It is not enough to check your customer or business partner once; you need a system that monitors your business partner on an ongoing basis. This helps you stay updated on any adverse developments and avoid surprises in the long run.
Conducting the investigation of an acquisition target, joint venture partner or third-party service provider from thousands of miles away is often impractical and logistically challenging. Enlisting a suitably qualified risk advisory firm provides a company with access to the latest compliance-related intelligence as well as unbiased reporting and expertise in the overseas markets under examination. Engaging an advisory firm that specializes in third-party due diligence also provides regulators with direct evidence of a corporation’s commitment to compliance.
The professional services firm will likely be well versed in all aspects of the applicable laws and their enforcement and consequently possess the requisite skills and expertise to help companies conduct an efficient and effective third-party due diligence investigation.
Further, three guiding principles relate to third-party due diligence:
- As part of risk-based due diligence, companies should understand the qualifications and associations of their third-party partners, including their business reputation and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.
- Companies should understand the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed. Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country as well as the timing of the third party’s introduction to the business. Moreover, companies may want to confirm and document that the third party is actually performing the work for which it is being paid and that its compensation is commensurate with the work being provided.
- Companies should undertake some form of ongoing monitoring of third-party relationships. Where appropriate, this may include updating due diligence periodically, exercising audit rights, providing periodic training, and requesting annual compliance certifications by the third party.
Implementing a risk-based approach designed to vet third parties and satisfy regulatory expectations generally involves a five-step process:
STEP 1: CREATION OF A THIRD-PARTY RISK INVENTORY
This involves aggregating third-party data from the company’s IT systems. Having removed duplicates and errors, companies must determine the type and purpose of the relationship. Companies often underestimate the number of third parties that they engage. In order to capture an accurate third-party inventory, companies must analyze the contents of their ERP and CRM systems, accounts payable records, point-of-sale data, business reviews and any other source that may house third-party records. In addition to conducting an initial inventory, companies must develop an automated mechanism that runs continuously to capture newly added third-party relationships.
STEP 2: CONDUCT AN INITIAL RISK ASSESSMENT AND CREATE THIRD-PARTY RISK PROFILES
In this step, companies determine the general risks that each intermediary presents. Does the third party operate in a country known to be a high risk for corruption? How much business does it conduct with the company? What percentage of the intermediary’s revenue depends on your business? Does it interact with government officials? Based on the risk calculation, third parties will fall within a risk profile, or tier, that has a prescribed scope of due diligence. As an example, high-risk third parties qualify for Enhanced Due Diligence, the most stringent form of review, whereas a low-risk third party undergoes a Global Database Check, which is the least in-depth form of analysis.
STEP 3: RESOLVE RED FLAGS
Address red flags or deficiencies identified during the due diligence phase. In certain circumstances, a prudent course of action involves severing ties with a third party. Yet, it is often possible to remedy issues with the third party through training, contract revisions and other steps designed to mitigate risk. A robust and auditable investigation, which includes evidence of a company’s efforts to address red flags, helps companies demonstrate their commitment to compliance.
STEP 4: A COMMITMENT TO ONGOING MONITORING
The scope of a third-party relationship and the corresponding level of compliance risk it presents yield the need to monitor each entity over time. The inherent risk that each entity embodies often changes with time. Reviewing the entire population on a frequent basis helps ensure that the company maintains its understanding of the compliance risk that it accepts and manages within its operations.