Due diligence is necessary for companies to ensure compliance with international anti-corruption legislation. Implementing tools and procedures can help simplify the process of doing business. This page provides model due diligence tools that can be used for different types of third parties and in the public procurement process. These tools and procedures work together with the country profiles, local information networks and your company’s anti-corruption strategy to help mitigate corruption risks.
STEP 1: Capture key data.
Collect key organizational information on the entity and the department that initiates due diligence into a centralized third party management system. If your data is flawed, your due diligence data will be fraught with duplicates and holes, thus nullifying – or at least severely impairing – the results of the entire process. If you capture your key data correctly, you’ll not only fill in your compliance data holes; you’ll be able to identify and mitigate risks before they become a problem. To this end, creating automatic alerts is a key time-saving and organizational feature of successful data aggregation – use your own tools or a third party!
STEP 2: Identify the types of third parties.
Identify the type of third party you are engaging. Third parties present a higher risk because they are subject to a lower degree of control compared to employees. Yet companies are held liable for corruption committed by third parties.
- Customs Clearing Agent is authorized by international customs authorities to certify and manage consignments between countries.
- Service Provider is a person or entity that provides another organization with functional support (e.g., logistics, processing services, etc.).
- Joint Venture Partner may be a person or an organization which has agreed with another person or organization to establish a new business entity and to manage its assets.
- Customers are recipients of a product, service or idea. They may be intermediate customers (dealers purchasing goods for resale) or ultimate customers (end users).
- Contractor and sub-contractor is a non-controlled individual or organization that provides goods or services to an organization under a contract.
STEP 3: Internally Assess Third Party Risk
After all of your data has been authorized, the initial risk of the relationship between the company and a third party should be evaluated by asking the entity or department initiating the business a number of relationship questions via a questionnaire. A set of “red flag” questions ensures the risk questionnaire can be used to create guidelines for the depth of an investigation that will be conducted on a third party, and will determine the initial risk level of a specific third party to an organization.
You can automate sending risk questionnaires to the entity or department(s) initiating the business relationship (“Originator”), which contain sets of “red flag” questions that will trigger requests for additional information. Questionnaires with the Originator’s responses should be recorded in a centralized system and the team conducting the due diligence should be notified automatically via email upon its completion.
At this stage, a third party should be subjected to background checks. Third parties should be vetted against an internet database or against other available sources. Background check findings are crucial for evidential purposes. An internal or third-party management solution can help you update your system of record automatically, saving time.
STEP 4: Conduct External Due Diligence
- Risk Score Calculation: A risk score must be calculated based on the Originator’s responses as well as the results of the background screening. The risk score of a third party (Low, Medium, High) determines the minimum required scope of due diligence that must be conducted through a set of questions in the due diligence questionnaire.
- External due diligence questionnaire: Assign and send an external questionnaire to the third party. In the questionnaire, the third party will be asked to confirm or provide more information about its business activities. It should include information that may have previously been kept on file as well as external information that was obtained from independent sources.
Sending external questionnaires and tracking their completion progress can get very complex, very quickly. It’s highly recommended to implement some sort of automation for questionnaire assignment and distribution that can be tied to your risk score calculations.
STEP 5: Submit the Due Diligence Questionnaire for Review
Once the third party has completed the due diligence questionnaire, adjust your risk score to account for their responses. Then, a compliance reviewer must make the determination of whether the third party will be approved or rejected after review is complete. (Note: the employee championing a partnership with a third party should not be the only reviewer or final decision-maker.)
Once the Originator has completed the due diligence questionnaire, the form should be submitted for compliance review – ideally through a platform or system that allows those in control to track its submission and status in the review process. The third party should automatically be added to the compliance office’s review queue and an email notification must be sent to the approver in the compliance office. Document all movement on the submission for future audits and reporting purposes. This can be done manually, or automatically if software has been implemented.
STEP 6: Approve or Reject
Make a determination and notify the Originator of whether the business will transact with a specific third party. To do this efficiently, you will need to follow specific processes. These include reviewing the assigned due diligence questionnaires, after which reviewers need to decide whether the third party is acceptable or whether there are any objections to due diligence. In the latter case, the approver can send the due diligence questionnaire back to the Originator, the third party or to previous approvers for clarification. Approval or rejection will be submitted through a centralized system or software platform. The system should then automatically notify the Originator of the results via email, which includes the determination, the reasoning for the decision and all supporting documentation – saving it for historical reference.
STEP 7: Finalize: Post-Approval Phase & Contract
After the final approval of the due diligence process, a business relationship with the third party can now be established. Additional information on the transaction or contractual details should be registered and stored alongside the rest of the partner’s due diligence information.
Based on their respective risk level, the third party should be automatically scheduled for recertification at predefined intervals. This can be accomplished through automated recertification reminders, which are essential to this portion of the process.