Beyond Due Diligence: Monitoring Performance of Third Parties

Author: Leslie Benton, J.D.

The first line of defense is the business relationship owner, equipped to foster relationships and protect the organization through continuous monitoring of third-party performance.

– Leslie Benton, J.D., SVP & Deputy General Counsel

Due diligence and onboarding of third parties, while extremely important and often complex efforts, are only the first steps in a successful relationship with your organization’s third parties. As the business relationship develops over time, the value, fit for purpose, and quality of the third party are revealed. What you do to monitor and evaluate the performance of your third parties throughout that relationship is vital to protecting your organization from legal, ethical, and business risks. 

A quick review of liability for third-party actions in the latest Department of Justice FCPA guidance, together with the fact that more than 80% of FCPA matters since 2019 involved third-party intermediaries, serves as a stark reminder of how real the risk can be. And every week there seems to be a new data breach notice, often stemming from a weak point at a third-party entity. 

There are several opportunities to evaluate the performance of third parties and mitigate risks to your organization within the normal course of the business relationship. In this post, we discuss how organizations might approach keeping in closer connection with how their third parties are performing against business and compliance expectations. 

Risk Drives Scope and Frequency of Reviews 

The measures you take to evaluate the performance of third parties after screening, due diligence, and onboarding should be based on the level of risk inherent in the engagement and the residual risk that remains after controls are established. Considerations include: 

  • How critical is this third party to your organization to continue to operate? 
  • Is there higher risk in retaining this third party just because of where they happen to be operating or the type of work they perform?  
  • Is this third party a sole source for this service or product? 

Annual (or less frequent) due diligence refreshes, transaction sampling, or monitoring watchlists for reputational issues or politically exposed persons may be sufficient for third parties of low risk and low criticality. But an agent or distributor based in a corruption-prone geography, or a critical supplier for which there are few, if any, alternatives, should be watched for signs of concern during the regular course of the business relationship. For those higher-risk third parties, quarterly check-ins or, even better, making more frequent performance observations part of the normal course of the business relationship is preferred. 

Compliance can’t be everywhere, and audits can be resource intensive (not to mention the difficulty in securing the contractual right to audit) and are not necessarily the answer here. A well-trained business relationship owner is in a far better position to observe changes in the behavior and performance of a third party that might warrant additional attention or remediation.  

Integrate performance evaluations into your business activities. 

The first line of defense is the business – the relationship owner. They drive the relationship and should be equipped with the tools and training to succeed in fostering that relationship and protecting the business. Train your business relationship owners on performance standards to identify any red flags that require further inquiry. Embed the practice of asking, looking, and listening for signs of compliance or non-compliance with expectations into the ongoing activities and interactions that naturally occur over the course of the relationship. 

Get your business owners ready to monitor performance. 

  • Encourage them to take advantage of site visits and observations during the normal course of business.  
  • Provide a list of red flags to watch for.
    • Red Flags – Payments and Documents
      • Unusual or untimely payment requests
        • Requesting payments in cash 
        • Altered dates on invoices or changes to the invoices themselves – requested remittance to a different bank account or address, invoice issued from a different location or department, etc. 
        • Unusual requests for travel, accommodation, or meals 
        • Refuses to provide invoices or other documentation 
    • Red Flags – People
      • The primary contact mentions family members with business ties to the third party or to government officials 
      • New / unfamiliar people attending meetings – Who are they? Why are they present? 
      • Are contacts uncharacteristically dodging your questions or refusing to meet with you or giving you answers to questions that are inconsistent with prior conversations and behavior? 
  • Show them how to escalate concerns.  
  • Prepare them to ask, look, and listen for signs of the third party’s compliance with their obligations.
    • Understand how the third party manages their third parties
      • Is the third party meeting those operational processes outlined in their answers to due diligence questionnaires? 
      • Has it become clear that the third party does not have the ability to live up to its contractual obligations and performance standards? 
      • Get to know their compliance program – Do they have a hotline? Are they doing training? Are they running risk assessments? Are codes and policies accessible by their employees? 

Share the results of what you find with other internal stakeholders and your third parties. Implementing these types of periodic reviews from a place of partnership with the third party is much more effective than taking the position of policing your third parties. Focus on remediation and recognition for good performance and progress made. 

Strong Ethics is Good Business – Apply for the 2025 World’s Most Ethical Companies. Applications open July 31 – October 31, 2024.

Best Business Practice 101 – Standard Operating Procedures and Documentation 

In the latest Department of Justice (DOJ) guidance for Evaluation of Corporate Compliance Programs, some of the questions prosecutors will ask about third party risk management include: 

  • How does the company monitor its third parties? 
  • How does the company train its third-party relationship managers about compliance risks and how to manage them? 
  • Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process? 

The DOJ and other regulators expect a reasonable, risk-based effort in managing third party risks – not a completely exhaustive effort. Have standard operating procedures (SOPs) for how to document the ongoing performance of third parties and make this part of business line training. 

Make it convenient to document observations about the health of the relationship. Make consistent records of evidence and observations of a third party’s compliance or non-compliance with terms, conditions, and performance.  

Why is Documentation Important? 

Even if the government doesn’t come knocking on your door asking to see evidence of what you knew, when you knew it, and what you did about it, there are other uses for this record keeping. Having consistent and accurate documentation of your third-party evaluation efforts serves many purposes, including:  

  • providing rationale for continuing the relationship,  
  • creating baselines for remediation or performance improvements,   
  • transferring relationship knowledge to those beyond the business relationship manager, 
  • gaining insights from performance trends across geographies or types of suppliers, and 
  • providing justification for refining the due diligence or risk assessment process. 

And if the day comes when you need to terminate the relationship for failure to perform, you will have the documentation you need to support your decision and to ensure that the third party does not reenter your ecosystem down the road. 

What to document 

  • Document why you got into the relationship with the third party and why you continue to stay in the relationship.  
  • Document if you have confidence or reliance in what the third party is telling you – and, the reasons why or why not. 
  • If there are deviations from SOPs or allowances for non-conforming third-party behavior or performance, clearly note the reasons for any deviation. 

The best approach is the one tailored to your organization 

The size of your organization, your compliance team, and your third-party universe are all secondary considerations behind risk scoring of your third parties when determining whether you are sufficiently overseeing their performance. Your organization might be a large multinational or a smaller company with a domestic or regional footprint. You might have hundreds of third parties or tens of thousands. Take advantage of the unique opportunities in and needs of your organization to develop a method of monitoring third-party performance that: 

  • Matches the level of risk assigned to your third parties 
  • Creates a standardized and convenient process used consistently by the business 
  • Furthers the relationship between you and your third parties and encourages the adoption of ethics and compliance best practices 
  • Provides documentation of your rationale for continued engagement with or termination of third parties 

Connect with one of our experts to learn more about how Ethisphere’s specialized assessments can assist in uncovering the capabilities, threats, and opportunities for improved third-party risk mitigation.

The Only Ethics and Compliance Community You Need

In 2019 we introduced the Business Ethics Leadership Alliance (BELA) Impact Awards. While the recognition is focused on BELA individuals or organizations, the awards were conceptualized by the exceptional level of support given across the ethics and compliance community.

That support was represented by sharing work product, frequent discussions among those focused on their next program advancement, and hosting other officers for roundtable discussions as they sought breakthroughs not just for their own organization but, selflessly, for anyone else in the community.

As one of the recipients of this year’s BELA Impact Awards, Lamond Kearse, Chief Ethics, Risk & Compliance Officer at Metropolitan Transportation Authority, may have captured it best:

The willingness of the BELA community to share not only their successes, but also their failures, has been invaluable as we have traversed together new regulations, demands and expectations for our E&C programs.

– Lamond Kearse, Chief Ethics, Risk & Compliance Officer at Metropolitan Transportation Authority

In photo: Kevin McCormack, Lamond Kearse, and Erica Salmon Byrne.

What is an Ethics and Compliance Community?

“Community” is a ubiquitous term, used often in both professional and social spaces. It is easily inserted into any description for member-based organizations, broad business categories, and even social media groups.  But for a community that concentrates on making companies better and coalescing on integrity and values, it has an elevated position among professionals.

There is a treasure trove of people and information available if you:

  • Find a trusted set of peers that can help you, and your team, on the journey. We know compliance leaders are as eager to connect with you as you are with them.
  • Seek diversity in experience, background, and industry. The remit for ethics and compliance is only growing and a global perspective across a range of disciplines is essential.
  • Make this a true exchange of knowledge. Everyone in ethics and compliance has valuable insights to offer and benchmark against.

Evolving Roles in Ethics and Compliance Teams

The difference-makers in the ethics and compliance community, while traditionally anchored at the Chief Ethics and Compliance Officer level, are now also found in more specialized roles.

According to our 2024 World’s Most Ethical Companies® dataset, the vast majority of companies have more than a dozen different backgrounds within the ethics and compliance function.

Data analysts are becoming more prolific to help the company better measure risk, benchmark against specific criteria and peers to identify strengths and opportunities, and work as partners across the business to identify untapped data lakes. Those ethics and compliance team members with communication backgrounds are also considered to be an essential part to connect the goals of ethics and compliance across the enterprise and reinforce a culture steeped in doing things the right way.

Exclusive Ethics and Compliance Roundtables

Holding positions of growing influence and serving as a source of new ideas, these specialists have an increasingly active role to play in the ethics and compliance community. 

Hosting nearly fifty roundtables per year in partnership with BELA companies, the commitments that companies make to participate and support one another – whether through leading discussions, participating in short polls, or simply asking questions – are indicative of a community that is vibrant and thriving.

They may not solve all of their problems in a week, a month, or even a year, but they trust in a community that has consistently served as that lighthouse to guide them on the journey. Just as best practices, benchmarking, and solutions are essential to progressing ethics and compliance, so is community.


Trusted Resources and Tools

The years of experience may determine how much guidance you are seeking, but a community can boost that experience for any level, no matter how new to the role or function.

In response to the community, among our top resources published this year is A Guide for the New Ethics & Compliance Leader: Insights into Assessing, Building and Improving Programs, Teams, and Culture. It covers the key questions an ethics and compliance officer should ask around: program and resources, perceptions of ethical culture, written standards, training and communications, monitoring and detection, discipline and incentives, and relationships with key partners. 

This guide was curated by combining our data and insights from the ethics and compliance community over the past twenty years. We also aligned key questions with the DOJ’s Evaluation of Corporate Compliance Programs (ECCP). It gives leaders, or anyone on the team for that matter, a baseline. That baseline set of questions and challenges serves as a launch pad for deeper-dive conversations with your community to learn how others are addressing similar issues and advancing both in program and in career.

More than just a Community

While ethics and compliance leads are often looking to earn that seat at the table within the company, with the right community that table is continuously set, the menu is substantial, and there is always an open seat.

Joining an ethics and compliance community can be as intimate and resourceful as being able to hop on a virtual call at a difficult moment for peer advice and note comparison. It can be a set agenda with a small group eager to commit to a working group, a series of themed conversations, or a closed-door roundtable. It can be bold enough to be featured on a podcast in service to the community to share a … It can be energized through events like the Global Ethics Summit, where the community is at its loudest, where numerous relationships are forged, and where collective action is super-charged.

Ethics and compliance can be a lonely job for some. And even if you don’t feel lonely, you still might feel alone in the work. At the end of the day, the point is not to be isolated from the amazing work that is happening outside of your immediate sphere of influence.

Being in the ethics and compliance space already demonstrates your wisdom in knowing that the best companies can succeed through a commitment to higher standards, discipline, purpose, and values. There is also wisdom in recognizing you cannot solve for it all. That is where the right community will shine for you. We’ll be happy to help you find it.

5 Proven Ethics and Compliance Best Practices from Industry Leaders

In today’s rapidly evolving business environment, maintaining a strong ethical foundation is more important than ever. The ethics and compliance community continually seeks new ways to uphold integrity, ensure compliance, and foster a culture of trust within organizations. At the forefront of this movement is the Business Ethics Leadership Alliance (BELA), a global community where leading companies come together to share best practices, strategies, and tools that effectively advance ethics and compliance programs. In this blog post, we highlight five actionable ethics and compliance best practices from BELA members that can help you enhance your organization’s ethical standards and compliance strategies.


1. Transforming Speak-Up Culture with Active Listening at Allianz Life

At Allianz Life, fostering a culture where employees feel safe and encouraged to speak up about ethical concerns is a top priority. Steve Koslow, Vice President & Chief Ethics and Compliance Officer at Allianz Life, recognized that while many employees believe in the importance of raising concerns, only about half actually do so. To address this, Allianz Life shifted the focus from simply urging employees to “speak up” to creating a culture centered around “being heard.” This approach empowers employees by ensuring that their voices are not just encouraged but truly valued and listened to by management.

By implementing this “Hear Me” culture, Allianz Life has redefined the power dynamic within the organization. Employees are now more confident in sharing their concerns, knowing that management is committed to listening and taking action. This approach not only strengthens the overall ethics program but also builds a more transparent and trust-filled workplace.

To hear Steve Koslow discuss this transformation in detail, watch the full interview: How Active Listening Creates a Better Speak-Up Culture


2. Bringing Ethics to Life with Mascots at Prudential Assurance Singapore

Ethics and integrity are often discussed in philosophical terms, but at Prudential Assurance Singapore, these concepts have been brought to life in a tangible and engaging way. Ei Ching, Lead, Ethics at Prudential Singapore, wanted to make ethics an integral and visible part of the company’s culture. The solution? A company-wide design competition that led to the creation of three ethics mascots: Ethel the elephant, Trustee the dolphin, and Shortcut the crab.

These mascots serve as daily reminders of the importance of ethical behavior in the workplace. Ethel represents integrity and the courage to do what is right, even when no one is watching. Trustee symbolizes the importance of trust and teamwork, thriving in environments where ethical behavior is a shared goal. Shortcut, while playful, represents the temptation to take unethical shortcuts, but also the importance of learning from mistakes. Together, these mascots promote an ethical culture within Prudential Singapore, making the company’s values more relatable and engaging for employees.

For a closer look at how Prudential Singapore brought these mascots to life, watch the full episode: A Closer Look at Prudential Assurance Singapore’s Ethics Advisers Program


3. Enhancing Investigations with Continuous Training at Ingredion

Effective investigations are critical to maintaining an ethical workplace, and Ingredion has implemented a comprehensive approach to ensure their investigations are both empowering and effective. Kimberly White, VP and General Counsel-Compliance at Ingredion, highlights the importance of selecting the right investigators, providing them with continuous training, and ensuring that objectivity and confidentiality are maintained throughout the process.

Ingredion’s approach goes beyond just having a policy against retaliation; they actively monitor their environment to ensure that employees feel safe when reporting concerns. The company conducts regular training sessions for their investigators, focusing on skills such as interviewing, report writing, and document review. These sessions are not just a one-time event but are part of a continuous learning process, ensuring that investigators are always equipped to handle new challenges.

By demystifying the investigation process and providing clear communication about what employees can expect when they report an issue, Ingredion has created an environment where employees feel supported and confident in the integrity of the investigation process.

To learn more about Ingredion’s approach to investigations, dive into the full discussion: How to Conduct Investigations that Empower and Engage


4. Leveraging Storytelling as an Ethics Superpower at Eaton

At Eaton, storytelling has become a powerful tool for reinforcing ethical behavior across the organization. Joe Rodgers, SVP, Global Ethics and Compliance, leads Eaton’s “Integrity in Action” program, which encourages leaders to share their personal experiences with ethics and integrity. By asking leaders questions about who influenced them as ethical leaders, how they handle ethical gray areas, and what tone at the top means to them, Eaton creates a platform where ethical behavior is openly discussed and celebrated.

These stories are then shared across the organization, including on Eaton’s onboarding site, ensuring that new employees are introduced to the company’s ethical values from day one. By making ethics a central part of the conversation, Eaton helps employees understand the importance of integrity and empowers them to act ethically in their own roles.

Explore how Eaton uses storytelling to promote ethics by watching the full episode: Storytelling Is Your Ethics Superpower


5. Integrating Compliance and ESG at KKR and Feedzai

In the fast-paced world of technology, staying ahead in compliance and ESG (Environmental, Social, and Governance) initiatives is crucial for long-term success. Mark Howard from KKR and Ligia Gutierrez Setubal from Feedzai emphasize the importance of embedding compliance and ESG into the company’s overall strategy. By making these elements a core part of decision-making processes, KKR and Feedzai ensure that they remain aligned with regulatory requirements and maintain a strong ethical foundation.

These companies monitor compliance through various mechanisms, engage with stakeholders, and provide regular training to ensure everyone is on the same page. By integrating compliance and ESG into the company’s DNA, KKR and Feedzai not only reduce risks but also build a sustainable business model that supports long-term growth and success.

For more insights on how KKR and Feedzai are leading the way in compliance and ESG, watch the full discussion: ESG & Compliance Are Part of the Portfolio

Join the BELA Community and Elevate Your Ethics and Compliance Program

The Business Ethics Leadership Alliance (BELA) offers an exclusive network where leading and emerging compliance programs share best practices, tools, and strategies to advance their compliance efforts. By joining BELA, you can connect with other professionals in the ethics and compliance community and gain access to a wealth of resources that will help you enhance your organization’s ethical standards.

Request guest access to the BELA member resource hub today.

For more valuable resources on speak-up culture, investigations, training, and more, be sure to visit the Ethisphere Resource Center at Ethisphere.com/resources.

The Currency of Ethics and Compliance is Trust

Author: Erica Salmon Byrne, J.D.

The currency of ethics and compliance is trust—a fundamental element in building competitive advantage and ensuring corporate integrity.

– Erica Salmon Byrne, J.D.

Reflections on Ethisphere’s 15th Annual Global Ethics Summit, the leading ethics & compliance conference.

This past April, I had the pleasure of kicking off our 15th Global Ethics Summit with my colleague Kevin McCormack. Here at Ethisphere, we think of the ‘year’ as being GES-to-GES, since that is our best opportunity to gather with the thousands of dedicated professionals that make up our ethics & compliance community and live up to the motto of the Business Ethics Leadership Alliance – there is no competition in compliance.

I say it every year, and every year it is somehow true: the team puts together an agenda that is even better than the year before, and this year was no exception. Every panel topic was curated to what we had been hearing since the last GES, and every speaker was fantastic, from the opening session on the Voice of the Chief Compliance Officer through to the closing session on the Public and Private Partnership to Combat Global Corruption.

I lost track of the number of attendees (online and in person) who commented on how open people were and how willing they were to say what worked – and what didn’t. Since our mark of a successful gathering of BELA is that everyone leaves with at least one new friend and some new ideas, here are a handful of my key takeaways from a truly remarkable couple of days:

Reinforce the importance of why, don’t just jump straight to what. 

This theme came through in multiple sessions. The kinds of topics we deal with can often be complicated, sometimes verging on esoteric. Always go back to why an issue matters and make sure those who you are asking to address that issue understand the why. Some problems are going to be easier to fix than others, but if you can figure out why something is happening, and why your fix for it will help, it becomes easier to implement the “what”.

Culture is the worst behavior an organization will tolerate. 

We held multiple sessions talking about culture, from main stage plenary discussions on the data in our culture set and the importance of transparency to breakout sessions on empowering managers, but this culture definition came from my day one conversation with Matt Galvin, Counsel, Compliance & Data Analytics at the U.S. Department of Justice. If you start from that definition of culture, and you assume there is no world in which you don’t have problems, then you aim for a world where you identify problems before they metastasize into something bigger. Measuring your culture – identifying the worst behavior your organization will tolerate – gives you a chance to focus your limited resources where they can have the greatest effect.

Matt Galvin, Counsel, Compliance & Data Analytics at U.S. Department of Justice

If you’re using cutting-edge analytics in your sales process, you best believe the DOJ will wonder why your compliance program doesn’t get those too. 

Another insight from my conversation with Matt was this nugget. If the company is developing amazing AI-enabled sales, and compliance is using baseline spreadsheets, that delta will be noted and will need to be explained. The most mature programs are using data-enabled insights to direct activity and prioritize efforts and are not treating data analytics as an afterthought (or the last element in a presentation to the Department). They use design thinking in the process, so they are not bolting analytics on at the end but instead using data to gain trust across a wide variety of stakeholders.

AI is a tool, and a risk, and it’s here. 

Multiple sessions touched on AI, reflecting the ongoing conversations happening across the community on this emerging technology. Speakers encouraged the audience to think about the opportunities it will provide for efficiency as well as the risk it presents (from IP risk to fraud risk and more). And on the risk front, we were also reminded to keep in mind the work of the late Daniel Kahneman, who showed us that we are as susceptible to error as the machines, so stay humble and curious.

The currency of ethics and compliance is trust. 

As Melissa Stapleton Barnes noted in the panel The View from the Boardroom, there is no more relevant control function than E&C to ensure that a company is operating in a way that will build trust and competitive advantage in the marketplace. We saw this point reinforced by Todd Haugh and Suneal Bedi, who presented their findings on the ROI of a compliance program using innovative willingness-to-pay study techniques to gauge a consumer’s interest in paying more for a product developed by a company with a strong compliance program.

Melissa Stapleton Barnes, Independent director on the board of Algonquin Power & Utilities Corporation

Whew. It was a great couple of days, and the beautiful thing about the age we live in now is that the content lives on in the BELA Member Hub, so if you missed anything you can revisit it at any time, or request Guest Access. I can’t say yet what will be on next year’s agenda, but I know that the energy, the connections, and the learnings from this GES will be things that will carry us through the rest of this year until we can gather together again.

Save the Date for the 2025 Global Ethics Summit held in Atlanta, GA and online April 6-8. 

5 Steps to Effective Third-Party Due Diligence

Author: Leslie Benton, SVP, Deputy General Counsel, Ethisphere

Third-party due diligence is crucial for evaluating business partners and ensuring they operate ethically, meet compliance standards, and align with your organization’s values.

– Leslie Benton, SVP, Deputy General Counsel, Ethisphere

Many businesses use third parties as part of their global value chains. While third parties can be necessary and beneficial in many circumstances, they can also pose significant risks.

Third-party due diligence is the process used to get to know and evaluate business partners. It entails gathering enough information to be able to determine whether a partner is the right fit for you – from their ability to provide products and services that meet business requirements to whether they will operate ethically and in compliance with applicable laws and any policies you require them to follow. Different types of business partners pose different levels of risk, so naturally the diligence process must be risk-based. It also should be reasonable, transparent, sustainable, and consistently followed. 

With supply chain due diligence regulation on the rise, through acts like the U.S. Uyghur Forced Labor Prevention Act (UFLPA), the German Supply Chain Due Diligence Act (LkSG) and the European Union’s Corporate Sustainability Due Diligence Directive (CSDDD), it is important to get the basics right before tackling these additional requirements. 

In this post, we detail the steps that should be taken when conducting third-party due diligence, including key considerations and risk factors. 

5 Steps of the Third-Party Due Diligence Process

  • Step 1: Assess the level of risk to determine the scope of review 
  • Step 2: Perform an initial screening
  • Step 3: Conduct enhanced due diligence for higher-risk entities
  • Step 4: Verify responses and information
  • Step 5: Weigh data and risk to make and document the final decision

Step 1: Assess the Level of Risk to Determine the Scope of Review 

Assess the risk

The first step in the due diligence process should be an assessment of the risk posed by a third party. Many organizations sort third parties by type into low-, medium-, and high-risk tiers; the tier then determines the level of due diligence required. Common factors that push a third party into a higher tier include geography, government relationships, and spend. The higher the risk, the greater the scope and depth of diligence.  

In addition to the information below, also listen to Ethisphere’s Erica Salmon Byrne, Chief Strategy Officer and Executive Chair, discussing how to assess third-party risk in this first Ethicast podcast episode in a three-part series on third parties. 

Determine the Scope of the Review

Third-party risk management is a team sport. Coordinate with legal and the business units responsible for third-party partner relationships to discuss your due diligence plan. 

It is important to understand the business purpose behind the relationship with the third party and confirm whether they are qualified (through knowledge, expertise, credentials, licenses, etc.) for that business purpose. You should also consider why and how the third party was chosen. 

Important factors for determining how much due diligence is needed may include:  

  • interactions with government officials,  
  • the nature and volume of the work the third party will provide,  
  • where the third party is located,  
  • whether the third party’s industry is considered high-risk,  
  • whether the third party is subject to legal or regulatory proceedings or sanctions, and  
  • red flags raised in the diligence process.

Step 2: Perform an Initial Screening  

There is no one-size-fits-all approach to due diligence. As noted above, lower risk third parties will require a less intensive review than higher risk third parties. 

Basic screening for all third parties should include:

  • An open-source background check 
  • Internet searches 
  • Adverse media searches 
  • A simple questionnaire 
  • Legal proceeding searches, such as government investigations against the company or employees or civil or criminal legal proceedings 
  • Restricted party/Politically Exposed Persons/watch list screening 
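The last item on that list is where a surprising number of programs fail quietly: a screening that compares names byte-for-byte will miss the same entity written with different capitalization, punctuation, diacritics, word order, or corporate suffix ("S.A." versus "SA", "Ltd." versus "Limited"). The Python below is an added example written for this post, not code from the original article or from Ethisphere. The watch list, its aliases, and its list labels are constructed for illustration, and the suffix set is an illustrative subset; a real program screens against the published restricted-party, sanctions, and PEP lists and their recorded aliases.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list for illustration only: these names, aliases and list
# labels are invented. Real screening runs against the published restricted-
# party, sanctions and PEP lists, including each entry's recorded aliases.
WATCH_LIST = [
    {"name": "Örnek Ticaret Limited Şirketi",
     "aliases": ["Ornek Trading Ltd"], "list": "constructed-sanctions"},
    {"name": "Global Logistics Holdings S.A.",
     "aliases": [], "list": "constructed-sanctions"},
    {"name": "Juan Pérez García",
     "aliases": ["J. Perez Garcia"], "list": "constructed-pep"},
]

# Corporate-form words that carry no identity and should not drive a match.
# Illustrative subset; a production list is longer and locale-aware.
SUFFIXES = {"ltd", "limited", "inc", "incorporated", "llc", "sa", "gmbh",
            "co", "company", "corp", "corporation", "sirketi"}


def normalize(name):
    """Reduce a name to a comparable form: drop diacritics, punctuation,
    case and corporate suffixes, then sort the remaining tokens so word
    order does not matter ("Holdings Global" == "Global Holdings")."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    # Remove dots first so abbreviations like "S.A." survive as one token.
    tokens = re.findall(r"[a-z0-9]+", no_accents.replace(".", "").casefold())
    tokens = [t for t in tokens if t not in SUFFIXES]
    return " ".join(sorted(tokens))


def similarity(a, b):
    """Similarity of two names in [0, 1] after normalization; 1.0 is exact."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def exact_match(candidate, watch_list=WATCH_LIST):
    """Naive screening: only a byte-for-byte match of a name or alias counts.
    Shown for contrast; it misses case, punctuation and spelling variants."""
    return any(candidate in (e["name"], *e["aliases"]) for e in watch_list)


def screen(candidate, watch_list=WATCH_LIST, threshold=0.85):
    """Fuzzy screening: return (list, listed_name, score) for every entry whose
    name or alias scores at or above the threshold, best score first.
    Every hit still needs analyst review against secondary identifiers."""
    hits = []
    for entry in watch_list:
        variants = [entry["name"], *entry["aliases"]]
        best = max(similarity(candidate, v) for v in variants)
        if best >= threshold:
            hits.append((entry["list"], entry["name"], round(best, 3)))
    return sorted(hits, key=lambda hit: hit[2], reverse=True)


if __name__ == "__main__":
    for candidate in ["ORNEK TRADING LTD.", "Global Logistics Holding SA",
                      "Juan Perez Garcia", "Acme Widgets Inc"]:
        print(f"{candidate!r}: exact={exact_match(candidate)} fuzzy={screen(candidate)}")
```

Two caveats a practitioner will recognize. First, the threshold is a trade-off: set it too high and transliteration variants slip through, set it too low and analysts drown in false positives, so hits are leads to be confirmed against secondary identifiers (registration number, address, date of birth, beneficial owners), not findings. Second, an empty result is not clearance; it only means this list, on this day, produced no match, which is one reason the screening has to be re-run periodically and whenever ownership changes.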

Topics to cover in your questionnaire include:

  • Corporate organization structure and registration verification 
  • Beneficial ownership and significant shareholders 
  • Connections to government officials and state-owned enterprises 
  • Key clients and references 
  • A request for audited financials 
  • Ethics and compliance track record, including program elements such as a Code of Conduct or specific policies, and information on employee training 
  • Whether the third party intends to use subcontractors to perform the services your company requires 
  • Data security practices and controls 
  • Human rights and labor conditions 
  • Environmental impacts 

Step 3: Conduct Enhanced Due Diligence for Higher Risk Entities 

Third parties that fall into the high-risk category (whether by virtue of their characteristics or a flag that comes up in the process) will require greater due diligence.  

Enhanced due diligence may include: 

  • Hiring an external consultant or local investigator 
  • On-site appraisal of the premises 
  • Physical records check and review of books 
  • Sample transaction testing 
  • Reviewing and verifying policies and procedures 
  • Interviewing employees and others 
  • Requesting banking institution references 
  • Obtaining information on business interests of owners 

Step 4: Verify Responses and Information 

If you are relying on the third party for certain information, you must verify the information you receive. You can do this in a number of ways.

  • Ask the third party to provide supplemental information for any answers that may increase their risk level.
  • Coordinate with other departments (such as legal or the business unit responsible for the partnership) to confirm responses.
  • Dive deeper into the responses through open-source searches, court records, business references, and subject-matter experts if necessary. 

Step 5: Decide and Document the Process 

Once you have obtained all available information, make a reasonable, justifiable decision about whether to proceed. If you do, obtain all necessary approvals. 

Regardless of the decision, you should document it, referring to the steps of the due diligence process. Document decisions not to proceed, as well as any deviations from your normal diligence practices that were required. Ensure that these records are stored properly so they can be reviewed and monitored, or provided to regulators or counsel should an investigation or other legal proceeding become necessary. 

Looking for help in mastering due diligence on ethics and compliance risks in your third parties? Connect with one of our experts to learn more about how Ethisphere’s specialized assessments can assist in uncovering the capabilities, threats, and opportunities for improved third-party risk mitigation.