The golden rules of due diligence

By Matt Kelly

What is due diligence?

Due diligence is one of the most important tasks a corporate compliance function performs. It is essential to an effective compliance program, and therefore compliance officers must always be thinking about how to make the due diligence process more accurate — and more efficient.

Broadly speaking, due diligence is the process of examining a person or business partner’s background to identify any potential risks of doing business with that party. (Hence “third-party due diligence” has become a standard term in the compliance world.) Conducting due diligence allows companies to make more informed decisions about who they do business with, and in what capacity. Due diligence is also essential for organizations to understand their potential liability under anti-corruption laws and other legislation.

Due diligence is typically carried out prior to engaging in a formal agreement (say, an acquisition or a business partnership), but ongoing monitoring is also essential to keep up with ever-changing risk factors. Initial due diligence might also give the compliance team an opportunity to put mitigation activities in place to lower the risk exposure of working with high-risk third parties or individuals, including those that will be working on your organization’s behalf.

Why due diligence is top of mind

There are many reasons why due diligence has become more important in recent years:

  • Businesses are continuing to expand and enter new global markets.
  • The regulatory environment continues to grow, touching data privacy, sanctions, export controls, and money laundering. In short: modern compliance obligations go way beyond corruption.
  • Executive boards are recognizing the criticality of compliance, are starting to understand the advantages of being compliant, and have a deeper understanding of compliance than in the past.
  • Regulators and enforcement agencies are well aware of the resources available to compliance teams. This knowledge has led to a dramatic increase in their expectations for “effective” compliance programs, with due diligence playing a starring role.

For these reasons, organizations and compliance officers alike have prioritized the efficiency and accuracy of their due diligence process.

What is third-party due diligence?

At its core, third-party due diligence is objective research on a potential business partner, to assess the potential risks of doing business with that partner.

Some of that research might be done in your own office, studying documents or reviewing questionnaires. Other research might be done by direct visits to the party for interviews or inspections. In both cases, the goal is to gather information about the third party’s history and the potential risks of working with that person or company.

The Foreign Corrupt Practices Act (FCPA) casts a large shadow over third-party due diligence. To put things in perspective, more than 90 percent of all FCPA enforcement actions over the last 40 years have involved the misconduct of third parties. These staggering numbers have motivated compliance teams and boards alike to prioritize third-party due diligence, in hopes of avoiding FCPA enforcement actions (and the hefty costs such enforcement brings).

As with any compliance process, third-party due diligence is not one-size-fits-all. The unique attributes of organizations — including the regions in which they operate, the number of third parties, where those third parties are located, and the wide variety of risks associated with them — often dictate what the process looks like.

All that said, there are some common elements that most programs use when building a third-party due diligence strategy.

Ten golden rules of due diligence

While there are many best practices around third-party due diligence, few offer a structured checklist of the essentials your program must have. Below are the 10 golden rules of third-party due diligence. If you follow these rules, your due diligence process will thrive. Use them to steer your program in the right direction.

  1. Consider a wide variety of risk factors, specific to your organization.
  2. Test your risk factors and their weightings.
  3. Create dynamic workflows rather than linear ones.
  4. Don’t rely on database screening alone; integrate human-led due diligence.
  5. Align due diligence process with a broader risk framework.
  6. Communicate your company’s risk tolerance and be transparent with third parties.
  7. Leverage technology solutions to support processes.
  8. Strike the right balance between a centralized process and decentralized teams.
  9. Outsource to patch gaps in internal knowledge.
  10. Take advantage of workflow automation technology.

For more helpful best practices, read Accounting for third-party risk: a framework. This e-book will help you gain a deep understanding of the critical components of an effective third party management program within various industries. For insight into how you can supercharge your third party management process see GAN Integrity’s offering on third-party risk management.
