Today I want to discuss the subject of choosing a due diligence platform. In my experience, due diligence is a business process never far from a compliance officer’s heart.
The importance of effective due diligence to your overall corporate compliance program cannot be overstated. That’s true when we’re talking about due diligence performed on one specific third party, and it's even more true when we talk about due diligence at scale—performed consistently and thoroughly upon thousands of third parties.
Compliance officers need a technology platform to manage that volume of work. So when you’re trying to select a due diligence platform, what should you consider?
To address this issue, I compiled a list of 10 questions compliance officers should ask, to ensure that the platform you use delivers the capabilities you need. Here are the critical questions you should be asking as you select a due diligence platform.
1. Can you take a risk-based approach?
That is, can it evaluate third parties based on business relationships, where more important or more risky relationships get more attention?
An ability to take a risk-based approach to due diligence is fundamental to the success of your compliance program. The Justice Department’s guidance on effective corporate compliance programs talks about it; so do plenty of other regulators both in the United States and around the world. Your due diligence program should be able to identify high-risk transactions, and your technology solution should then be able to give the third parties involved in those transactions more scrutiny.
2. Does the solution pull relevant data?
If due diligence is supposed to be risk-based, that means your solution will need to pull together different types of data about a third party so you can understand the amount of risk it poses. For example, low-risk parties (the vendors who provide office supplies, for example) might only need basic information such as ownership details and a credit check. High-risk parties (distributors in corrupt countries) would also need adverse media reports, criminal or litigation histories, details on true beneficial owners of the business, and more.
The solution you choose should be able to address all those needs. It should be able to source the information necessary so that you can perform whatever amount of due diligence is necessary, based on the risk that a third party poses.
3. Can the solution handle multiple languages?
Global businesses need to perform due diligence on third parties all over the world. That means your due diligence efforts will encounter documents written in different languages, and languages that rely on different alphabets: Arabic, Hindi, Chinese, Russian. However you get those documents translated into information you can understand, you will need that translation performed somehow.
4. Can the solution monitor your third parties, rather than simply onboard them?
Frankly, in due diligence, onboarding a third party is the easy part. You have a unique moment to extract that data from the business partner (“tell us what we need to know or else we can’t work with you”) and you’re actively looking for warning signs about risk.
Far more tricky is to monitor third parties after the business relationship begins. So can your due diligence solution also be configured to search for key risk indicators among your third parties on an ongoing basis? For example, can it detect changes in ownership, or perform fresh adverse media checks every quarter? Can a change in the relationship (say, upgrading an overseas law firm from scouting office real estate to closing sales deals) trigger additional checks?
5. Are onboarding processes flexible?
As your business grows and operations change, your due diligence needs will evolve as well. For example, you might acquire an overseas subsidiary with poor due diligence capabilities, and that needs to be integrated into your program. You might expand into high-risk regions or start catering to more high-risk clients. Perhaps a due diligence task that happened rarely before, so you could perform it manually; now needs to happen at an automated scale.
The due diligence solution you use should be flexible enough to change along with you. The alternative is a technology that quickly becomes a legacy system—and you end up either getting a flawed, incomplete picture of risk; or embarking on yet another software implementation project to close the gap.
6. Does the solution centralize data?
What a global business does not want is data about its third parties scattered across various parts of the enterprise. In this situation, the Chief Compliance Officer can’t pull together the necessary information quickly. That can lead to an inaccurate or incomplete picture of a third party’s risk, or complicate your efforts at reporting because you can’t easily pull together all the information you need.
An effective due diligence solution will store all third-party risk data in one repository, the fabled “single source of truth.” You’ll need to assure that privacy and security concerns of that data are addressed, but centralized control of data reduces the risk that a critical piece of information is lost in some far-flung pocket of the enterprise that you didn’t see.
7. Does it include escalation processes?
High-risk third parties will require considerable due diligence. Some of those tasks, such as following up with the party to complete a risk questionnaire or asking the party to explain an inconsistency, may need to be done by employees. Don’t die of shock here, but sometimes employees don’t do those tasks in a timely manner.
So your due diligence solution should also include alerting processes to “remind” employees when they need to complete a task, and escalation processes when they don’t do the task in a timely manner. If you already have alerting and escalation processes in place, then see whether the due diligence tool can integrate with those existing processes.
8. Does it fit with other program elements?
Due diligence is only one part of a holistic corporate compliance program—so how well can the solution you choose fit with those other program elements? For example, could the due diligence tool integrate with your compliance training efforts, so that third parties hitting a certain level of risk automatically receive alerts about anti-corruption training you want the party to take?
Likewise, consider how data from the due diligence solution could cross-reference with data from your internal reporting program; so that you could determine whether a party that raises due diligence alarms has ever turned up in a whistleblower allegation, or vice-versa.
9. Does the solution scale?
You don’t want a due diligence tool that can’t reach into certain geographic markets your organization plans to enter next year, or can only handle a certain volume of queries each month. Look for a solution that can grow with your volume of requests, the nature of your requests, and the geographic scope of your requests.
10. Is the implementation straightforward?
Compliance officers need to consider this question first from a technology perspective since your IT department will be critical allies (or fearsome enemies) to get your solution up and running. You also need to consider the question from an operations perspective too: will it mean much disruption to employees somehow involved in due diligence?
Ideally, your due diligence solution will automate lots of tasks, and relieve those employees from the more tedious tasks of due diligence. Simplicity will win employees over. Furthermore, your solution should run as a Software-as-a-Service model, where an intensive systems integration project isn’t necessary. That technology will win over the IT department.
Then, after all those questions are answered to your satisfaction, you can get on with the fun stuff—studying the results of due diligence and acting accordingly, to drive more ethical business practices.
Implement a bespoke Third-Party Risk Management solutionView platform