Skip to content

What is Third Party Due Diligence? Everything You Need to Know

Click on a section below to skip ahead if there’s a specific topic you would like to learn more about:

  1. What is Due Diligence?
  2. Why Due Diligence is Top of Mind
  3. What is Third Party Due Diligence
  4. Ten Golden Rules of Due Diligence
  5. 6 Logical Steps to Getting Started in Third Party Due Diligence
  6. Levels of Third Party Due Diligence
  7. What is Enhanced Due Diligence?
  8. What is a Due Diligence Review?
  9. Due Diligence Workflow Automation
  10. Build an End-to-End Due Diligence Solution
  11. Transform Your Compliance Program

What is Due Diligence?

Broadly speaking, due diligence is a deep dive investigation into a certain topic, organization, or person. As it relates to compliance, the term most often refers to third party due diligence or due diligence on a specific individual.

Conducting due diligence allows compliance teams to make more informed decisions about who they do business with and in what capacity. It’s also an essential function for organizations to understand their potential liability under anti-corruption laws and other legislation.

Due diligence is typically carried out prior to engaging in a formal agreement but ongoing monitoring is also essential to keep up with ever-changing risk factors. Initial due diligence might also provide an opportunity for the compliance team to put mitigation activities in place in an attempt to lower the risk exposure of working with higher risk third parties or individuals or ones that will directly be representing your organization.

Due diligence is a wide-reaching topic and critical piece of the compliance puzzle.

Why Due Diligence is Top of Mind

Taking a step back, there are many reasons why due diligence has taken center stage:

  • Businesses are continuing to expand and enter new global markets.
  • The regulatory environment continues to grow, touching data privacy, sanctions, export controls, and money laundering. In short: modern legislation goes way beyond corruption.
  • Executive boards are recognizing the criticality of compliance, are starting to understand the advantages of being compliant, and have a deeper understanding of compliance than in the past.
  • Regulators and enforcement agencies are more educated than they have ever been about what resources are available to compliance teams. This knowledge has caused their expectations to increase drastically for how companies manage their compliance programs.

For these main reasons, organizations and compliance officers alike have prioritized the efficiency and accuracy of their due diligence process.

(jump to top)

What is Third Party Due Diligence

At its core, third party due diligence is independent investigative work conducted either by using primary and secondary resources remotely or by conducting more investigatory assurance locally. In both cases the goal is to gather vital information that either sheds light on new red flags that require risk assessment or comfort that your third party is reputable.

The Foriegn Corrupt Practices Act (FCPA) also plays a large role in third party due diligence becoming such an essential function of the compliance team. To put in perspective, more than 90 percent of all FCPA enforcement actions over the last forty years have been linked to the misconduct of third parties. These staggering numbers have motivated compliance teams and boards alike to prioritize third party due diligence in hopes of reducing organizational risks and the potential for fines.

Third party due diligence, as any compliance process, is not one-size-fits-all. The unique attributes of organizations including the regions in which they operate, number of third parties, where the third parties are located, and the wide-variety of risks associated with those third parties, often dictate what the internal process looks like. With that said, there are some common elements that most programs lean on when building a third party due diligence strategy.

(jump to top)

Ten Golden Rules of Due Diligence

While there are many best practices around third party due diligence, few offer a structured checklist of the essentials your program must have. Below are the ten golden rules of third party due diligence. If you follow these rules your due diligence process will thrive. Use these as a guiding light to steer your program in the right direction.

  1. Consider a wide variety of risk factors, specific to your organization.
  2. Stress test your risk factors and their weightings.
  3. Create dynamic workflows rather than linear.
  4. Don’t rely on database screening alone, integrate human-led due diligence.
  5. Align due diligence process with broader risk framework.
  6. Communicate your company’s risk tolerance and be transparent with third parties.
  7. Leverage technological solutions to support processes.
  8. Strike the right balance between a centralized process and decentralized teams.
  9. Out-source to patch gaps in internal knowledge.
  10. Take advantage of workflow automation technology.

(jump to top)

6 Logical Steps to Getting Started in Third Party Due Diligence

If your organization is implementing a due diligence process for the first time, or is revamping an existing process, finding the best way to get started might sound like a simple task, but in reality it can be quite complicated.

How does a compliance program even get started on something like this? Let’s break down the answer into six logical steps.

I. Find the third parties you currently have

Your company works with third parties, possibly lots of them. You could ask the accounting team, “Send me a list of all parties that receive payments from us,” although that might return more parties than the compliance department needs to worry about. Another route would be to ask leaders of business operations teams to give their lists of resellers, local agents, joint venture partners, and so forth; if the company has a strong culture of compliance and you trust that they’ll tell you the truth. Identifying your current third party population will help you understand the scope of this project.

II. Know your organization’s risks

Anti-corruption risks are one obvious concern but third parties can also bring up issues around money-laundering, trade sanctions, antitrust, or cybersecurity risk. Really, you want to understand your own organization's regulatory and compliance obligations, regardless of any third parties—and then understand how your use of third parties magnifies those risks.

III. Identify your high-risk regions

Various groups rate countries around the world on their corruption risk. In any country with high corruption risk, you can assume local agents and other third parties in those countries are also high-risk. That is where you will likely need to perform more rigorous due diligence.

IV. Understand the current due diligence processes

The truth is that your organization already does at least some due diligence, even if it’s only a sales executive asking the reseller to correctly spell his or her name for a paycheck. Talk to people in the finance and accounting functions about how third parties get paid and talk to people in procurement or business functions about how third parties are selected.

Recall the company’s risks from Step 2, and ask: “What can we do right now to lower the chances these transactions trigger a risk?” (Pro tip: Prepare for much staring at shoes.)

V. Learn about the current reporting processes

Again, your organization already does at least some reporting about its transactions with third parties, even if that reporting is scattershot discussion via email and phone calls, with no aggregate analysis. The point here is simply to understand what the company’s current process for third-party due diligence is, even if—especially if, really—the current process is not up to par.

VI. Start to think about improvements and automation

Only when the compliance officer has a complete, clear-eyed understanding of the current third party due diligence process, can you then begin considering how to improve the situation. Almost always, that improvement will involve some automation of due diligence tasks. That could be integrating background checks from outside sources, or automating the collection of certifications from third parties, or implementing new rules to block payments to any third parties that haven’t completed due diligence (more on automation in a later section).

(jump to top)

Understand the Bigger Picture

The six steps above are natural candidates for a gap analysis: studying the difference between what regulations require your business to do to manage risks, and what your business actually does to manage risks. If this is your first time approaching third-party due diligence, that’s how you start. You perform a gap analysis.

Improving third party due diligence is really about understanding workflows within your organization. As we said, your business already does at least some due diligence, if only to find a third party and pay it to do something on your company’s behalf. Whatever that process is—that’s a workflow. It might be inadequate and arbitrary and invite all sorts of risk to your organization, but it’s there.

Then comes the process of improving that workflow. Compliance officers need to think practically about how to do that because lots of improvements make great sense in theory but fail in practice. If you impose manual, time-consuming tasks, employees won’t do them. If you start by blocking all payments, they’ll find workarounds. If you don’t consider how to automate reporting, you’ll never fully understand whether your third party due diligence program works.

That’s why technology, specifically automation, is so crucial to improving due diligence. It can put more power into the workflow, without additional burden or disruption falling on employees that could cause them to try and evade compliance. Plan it well, and your automation of third party due diligence will make workflows easier for employees while also reducing compliance risks for the business.

Levels of Third Party Due Diligence

When conducting third party due diligence it’s essential to conduct the right amount of due diligence. Let’s start by mapping due diligence in relation to all other key third party risk management activities.

Note that after the initial risk assessment that subsequent activities continue to form an ever-changing profile that may or may not increase or decrease an entity’s risk levels.

Let’s say your organization wants to categorize third parties into three levels of due diligence based on risk. Below we introduce all three phases but will have extra emphasis on Level II (often a missing component) which can be described as your Ronald Reagan “trust but verify” phase. These Level II activities should be conducted at various intervals, depending on risk factors on your third parties in relation to your company’s risk appetite. Although some companies use different delineations for which activities constitute a tier of work, here is an example of one way to tier your third party due diligence.

Third Party Due Diligence - Level I


  • Gather new or revised third party information for purposes of bribery and corruption (among other areas) risk.
  • Ensure third parties and their key associated parties are clear from inclusion on global watchlists.
  • Determine level of risk and appropriate actions to take should a third party be included on a watchlist.
  • Research based on risk, beneficial owners, shareholders, and executive management for inclusion in watchlist screening.

How to Execute

  1. Disseminate third party questionnaires and risk scoring based on results of responses and support provided.
  2. Compare all third parties to relevant watchlists.
  3. Identify high risk entities for extended screening.

Related Activities

  • Automate continuous watchlist screening.
  • Manual false positive identification and clear with reasons codes.
  • Difficult to resolve potential matches requiring escalated to the Chief Compliance Officer and likely Level II due diligence.
  • Extended party (beneficial owners, corp. family, directors, C-level execs) identification and watchlist screening.

Although some companies categorize restricted party or watchlist screening as monitoring, we consider monitoring in context to the business and due diligence to consist of external information gathering to ensure no red flags exist; and when possible from independent resources. Since watchlists are created by both government and non-government organizations that are related to bribery and corruption, drug and human trafficking, money laundering, terrorist activity and other legal violations; any match is essentially based on external research.

This matching exercise is automated and relies on analysts to determine if matches are legitimate or not, so we consider this to be a basic level of due diligence.

Third Party Due Diligence - Level II

Level II due diligence, is analyst driven and uses technology across a wider spectrum. This second level is designed to look wider and dig deeper to gather enough information to provide reasonable assurance that there are no red flags or issues that can or may lead to regulatory or reputational risk for your company.


  • Ensure third parties do not present a risk of bribery and corruption (FCPA and UK Bribery Act most notably), other regulatory (i.e. modern slavery), or reputational risk through independent research.
  • Issue a formal report to the compliance team and greater organization for review.

How to Execute

  • Engage in due diligence using open source and subscription services to conduct reasonable independent research and analysis on third parties on the basis of risk.

Effectively performing this research requires skilled researchers, analysts, or paralegals who will utilize expert search software by firms to aggregate vast global databases of free available and subscription-based public records. The goal is to conduct thorough but not necessarily exhaustive research for relationship assurance purposes.

The beauty in conducting this level of research on an entity is that you are employing available resources to widen your investigative parameters (and the capability of leveraging these activities for non-FCPA and UK Bribery Act purposes), covering data protection, modern slavery, export control and commercial risk detection for instance. However, this is not to be substituted for enhanced due diligence, when the risk calls for it.

So how much due diligence is enough and what factors should we be looking at?

Level II research consists of:

1. Company Profile

Company name and known trade names are researched. What business the target entity engages in and how it relates to the organization. Locations, employee base, and industries, among others, of target, factor into the overall risk assessment that is being built.

2. Corporate Structure

Subsidiaries which may include acquisitions. For instance, a vendor in the domain name space out of Australia was acquired by a US company, thus changing how an organization l would be able to manage work for its non-US customers going forward given the US sanctions difference from the UK and EU. Although not a FCPA issue, it was a sanction compliance matter that was picked up and raised to the business for action.

3. Beneficiary Ownership

Often a critical element when looking at smaller private firms in that an undisclosed beneficiary owner could be a money launderer or involved in other corrupt activities. This can require looking at corporate registration in the jurisdiction where the third party conducts business. This can sometimes be performed remotely via desktop, but could depending on which country, require feet on the ground walking into a government office. This is what we classify as a level III Enhanced Due Diligence activity.

4. Corporate Registry

Can be a key to the kingdom in a sense that information required for filing in a jurisdiction may be contradictory to what a third party is telling you. It can also reveal ownership percentages and how corporations are organized. Some countries like China and Singapore are on line, Hong Kong requires an online payment and Indian sole proprietorships have no registration requirements.

5. Enforcement Actions and Litigation

These clearly let you know whether your target is officially involved in either of these two legal actions; the latter could be criminal but also civil involving claims by the target or against them. We once had a company on a level III on-site audit tell our auditor they had no litigation over the past 3 years, but research determined there had been a settled case. We of course had to include this as an integrity concern on the report.

6. Watchlist and PEP Screening

Formal results are included in the report for assurance purposes. This screen though will include extended parties identified in steps 1 and 2 above.

7. Negative Media and Social Media

Anything formally published in all print publications that have been digitized or web-based reports are screened for any red flags of corruption. Because in some countries the available media is in another language, you may have to use a source to translate. Some services do this for you. Doing this level of research is necessary if there already is a red flag of some sort, the entity is small and the only available media is in the local language. Depending on risk level, 1 to 5 years of media reports is required. This can be the most time-consuming exercise, especially on UK, EU and US public companies where there is a wealth of information available. Social Media can be useful but you must consider the source of the information provided. Usually, patterns of negative chatter may be worth noting and can either lead to increased monitoring and more frequent level II reports.

8. Location and the Corruption Perception Index

This can just as easily be included in the company profile section. We elected to look at location risk in relation to the Corruption Perception Index published by Transparency International separately because it’s a risk not related to the company itself and centered on the location(s) the firm is based or operating in. Although the location element often drives the initial overall risk rating higher; the results of a due diligence report could be used to reassess the overall level going forward.

The finished product is captured in a due diligence report, whether it be on a person or any sized company, which demonstrates that a thorough review has been carried out using the best resources to capture available public data that will either give assurance that there are no needs for concern or that raises red flags that require compliance and or business action.

Level II Due Diligence reports are designed for easy digestion of facts which are beary of a target third party outside of the company website.

If lacking foundational or any information at all; a decision then needs to be made in the absence of any other internal red flags whether to obtain assurance conducting a local visit to the third party’s headquartered or satellite location to gather the foundational information through enhanced due diligence. Thus leading us to Level III of the program.

Third Party Due Diligence - Level III


  • Ensure third parties do not present a risk of bribery and corruption, other regulatory (i.e. modern slavery), or reputational risk through local research, interview and or on premises audit.

How to Execute

  • Conduct enhanced due diligence consisting of local or onsite validations of third party integrity, reputation, corporate registration, and compliance with anti-bribery requirements.

Although the areas reviewed are essentially the same, enhanced due diligence is the gathering of greater primary evidence on the ground locally consisting of:

  • Verification of local business registrations
  • Obtaining references via related party interviews
  • Accessing information from Chamber of Commerce
  • Reviewing local legal records
  • Identifying local litigation or law enforcement issues
  • Searching and reviewing local open source records
  • An on-site audit of third party

Your organization might have other mitigating controls in place with its IP agents, including agents taking customized anti-bribery training and participating in annual meetings held by our agent management team. However, these assignments are rarely conducted in the absence of red flags.

When necessary it is vital to engage an internal auditor who is skilled and experienced in conducting local research and while on site to conduct a bribery and corruption audit to ensure integrity in what has been presented to our firm from the point the relationship was developed.

Ultimately the goal is to create a defensible record that in case the regulators, or even angry customers, come knocking on your door accusing your company of turning a blind eye you can demonstrate you took due care in taking more than reasonable steps to detect any visible red flags in your third party relationships.

Although a portion of the program does sometimes act as a “check the box exercise” coupled with the other internal activities companies should undertake, your program can prevent bribery or association with corrupt parties.

To learn more about how to risk rate your third parties, download A Compliance Officer’s Guide to Third Party Risk Rating eBook or watch the on-demand webinar. These resources serve as a robust guide to understanding the risks your third parties present, creating a systematic and scalable approach to properly managing third parties, and discovering the valuable role automation plays in the process.

(jump to top)

What is Enhanced Due Diligence?

Due diligence is such a big, crucial part of what corporate compliance functions do that lately we’ve even created a whole new branch of it: enhanced due diligence.

At its simplest, enhanced due diligence is the additional screening that a company should perform on high-risk third parties, to gain the best understanding possible of their identities and the compliance risks they might pose to your business.

The concept is useful across a wide range of industries. For example, any business partners who have close ties to foreign governments (politically exposed persons or PEPs) would qualify as high risk under the FCPA. So performing enhanced due diligence on those persons or businesses would make a lot of sense. In financial services, customers who conduct transactions through shell companies or off-shore tax havens would also fit the description.

An important point for compliance professionals to understand, however, is that enhanced due diligence is the second phase of screening, for a specific subset of third parties.

That is, all third parties should undergo basic due diligence, where they provide sufficient biographical documentation that your company can independently prove the party’s identity. That first step helps your company to identify the high-risk third parties. Then comes enhanced due diligence, to understand exactly how high that risk is, and to understand what controls should be put in place to reduce the compliance risks that party might pose to your company—including, potentially, the control of not doing business with that customer at all.

(jump to top)

The Foundation for Enhanced Due Diligence

First, a company needs to define the criteria that would qualify a third party as high risk. No authoritative list of those criteria exists, but most are common sense in the land of compliance officers. For example:

  • Does the person come from a country at high risk of corruption generally, such as those countries flagged by the Corruption Perceptions Index?
  • Does the person come from a country known to have weak rules against money laundering, labor standards, tax avoidance, or similar misconduct?
  • If the party is a business rather than a person, are any of its senior officers or beneficial owners (anyone who owns or controls 25 percent or more of the firm) on any watch lists? What about specially designated nationals, politically exposed persons, or so forth?
  • Does the party (either a person or a business) conduct much banking through offshore financial centers or private banks, where transparency standards might be lower?
  • Does the party work in a cash-intensive business: gold trading, fine art, legalized cannabis, and the like?

You get the idea. Enhanced due diligence should be risk-based, where a third party that hits more of those criteria gets more attention. Your organization might even have specific criteria unique to your industry or another variable that you screen for. It’s not any different than the due diligence companies have performed for years—just more of it, done more thoughtfully.

Enhanced Due Diligence in Practice

So what extra documentation should a company seek when performing enhanced due diligence? Again, there’s no definitive list. The better approach is to ask, “What evidence can help me verify this party’s true intentions, and the compliance risk he or she brings, given the transactions we want to do?” Then go about collecting those materials.

Some of that evidence can be found independently: corporate registration documents or articles of incorporation, for example, which ideally will be available through some public registry. You’ll always want to collect such evidence from trustworthy, independent sources, to confirm their authenticity. (This includes results from background checks done by outside service providers.) When performing enhanced due diligence on a specific person, you may also need to collect evidence from him or her directly: passports, birth certificates, marriage certificates, and related materials.

Throughout all of this, remember: your compliance program will need policies and procedures to gather this evidence, and a recordkeeping system to preserve it.

The goal with enhanced due diligence isn’t just to perform a one-time exercise in third-party onboarding and then forget about it. The goal is to develop a clear, documented understanding of the third party’s compliance risk, that you can use as a risk tool again and again in the future as your relationship with that party evolves.

Why Do Enhanced Due Diligence?

For several reasons. First, globalized business and companies’ constant quest for growth keeps pushing companies into new markets. That includes high-risk geographic markets and high-risk third parties all over the world. Your risk of brushing up against corruption is simply greater.

Second, enforcement against corporate corruption is growing around the world. Thankfully, at the same time, more regulators are giving companies a compliance defense: the ability to avoid criminal charges and severe penalties, if the company can demonstrate that it took proper steps to reduce its exposure to corruption.

That’s what enhanced due diligence is, really—taking proper steps to reduce corruption risk. The proper steps for a high-risk third party are very different from the proper steps for a low-risk third party. That’s what a risk-based approach to due diligence is all about.

If you apply basic due diligence to all third parties, but nothing more, that’s not a risk-based approach. That’s a compliance exercise to look good to regulators, who increasingly won’t fall for such a tap-dance routine.

On the other hand, if you apply enhanced due diligence to all third parties, you’ve performed more compliance than necessary. That’s a waste of resources, which will alienate business partners, coworkers, and senior executives approving your budget request.

Enhanced due diligence requires judgment. It’s a disciplined effort to collect the evidence you need, to identify the compliance risks a third party truly poses. It’s not always easy, but with proper foresight and the right tools, it’s a powerful way to get the risk assurance your company needs.

What is a Due Diligence Review?

A due diligence review is a process that one business undertakes to confirm how reliable another business is before the two organizations undergo some sort of transaction. This will typically start with an executive summary and risk assessment using the company’s risk grid. All reports are reviewed by a senior-level compliance officer and if the risk is greater than moderate, the Chief Compliance Officer will determine a course of action.

Identifying that the target entity has a website that has addresses and names of partners and personnel that coincide with the company records is useful, independent data sources are more desirable. At the very least an analyst expects to find business registration, articles of incorporation, profile, ownership information, or local news mentions.

In a merger, the acquiring company will perform due diligence on the target company to confirm that, say, the target has all the customer contracts it claims to have. In a technology purchase, a company might perform due diligence to confirm that a vendor has sufficient operations to provide follow-up services for the life of the contract.

And of course, in the compliance world, a company will perform due diligence on business partners to confirm they pose no threat of corruption or misconduct that could bring liability back to your own business.

In all cases, due diligence is about gaining assurance in another party, to reduce the potential for harm to some acceptable level. A due diligence review is just the collection of steps you take to gain that assurance.

(jump to top)

Why Due Diligence Reviews Are Necessary

Let’s keep this short and sweet: if you don’t do due diligence reviews, the risk of harm might cause your business all sorts of trouble. That’s it, really.

For example, if you don’t perform a due diligence review on a new technology vendor, you might discover four months later that the vendor has gone bankrupt and its software no longer works—perhaps leaving your business unable to perform mission-critical tasks. Then come lawsuits from shareholders or your own customers, seeking damages because your company should have done better at reducing the risk of harm.

Likewise, regulators expect businesses to take prudent steps to reduce the risk of violating the law. They expect due diligence as part of that effort. Those due diligence reviews don’t need to be perfect—because no due diligence program can be—but regulators do expect companies to make a sincere, thoughtful effort at due diligence.

Moreover, even if the regulatory climate shifts over time, or differs from one country to another, that doesn’t devalue the need for strong due diligence capability generally. Companies still have countless other business risks that exist regardless of the regulatory climate.

Due diligence reviews are just an indispensable part of corporate life generally, and that’s never going to change.

How to Prepare for a Due Diligence Review

As a practical matter, due diligence can be done in any number of ways. The most important point is that the company plan its due diligence review wisely. Two questions immediately come to the fore:

First, is the due diligence review scoped correctly? That is, do you know the right facts and assurances you want to get from the target, to address the risks and questions you have?

For example, in an anti-corruption review, due diligence should always include identifying the true owners and controllers of the target business, to see whether they are politically exposed persons (PEPs) or fall into some other high-risk category. The review should also try to find any prior brushes with corruption the target might have had. Meanwhile, a due diligence review for sanctions right might inquire about the products that target makes (say, nuclear materials) and other customers the target has (any in Iran or North Korea).

Sanctions risk and corruption risk are different, so the scope of due diligence will be different. Setting the wrong scope can be disastrous.

Second, is the due diligence review thorough and objective? This drives the question of who actually performs a due diligence review. It can be your own company, an outside due diligence firm, or (most likely) a mixture of both.

Tedious, repetitive due diligence tasks—such as checking for adverse media reports and prior litigation, or identifying corporate owners—are best left to outside firms. The work is dull, and not the best use of your employees’ time. Much of that work can also be automated, which produces more reliable, data-driven results.

So a big part of performing due diligence is simply building the capability to embed and automate those tasks, usually with a blend of in-house and outside technology. When you need to perform thousands of due diligence reviews, year after year, this approach is paramount.

That said, some crucial parts of due diligence shouldn’t be automated. If you’re dealing with a third party that’s high value but also high risk, the human touch might be better to ask sensitive questions or to push for important disclosures. For major transactions (say, a joint venture with a state-owned entity), your company may even hire a professional services firm for some due diligence tasks.

All of that is in pursuit of a thorough, objective due diligence report, that provides the assurance you need for the risks your business has.

On the Receiving End of Due Diligence

Those points about scoping a due diligence review and striving for thorough, objective evidence are just as useful for third parties on the receiving end of due diligence, too. After all, the vast majority of businesses want to be good business partners—so clearing a path for good due diligence is very much in their interests.

For example, as a third party, you should understand the scope of due diligence that your customer is likely to set. You should anticipate the customer’s wants, and prepare your own business to provide them.

Take anti-corruption training as a specific example. Many compliance due diligence reviews will ask what anti-corruption training you’ve provided to your employees or your own third parties.

Compile that documentation: the training materials, completion rates from employees, certifications from your third parties, and so forth.

Also, understand what your client’s anti-corruption training expectations might be. They could try to push you to provide their training to your employees. Maybe you’ll allow that, or maybe you’ll only certify that parts of your training are identical to theirs, and allow their training for issues yours doesn’t address.

Those choices are yours to make. A good third party will simply prepare to make them as quickly and efficiently as possible.

Due Diligence Workflow Automation

Now that we understand the need for due diligence, let’s get the chore done as efficiently and effectively as possible.

The key to successful due diligence today is, more than anything else, efficiency: the streamlining and automating of the steps involved in due diligence, so a company can perform those tasks at scale. Modern compliance risks are simply too great for companies to master due diligence any other way.

Yes, we always say that employees in operating units should “own the risk” and perform due diligence on the third parties they work with. In the real world, however, due diligence can be painstaking and error-prone. Employees need help to do the work.

The compliance officer’s job is to provide that help—which means figuring out which parts of due diligence can be automated off the employees’ to do list.

Conceptually, you want to automate as much data collection and documentation as possible. Those are the repetitive parts of due diligence that employees in the operating units don’t want to do.

These administrative tasks include:

  • Screening third parties for key employees who pose corruption risks.
  • Identifying the ultimate beneficial owners of a third party.
  • Searching for adverse media reports.
  • Documenting office locations and contact information for a third party.

The more a compliance program can automate that work, the more you save time for more productive and strategic due diligence processes. Those more productive purposes are analysis and mitigation of third party risks. That’s where an employee in the operating unit becomes invaluable to an effective due diligence program.

For example, a company could automate the screening of third parties against lists of Politically Exposed Persons or Specially Designated Nationals. Employees will welcome that, since they don’t want to spend time hounding third parties with questionnaires or researching those third parties on Google. Plus, you don’t want them entering those answers into a database or spreadsheet by hand, either.

Inevitably, some potentially lucrative third party will have an executive on a watch list. What happens then?

That’s a judgment call each company must make for itself. The company might decide the third party is too risky, and cease doing business with it. Or the company might impose more rigorous due diligence procedures and controls: perhaps more detailed audits, or an in-person conversation with the third party’s leadership.

The point is that judgment must be exercised. The more your due diligence program can automate the routine chores of data collection to save an employee’s time and focus for those specific, judgment-intensive tasks, the better.

Exercise of judgment is the part of due diligence that can’t be automated. It can only be supported, by providing a supply of data for employees—the compliance officer and operations executives, working together—to analyze.

This approach helps compliance officers in two practical ways. First, you win more enthusiasm from operations executives to help with due diligence, because the issues are more challenging and less tedious. Second, regulators want to see due diligence programs that are risk-based, where procedures and controls are tailored to each third party based on its specific risks.

How do you implement that automation? The answer will vary with every company and its unique business processes. What the automation of due diligence should accomplish, however—that’s easier to discern. The end result should be better judgment about third parties, exercised more quickly and more precisely.

(jump to top)

What’s So Hard About Due Diligence?

Willie Stargell, the Hall of Fame Pittsburgh Pirate Outfielder, once said that hitting a pitch from Steve Carlton, Hall of Fame pitcher, was as difficult as eating soup with a fork. You don’t have to be a baseball enthusiast to get that analogy.

This reminds us of due diligence for anti-bribery and corruption: On the surface it does not seem like that daunting a task, but considering the what, how, who, and when of the entire process leaves many fine CCO’s shaking their heads and asking; “what is enough?”

It’s an even harder task if you don’t know what activities and steps actually comprise due diligence or how much due diligence will satisfy a regulator. So here are a list of factors that make due diligence difficult at a high level:

  • Lack of a plan or methodology.
  • Not maximizing the right risk factors.
  • Developing a segmentation rationale and employing it.
  • Selecting which activities to perform for each segmented tier of third parties.
  • Obtaining independent information on private parties in higher-risk countries.

The Risk Factors

What’s interesting about the due diligence cycle is that it can have you running in circles. For instance, your due diligence plan or workflows might depend on the information you lack. If a compliance professional does not know whether the third party is customer, vendor, contractor; or what industry they are in, you are operating at a disadvantage. Knowing the activities your third party is engaged in will also determine potential monitoring activities. An analytical tool can be used to identify red flags of fraud and corruption by employees and vendors.

So we’ve identified the risk factors. However, creating such a list and actually gathering this information and keeping it updated is a challenge.

The most confounding part of due diligence is when you turn up nothing on a third party. It happens more with individuals but a business in place for 5 or more years with no media, no registration, no public records, no beneficial ownership information, and only satellite support that an office building exists is alarming. But it’s not uncommon especially in certain countries including China. When this happens, depending on the relationship, it could mean that it’s time for boots on the ground.

Unfortunately, the risks above only further highlight what most of us have long understood: that due diligence can be frustrating, just like eating soup with a fork.

Build an End-to-End Due Diligence Solution

CCO’s today are faced with many hurdles to overcome as we’ve outlined above and arguably, one of the most pressing is how to manage third party risk.

As the outsourcing of services continues to rise and complex supply chains continue to expand, regulatory scrutiny leaves organizations more vulnerable than ever to third party risks. As a result, compliance teams need a comprehensive solution that helps protect them against these risks.

The problem? Existing methods of mitigating third party risks all have areas of weakness. As a technology provider, we wanted to change that; so we partnered with Control Risks and other human-led due diligence vendors. With the common goal of building an all-encompassing third party due diligence solution, we have created a hybrid product that helps compliance teams best manage risk.

(jump to top)

Limitations with Your Current Due Diligence

Up until this point, compliance teams have had three main options when attempting to mitigate third party risk; manual processes, technology partners, and consulting partners. While each of these strategies has advantages, each is also fraught with limitations.

Many organizations don’t have a dedicated third party risk management team or a centralized information repository, indicating that they are mainly relying on manual processes. While manual processes are inexpensive they are also labor and time intensive, and more susceptible to error. Additionally, a manual approach is unscalable and unsuitable for handling large volumes of third party due diligence.

Technology provides a single system of record and assists with automating repetitive tasks, saving you time. However, technology alone lacks local expertise and context that could potentially be invaluable in your due diligence process. Without local expertise and understanding the nuances of a specific culture, organizations might easily overlook critical risks associated with a third party.

Consulting partners, on the other hand, have the critical expertise and investigative experience needed to gather an accurate and complete picture of a third party’s background and integrity profile. Unfortunately, consulting partners lack the robust technology capabilities that allow you to quickly and efficiently pull analytics in real time.

Modern compliance teams need a hybrid solution that has both actionable intelligence and reports with clear red flags. That’s where our due diligence software comes in.

Uniting Revolutionary Technology with Unparalleled Reporting

We’ve built an unprecedented third party due diligence solution. You can now request higher level reports directly from within the GAN platform. This partnership unites consulting’s strengths with the technology edge to bring you a closed loop solution to due diligence. This feature is designed to help you drive efficiency, optimize internal resources, and, ultimately, minimize risk.

With the our due diligence solution you can:

  • Adopt a fully automated risk-based approach.
  • Capture all your data within one platform.
  • Access interconnected top-notch consulting and cutting-edge software.

This is an end-to-end third party due diligence solution that helps you manage third party risk. The combined power of workflow automation technology with specialist due diligence capabilities create an inclusive compliance process. Now, you can focus on the analysis, filter out the noise, and elevate your due diligence to a strategic level.

Transform Your Compliance Program

We would love to show you how our software can transform your existing third party due diligence compliance program.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.

Implement a tailored Third-Party Risk Management solution