Getting started with third-party due diligence

Approximately 90% of Foreign Corrupt Practices Act (FCPA) enforcement actions involve a third-party intermediary, underscoring the significant role third parties play in bribery and corruption cases. Given that many companies engage with numerous third-party partners, the risk of encountering unethical practices is high, emphasizing the importance of thorough third-party due diligence.

Third-party due diligence enables organizations to vet and monitor third parties effectively throughout the business relationship, thereby mitigating compliance risks and reducing the potential for legal and financial repercussions.

As a result, third-party due diligence becomes not only a crucial element of an organization's compliance program but also a focal point for regulatory scrutiny. To help you strengthen your approach, this article will explore:

• What third-party due diligence is
• Why businesses need third-party due diligence
• An effective eight-step due diligence process
• Due diligence best practices to keep in mind

What is third-party due diligence?

Third-party due diligence involves thoroughly reviewing and continuously monitoring your third-party partners to identify and mitigate risks related to financial irregularities, data security vulnerabilities, operational disruptions, reputational damage, potential conflicts of interest, and other legal, ethical, and compliance issues.

This need often arises when onboarding a new vendor or during preparations for a merger or acquisition. By implementing a robust due diligence process, organizations can proactively address potential issues, ensuring that their business partners uphold the same standards of integrity and compliance.

Though risk-based due diligence is necessary at the beginning of a business relationship, third-party due diligence should be ongoing, meaning businesses should have a system in place to identify and mitigate potential third-party risks over the length of the relationship. This may involve continuous monitoring or a due diligence renewal process.

An effective third-party due diligence strategy may include:

• Checking third-party vendor names against global databases and watch lists.
• Reviewing mentions of your third-party partner in press releases, media, web searches and more for possible signs of corruption, reputational concerns, or other ethical conflicts
• Verifying whether the third party or its key principals and owners appears in country-specific watchlist databases or government records.
• Crosscheck self-reported information from your due diligence questionnaire against information from your own investigation, or leverage a solution that offers independent verification and integrity checks.
• In addition to asking vendors to complete a detailed third-party due diligence checklist disclosing relevant information about the company, the scope of the relationship, the third party’s ownership, enhanced due diligence involves conducting a thorough investigation that may include on-the-ground research to gather local intelligence, performing discreet site visits, conducting reputational inquiries and pulling offline records related to ownership or legal filings.

Why do we need third-party due diligence?

Businesses need third-party due diligence because it helps them identify and mitigate risks related to bribery, corruption, human rights, and other ethical or integrity issues. This is critical, given that Gartner estimates 60% of businesses work with over 1,000 third parties — a number that is anticipated to grow.

Effective third-party due diligence enables organizations to make strategic decisions about who to do business with, balancing potential opportunities against associated risks. By thoroughly vetting third parties, businesses can protect themselves from compliance violations, unethical business practices, and reputational risk, ensuring they maintain a robust compliance posture. Rather than restricting third-party relationships, the solution lies in implementing a comprehensive due diligence process that reduces risk and supports strategic business enablement.

8-step third-party due diligence process

Due diligence isn’t a set-it-and-forget-it approach. It’s an iterative process of implementing safeguards, monitoring those safeguards, then improving them as the industry and third-party landscape evolve.

Here are some steps you can take to embed due diligence in all of your third-party relationships.

1. Map the compliance landscape: Your risk exposure will significantly depend on the regulations you and your third parties must follow. Identifying compliance concerns will help you determine what red flags you need to look for once you vet your third parties.
2. Define your objectives: Your due diligence process should align with any financial and strategic goals your company has and the third-party risks that might prevent your company from achieving them.
3. Gather documentation: It is essential to make sure your third parties are who they say they are. If they’re a corporation, ask for documents like articles of incorporation and key shareholder information. If they are an individual, request proof of their identification and disclosures about any possible conflicts of interest.
4. Vet third parties: Check whether or not your third-party partner appears on any watch lists or sanction lists or appears in any negative media coverage.
5. Analyze your risk: Assess whether anything you’ve uncovered during vetting poses a risk to your business. This may vary between businesses and industries and should reflect the compliance issues and objectives you identified earlier.
6. Document your process: Keep extensive records of any information or documentation you gather. This will help prove your regulatory compliance and validate your decisions about all third-party relationships.
7. Monitor third parties: A third party might be in the clear at the beginning of your relationship but develop some red flags over time. Monitor them and your relationship with them to ensure you catch any risks before they threaten your reputation or bottom line.
8. Review your process: Businesses evolve, and the third-party due diligence process you implement one year may be less effective the next. Review your process to ensure your due diligence meets your business’s needs.

Third-party due diligence best practices

Even with an effective process, third-party due diligence practices can fall short. Massive amounts of data, complicated onboarding, limited resources and even human error can all inhibit effective third-party due diligence. Strengthen your process with these best practices:

1. Centralize third-party data: The more third parties you work with, the more data you’ll need to manage. Without a centralized database, it’s all too easy to overlook critical third-party risk information. Implementing a system for managing third-party information makes that data more accessible, useful, and defensible. Centralizing your third-party data will streamline the process of identifying all of your third parties and their jurisdictions prior to moving to the next step.
2. Conduct a thorough due diligence investigation: This process ensures that your third-party is in compliance with regional regulations and is conducting themselves in alignment within your organization’s guidelines.
3. Verify self-reported information: If you've implemented a due diligence questionnaire, it's a good idea to crosscheck the data from your investigation with the information reported by the third party. Discrepancies could raise red flags that are worth further consideration.
4. Create risk tiers: Some vendors may introduce more risk than others, which means that some vendors may need extra attention during the due diligence process. Establishing tiers creates efficiencies because you can tailor your approach to the specific third party and the relationship you’ll have with them.
5. Assess their employees: Anyone the third-party employs can pose a risk of a breach — whether that’s accidental or intentional. Ensure your due diligence process extends to the third party’s employees to ensure they will all act in the best interest of your company.
6. Implement controls: Controls safeguard your system. Ensure that you have a specific process for how third parties access your systems and that any third party you work with will follow them.
7. Automate your approach: Third-party due diligence should be always-on. If it’s not, risks may arise before you can mitigate them. Automation makes due diligence easier by delivering more third-party information without adding to risk and compliance teams’ workloads.

Build a due diligence program that allows you to manage and continuously monitor risks

Effective third-party due diligence lays the groundwork for the rest of your risk management program. Anti-bribery and anti-corruption programs — among others — depend on comprehensive and accurate information on all of your third parties.

Due Diligence from Diligent provides access to database searches for cross-referencing against recognized watch lists, tools for tracking media-related risks, desktop research functions in various local languages to pinpoint both direct and indirect warning signs, and on-site investigative resources to collect local insights. Learn how Diligent conducts best-in-class due diligence investigations for more insightful, reliable intelligence. Schedule a demo today.