. Centralized solutions will give organizations the ability to identify potential high-risk third parties and activities in real-time, before they impact business. External data sources can also be integrated with the platform and leveraged to provide real-time information. For example, where due diligence exposes certain risks in doing business with a third-party only in certain limited circumstances, that information is vital for other parts of the business other than compliance. If the information is only visible to compliance, that doesn’t stop finance, for example, from making a payment to third-party in that limited circumstance where it was prohibited. An integrated platform, however, could alert finance in real-time, stopping a payment that could otherwise put the entire organization at risk. All stakeholders will see the benefits of having a system that can quickly provide the necessary information to make proper decisions when they’re required.

How integrated compliance management platforms create efficient due diligence processes

By implementing inter-departmental coordination via one shared platform, bridges are created between the silos, further securing big-picture assessment. Companies should create procedures to escalate critical risks up the chain of command in a timely fashion. Those risks should further be conveyed to all departments, as needed, which can be accomplished through an effective platform.

Integrated platforms have a multitude of other functions. For example, technological solutions can help ensure that the mountain of data faced by the organization is accessible, reliable and fit-for-purpose, unlocking information and insights for timely, informed decision-making. Automation, too, can prove to be a critical component of any TPRM. It’s inefficient to have scarce and often expensive resources managing tasks and processes that could be automated, and means that more important things can get left behind. Better automation means better business workflow management. Systems can automate much of the process including triggering actions, routing, notifications, communications, scoring inherent risk, tiering, and triggering escalations. This allows for much of the heavy lifting to be already done, ensuring that focus of precious human resources can be on the more strategic elements of the program.

Forward-thinking organizations value their relationships, realize the power of an effective TPRM, and understand that effective third-party relationships lead to resilient, successful businesses. Silos within a business can cause blind spots, or otherwise create risks that can negatively impact an otherwise effective organization. These internal risks can sometimes be even more problematic than risks from outside the organization, as they can remain unknown or ignored until they grow too large to control. Through coordination in a single platform, an organization can effectively mitigate risk at every stage for sustained growth. For companies looking to take their risk management practices to the next level, reaching not only compliance but also adding strategic value, an integrated TPRM leveraging technological solutions is the way to go.

Michael Volkov

Michael Volkov specializes in ethics and compliance, white collar defense, government investigations and internal investigations. Michael devotes a significant portion of his practice to anti-corruption compliance and defense. He regularly assists clients on FCPA, UK Bribery Act, AML, OFAC, Export-Import, Securities Fraud, and other issues. Prior to launching his own law firm, Mr. Volkov was a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).

Implement a tailored Third-Party Risk Management solution

View platform

Related reading

Join the E&C Community

Get the latest news from GAN Integrity in your inbox.

We respect your privacy. Your data will be kept confidential and will not be sold or shared with third parties. For more information, please see our Privacy Notice.