Due diligence is necessary for companies to ensure compliance with international anti-corruption legislation. Implementing tools and procedures can help simplify the process of doing business. This page provides model due diligence tools that can be used for different types of third parties and in the public procurement process. These tools and procedures work together with the country profiles, local information networks, and your company’s anti-corruption strategy to help mitigate corruption risks.
|Step 1: Capture Key Data and Authorize It|
|Step 2: Identify the Types of Third Parties|
|Step 3: Internally Assess Third-Party Risk|
|Step 4: Conduct External Due Diligence|
|Step 5: Submit the Due Diligence Questionnaire for Review|
|Step 6: Approve or Reject|
|Step 7: Finalize: Post-Approval Phase & Contract|
Collect key organizational information on the entity and the department that initiates due diligence into a centralized third party management system. If your data is flawed, your due diligence data will be fraught with duplicates and holes, thus nullifying – or at least severely impairing – the results of the entire process. If you capture your key data correctly, you’ll not only fill in your compliance data holes; you’ll be able to identify and mitigate risks before they become a problem. To this end, creating automatic alerts is a key time-saving and organizational feature of successful data aggregation – use your own tools or a third party!
Identify the type of third party you are engaging. Third parties present a higher risk because they are subject to a lower degree of control compared to employees. Yet companies are held liable for corruption committed by third parties.
After all of your data has been authorized, the initial risk of the relationship between the company and a third party should be evaluated by asking the entity or department initiating the business a number of relationship questions via a questionnaire. A set of “red flag” questions ensures the risk questionnaire can be used to create guidelines for the depth of the investigation that will be conducted on a third party and to determine the initial risk level of a specific third party to an organization.
You can automate sending risk questionnaires to the entity or department(s) initiating the business relationship (“Originator”); these questionnaires contain sets of “red flag” questions that will trigger requests for additional information. Questionnaires with the Originator’s responses should be recorded in a centralized system, and the team conducting the due diligence should be notified automatically via email upon their completion.
At this stage, a third party should be subjected to background checks. Third parties should be vetted against an internet database or against other available sources. Background check findings are crucial for evidential purposes. An internal or third-party management solution can help you update your system of record automatically, saving time.
Once the third party has completed the due diligence questionnaire, adjust your risk score to account for their responses. Then, a compliance reviewer must determine whether the third party will be approved or rejected after the review is complete. (Note: the employee championing a partnership with a third party should not be the only reviewer or final decision-maker.)
Once the Originator has completed the due diligence questionnaire, the form should be submitted for compliance review – ideally through a platform or system that allows those in control to track its submission and status in the review process. The third party should automatically be added to the compliance office's review queue, and an email notification must be sent to the approver in the compliance office. Document all movement on the submission for future audits and reporting purposes. This can be done manually, or automatically if software has been implemented.
Make a determination and notify the Originator of whether the business will transact with a specific third party. To do this efficiently, you will need to follow specific processes. These include reviewing the assigned due diligence questionnaires, after which reviewers need to decide whether the third party is acceptable or whether there are any objections to due diligence. In the latter case, the approver can send the due diligence questionnaire back to the Originator, the third party or to previous approvers for clarification. Approval or rejection will be submitted through a centralized system or software platform. The system should then automatically notify the Originator of the results via email, which includes the determination, the reasoning for the decision and all supporting documentation, saving it for historical reference.
After the final approval of the due diligence process, a business relationship with the third party can be established. Additional information on the transaction or contractual details should be registered and stored alongside the rest of the partner’s due diligence information.
Based on their respective risk level, the third party should be automatically scheduled for recertification at predefined intervals. This can be accomplished through automated recertification reminders, which are essential to this portion of the process.