Most business executives now understand the need for due diligence; they just want to get the chore done as quickly as possible.
Shrewd compliance officers should say that’s precisely the point.
The key to successful due diligence today is, more than anything else, efficiency: the streamlining and automating of the steps involved in due diligence, so a company can perform those tasks at scale. Modern compliance risks are simply too great for companies to master due diligence any other way.
Yes, we always say that employees in operating units should “own the risk” and perform due diligence on the third parties they work with. In the real world, however, due diligence can be painstaking and error-prone. Employees need help to do the work.
The compliance officer’s job is to provide that help — which means figuring out which parts of due diligence can be automated off the employees’ To Do List.
Conceptually, you want to automate as much data collection and documentation as possible. Those are the “boring” parts of due diligence that employees in the operating units don’t want to do. For example…
- Screening third parties for key employees who pose corruption risks;
- Identifying the ultimate beneficial owners of a third party;
- Searching for adverse media reports;
- Documenting office locations and contact information for a third party.
The more a compliance program can automate that work, the more you save employees’ time for more productive due diligence purposes.
Those more productive purposes are analysis and mitigation of third party risks. That’s where an employee in the operating unit becomes invaluable to an effective due diligence program.
For example, a company could automate the screening of third parties against lists of Politically Exposed Persons or Specially Designated Nationals. Employees will welcome that, since they don’t want to spend time hounding third parties with questionnaires or researching those third parties on Google. (You don’t want them entering those answers into a database or spreadsheet by hand, either.)
Inevitably, however, some potentially lucrative third party will have an executive on a watch list. What happens then?
That’s a judgment call each company must make for itself. The company might decide the third party is too risky, and cease doing business with it. Or the company might impose more rigorous due diligence procedures and controls: perhaps more detailed audits, or an in-person conversation with the third party’s leadership.
The point is that judgment must be exercised. The more your due diligence program can automate the routine chores of data collection to save an employee’s time and focus for those specific, judgment-intensive tasks, the better.
Exercise of judgment is the part of due diligence that can’t be automated. It can only be supported, by providing a supply of data for employees — the compliance officer and operations executives, working together — to analyze.
This approach helps compliance officers in two practical ways. First, you win more enthusiasm from operations executives to help with due diligence, because the issues are more challenging and less tedious. Second, regulators want to see due diligence programs that are risk-based, where procedures and controls are tailored to each third party based on its specific risks.
How do you implement that automation? The answer will vary with every company and its unique business processes. What the automation of due diligence should accomplish, however — that’s easier to discern.
Automate the menial tasks of collecting and verifying data. Feed them into a system that allows employees (compliance and operations alike) to spend more time analyzing the data and mitigating risks to appropriate levels. The result: better judgment about third parties, exercised more quickly and more precisely.