Six steps to get started in third-party due diligence

By Matt Kelly

If your organization is implementing a due diligence process for the first time, or is revamping an existing process, finding the best way to get started can be quite complicated. We can break down that challenge into six logical steps.

1. Identify the third parties you currently have

Your company already works with third parties, and possibly lots of them. For example, you could ask the accounting team, “Send me a list of all parties that receive payments from us,” although that might return more parties than the compliance department needs to worry about.

Another route would be to ask leaders of business operations teams to provide their lists of resellers, local agents, joint venture partners, and so forth. If the company has a strong culture of compliance and you trust that those business unit leaders are telling the truth, that might give you a smaller list of more relevant third parties. Either way, identifying your current third-party population will help you understand the scope of this project.

2. Know your organization’s risks

Anti-corruption risks are one obvious concern, but third parties can also bring issues around money-laundering, trade sanctions, antitrust, or cybersecurity risk. Really, you want to understand your own organization's regulatory and compliance obligations, regardless of any third parties — and then understand how your use of third parties magnifies those risks.

This often means your business should form an in-house risk committee that meets regularly to talk about its risks. This committee might include the heads of finance, accounting, legal, HR, IT security, marketing, and perhaps others. Ideally the compliance officer chairs this committee, and you can use the conversations as the basis of risk assessments you later develop.

3. Identify your high-risk regions

Various groups rate the countries of the world on their corruption risk. In any country with high corruption risk, you can assume that local agents and other third parties operating there are also high-risk. That is where you will likely need to perform more rigorous due diligence. (Moreover, regulators such as the U.S. Justice Department, and law enforcement agencies in Europe, expressly say in their FCPA compliance guidance that companies should identify the high-risk regions where they do business.)

4. Understand your current due diligence processes

The truth is that your organization already does at least some due diligence, even if it’s only a sales executive asking the reseller to correctly spell his or her name for a payment check. Talk to people in the finance and accounting functions about how third parties get paid, and talk to people in procurement or business functions about how third parties are selected. The goal here is to understand how due diligence at your company currently happens, so you can identify any shortcomings and introduce steps to bring your due diligence program to a higher, more effective state.

5. Learn about the current reporting processes

Again, your organization already does at least some reporting about its transactions with third parties, even if that reporting is scattershot discussion via email or phone calls, with no aggregate analysis. The point here is to understand what the company’s current process for third-party due diligence is, even if (or especially if) that current process is not up to par.

6. Look for opportunities to improve and automate improvements

Only when the compliance officer has a clear and complete understanding of the current third-party due diligence process can you begin considering how to improve the situation.

Almost always, that improvement will involve some automation of due diligence tasks. That could be integrating background checks from outside sources, or automating the collection of certifications from third parties, or implementing new rules to block payments to any third parties that haven’t completed due diligence (more on automation in a later section).

Understand the bigger picture

The six steps above are, essentially, a gap analysis: studying the difference between what regulations require your business to do to manage risks, and what your business actually does to manage risks. If this is your first time approaching third-party due diligence, that’s how you start. You perform a gap analysis.

Improving third-party due diligence is really about understanding workflows within your organization. As we said, your business already does at least some due diligence, if only to find a third party and pay it to do something on your company’s behalf. Whatever that process is — that’s a workflow. It might be inadequate and arbitrary and invite all sorts of risk to your organization, but it’s there.

Then comes the process of improving that workflow. Compliance officers need to think practically here, because lots of improvements make great sense in theory but fail in practice. If you impose manual, time-consuming due diligence tasks, employees won’t do them.

That’s why technology, specifically automation, is so crucial to improving due diligence. It can put more power into your due diligence workflows without adding burdens or disruptions that might drive employees to evade your compliance procedures. Plan it well, and your automation of third-party due diligence will make workflows easier for employees while also reducing compliance risks for the business.
