Willie Stargell, the Hall of Fame Pittsburgh Pirates outfielder, once said that hitting against Steve Carlton, another Hall of Famer, was as difficult as eating soup with a fork. You don’t have to be a baseball enthusiast to get the analogy. It reminds me of due diligence for anti-bribery and corruption purposes: on the surface it does not seem that daunting a task, but considering the what, how, who, and when of the entire process leaves many fine CCOs shaking their heads and asking, “What is enough?”
It’s an even harder task if you don’t know which activities and steps actually comprise due diligence, or how much due diligence would satisfy a regulator if the party did in fact prove to be a bad seed. So here is one person’s high-level list of what makes it so difficult: the lack of a plan or methodology; not prioritizing the right risk factors; developing a segmentation rationale and actually employing it; selecting which activities to perform for each segmented tier of third parties (including how much is enough); and obtaining independent information on private parties in higher-risk countries.
According to H. Stanley Judd, “A good plan is like a road map: it shows the final destination and usually the best way to get there.” In this case the roadmap outlines the steps needed to reach a reasonable conclusion that you are not dealing with a high-risk party. There may not be a blueprint, but there are some model roadmaps out there. Here is mine.
- Third-party vetting: The struggle is twofold. First, the questions are often driven by commercial purposes. Larger companies can combine commercial and compliance risk into a single long-form questionnaire, and alliances with procurement are important for gathering information that serves more than one dimension. Second, for smaller companies, determining how much to ask so that you get timely responses may mean performing a preliminary risk assessment, segmenting, and then sending more detailed questions to the higher-risk parties. Some choose to do it this way.
- Risk assessments: The struggle here is to use the information gathered during the vetting process to create an objective risk assessment, and it gets even more complicated when companies have three or more tiers based on quantitative or other scoring methods. There is also the challenge of deciding how to weight each response, which will often vary with company profile and risk tolerance. This means comparing the risk of corporate structure against location, number of employees, government interaction, and the level of compliance program in place.
- Monitoring: Dependent on the third-party relationship; detailed below.
- Watchlist, PEP, and adverse media screening: Ascertaining whether third parties are themselves risky parties. As a level 1 due diligence activity, this should include identifying the beneficial owners, directors, and executives and subjecting them to watchlist screening. The challenge is that you widen the data set as you add principals, and, more importantly, there should be a documented rationale for clearing false positives and hits that yield risk-neutral information.
- Performing investigative desktop research: This level 2 process goes wider and deeper: looking at the company profile; identifying personnel, registration, and locations (via satellite imagery or otherwise); and looking for litigation, enforcement actions, and adverse media. It is akin to a background check, but more interactive, and it requires analysis and synthesis skills. The result could change the overall risk score, which in turn could affect the frequency of future level 2 research.
- Enhanced due diligence: A deeper, more complete investigation with feet on the ground: obtaining local references and interviews, site verification, and possibly a site visit and interviews with personnel. I once sent an auditor to vendor sites in New Delhi, and one proved to be a residence and the other an apartment building under construction. Red flag city.
The Risk Factor
What’s interesting about the whole due diligence cycle is that it can have you running in circles: the due diligence plan may well depend on the very information you lack. If a compliance professional does not know whether the third party is a customer, vendor, or contractor, or what industry it is in, they are operating at a disadvantage.
Industry has a large impact on the assessment. At CPA Global we were doing some work for a chemical company that had requested we respond to their questionnaire for a risk assessment through Achilles, an outsourced management firm. The results of our responses could trigger two additional activities, the latter being an outside-party audit. But because their compliance officer knew, based on our industry, that their risk level with us was low, she informed CPA Global Legal that we would be done at step one.
Knowing the activities your third party is engaged in will also determine potential monitoring activities. An analytical product like ACL can be used to identify red flags of fraud and corruption by employees and vendors, but it would not be enough if, for instance, an agent were receiving regular payments that could be aggregated to pay a single bribe.
So we’ve identified the risk factors. What else? Creating such a list, actually gathering the information, and keeping it updated is a challenge.
I was recently talking to a vendor that provides third-party due diligence and, if I understood him correctly, their auto due diligence forms the basis of their third-party risk assessment. The vendor’s method consists of taking readily available private and public, dependent and independent information and using this data to create a risk score, factoring in, of course, the company’s risk criteria. I found this fascinating, but there are apparently a number of unique ways data can be utilized for due diligence.
Coming Up Empty
The most confounding part of due diligence, to me, is when you turn up nothing on a business. It happens more with individuals, but a business in place for five or more years with no media, no registration, no public records, no beneficial ownership information, and only satellite imagery confirming that an office building exists at the address is alarming. It is not uncommon in countries like China, though. When this happens, depending on the relationship, it could mean time for feet on the ground.
No Single Source of Truth
The vendor test-drive example above alludes to another struggle if you are performing level 2 research yourself: equipping yourself with all the high-tech tools that can reach 26K or more databases of information. The struggle is knowing which to purchase and what each one’s strengths and weaknesses are.
Unfortunately there is no single resource that covers the whole spectrum. Lexis Diligence is excellent and will have open litigation that most other resources can’t obtain, but business registration is not a strength. Bureau van Dijk has the best coverage and graphical representation of beneficial ownership I have seen. We employ One Source, which is strong, but they don’t always have percentage of ownership. Good databases will include percentage of ownership so you can be sure you are not paying a Specially Designated National (SDN), as any combination of SDN ownership exceeding 50% would be an OFAC violation.
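To show what a database with percentage-of-ownership data lets you check, here is an added example (not code from this post or from any of the vendors named) that walks layered holdings and flags an entity when SDN-listed parties, together with entities themselves blocked by the rule, hold at or above the threshold; OFAC’s 50 Percent Rule counts 50 percent or more, and a blocked intermediary’s stake counts in full rather than pro rata. All company and owner names are constructed sample data.

```python
"""Aggregate SDN ownership across layered holdings for a third-party screening check."""
from typing import Dict, List, Set, Tuple

# company -> list of (owner name, percent of that company the owner holds)
OwnershipTable = Dict[str, List[Tuple[str, float]]]

# Constructed sample data: every name below is made up for this example.
SDN: Set[str] = {"Sanctioned Holdings Ltd", "J. Doe"}
OWNERS: OwnershipTable = {
    "Alpha Trading":   [("Sanctioned Holdings Ltd", 30.0), ("J. Doe", 25.0), ("Clean Capital", 45.0)],
    "Beta Services":   [("Alpha Trading", 50.0), ("Clean Capital", 50.0)],
    "Gamma Logistics": [("Sanctioned Holdings Ltd", 20.0), ("Clean Capital", 80.0)],
    "Delta Supply":    [("Beta Services", 10.0), ("Clean Capital", 90.0)],
}
THRESHOLD = 50.0  # OFAC's 50 Percent Rule: blocked at 50 percent or more


def blocked_share(company: str, owners: OwnershipTable, sdn: Set[str],
                  threshold: float = THRESHOLD, _path: Tuple[str, ...] = ()) -> float:
    """Percent of `company` held by SDNs or by entities blocked under the rule.

    A blocked intermediary's stake counts in full: Alpha is 55% SDN-owned, so
    Alpha's 50% stake in Beta makes Beta 50% blocked-owned. Circular holdings
    are cut off by `_path` so the walk always terminates.
    """
    if company in _path:
        return 0.0
    share = 0.0
    for owner, pct in owners.get(company, []):
        if owner in sdn or blocked_share(owner, owners, sdn, threshold, _path + (company,)) >= threshold:
            share += pct
    return share


def is_blocked(company: str, owners: OwnershipTable, sdn: Set[str],
               threshold: float = THRESHOLD) -> bool:
    """True when the company is itself listed or meets the aggregate-ownership threshold."""
    return company in sdn or blocked_share(company, owners, sdn, threshold) >= threshold


def screen(owners: OwnershipTable, sdn: Set[str]) -> Dict[str, Tuple[float, bool]]:
    """Screen every company in the table: name -> (blocked-owned percent, blocked?)."""
    return {c: (blocked_share(c, owners, sdn), is_blocked(c, owners, sdn)) for c in owners}


if __name__ == "__main__":
    for name, (pct, blocked) in screen(OWNERS, SDN).items():
        print(f"{name:16} {pct:5.1f}%  {'BLOCKED' if blocked else 'clear'}")
```

Gamma comes out clear at 20%, which is exactly the case where a database that omits percentages would leave you guessing.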
Now that more companies will be engaging in third-party due diligence to meet their FCPA compliance obligations and potentially to seek ISO 37001 certification, I hope this blog is helpful in understanding what most of us have long understood: that due diligence can be frustrating, just like eating soup with a fork.