5 Steps to Effective Third-Party Due Diligence

Author: Leslie Benton, SVP, Deputy General Counsel, Ethisphere

Third-party due diligence is crucial for evaluating business partners and ensuring they operate ethically, meet compliance standards, and align with your organization’s values.
Many businesses use third parties as part of their global value chains. While third parties can be necessary and beneficial in many circumstances, they can also pose significant risks.

Third-party due diligence is the process used to get to know and evaluate business partners. It entails gathering enough information to determine whether a partner is the right fit for you, from their ability to provide products and services that meet business requirements to whether they will operate ethically and in compliance with applicable laws and any policies you require them to follow. Different types of business partners pose different levels of risk, so the diligence process must be risk-based. It should also be reasonable, transparent, sustainable, and consistently followed.

With supply chain due diligence regulation on the rise, through acts like the U.S. Uyghur Forced Labor Prevention Act (UFLPA), the German Supply Chain Due Diligence Act (LkSG) and the European Union’s Corporate Sustainability Due Diligence Directive (CSDDD), it is important to get the basics right before tackling these additional requirements. 

In this post, we detail the steps that should be taken when conducting third-party due diligence, including key considerations and risk factors. 

5 Steps of the Third-Party Due Diligence Process

Step 1: Assess the level of risk to determine the scope of review
Step 2: Perform an initial screening
Step 3: Conduct enhanced due diligence for higher-risk entities
Step 4: Verify responses and information
Step 5: Weigh data and risk to make and document the final decision

Step 1: Assess the Level of Risk to Determine the Scope of Review 

Assess the risk

The first step in the due diligence process should be an assessment of the risk posed by a third party. Many organizations sort third parties by type into low-, medium-, and high-risk buckets, and the bucket then determines the level of due diligence required. Common factors that push a third party into a higher-risk bucket include geography, government relationships, and spend. The higher the risk, the greater the scope and depth of diligence.

In addition to the information below, also listen to Ethisphere’s Erica Salmon Byrne, Chief Strategy Officer and Executive Chair, discussing how to assess third-party risk in this first Ethicast podcast episode in a three-part series on third parties. 

Determine the Scope of the Review

Third-party risk management is a team sport. Coordinate with legal and the business units responsible for third-party partner relationships to discuss your due diligence plan. 

It is important to understand the business purpose behind the relationship with the third party and confirm whether they are qualified (through knowledge, expertise, credentials, licenses, etc.) for that business purpose. You should also consider why and how the third party was chosen. 

Important factors for determining how much due diligence is needed may include:

  • interactions with government officials,
  • the nature and volume of the work the third party will provide,
  • where the third party is located,
  • whether the third party’s industry is considered high-risk,
  • whether the third party is subject to legal or regulatory proceedings or sanctions, and
  • red flags raised during the diligence process.

Step 2: Perform an Initial Screening  

There is no one-size-fits-all approach to due diligence. As noted above, lower-risk third parties require a less intensive look than higher-risk third parties.

Basic screening for all third parties should include:

  • An open-source background check 
  • Internet searches 
  • Adverse media searches 
  • A simple questionnaire 
  • Legal proceeding searches, covering government investigations of the company or its employees as well as civil or criminal proceedings
  • Restricted party, Politically Exposed Persons (PEP), and watch list screening

Some topics to cover in your questionnaire:

  • Corporate organization structure and registration verification
  • Beneficial ownership and significant shareholders
  • Connections to government officials and state-owned enterprises
  • Key clients and references
  • Audited financials (request copies)
  • Ethics and compliance track record, including program certifications, whether they have a Code of Conduct or specific policies, and information on any employee training
  • Whether the third party intends to use subcontractors to perform the services your company requires
  • Data security practices and controls, including how they protect any data or system access your company provides
  • Human rights and labor conditions
  • Environmental impacts

Step 3: Conduct Enhanced Due Diligence for Higher-Risk Entities

Third parties that fall into the high-risk category (whether by virtue of their characteristics or because a flag came up during the process) require greater due diligence.

Enhanced due diligence may include: 

  • Hiring an external consultant or local investigator 
  • On-site appraisal of the premises 
  • Physical records check and review of books 
  • Sample transaction testing 
  • Reviewing and verifying policies and procedures 
  • Interviewing employees and others 
  • Requesting banking institution references 
  • Obtaining information on business interests of owners 

Step 4: Verify Responses and Information 

If you are relying on the third party itself for certain information, you must verify what you receive rather than take it at face value. You can do this in a number of ways.

  • Ask the third party to provide supplemental information for any answers that may increase their risk level.
  • Coordinate with other departments (such as legal or the business unit responsible for the partnership) to confirm responses.
  • Dive deeper into the responses through open-source searches, court records, business references, and subject-matter experts if necessary. 

Step 5: Decide and Document the Process 

Once you have obtained all available information, make a reasonable, justifiable decision about whether to proceed. If you do, obtain all necessary approvals. 

Regardless of the decision, document it, referring to the steps of the due diligence process that were followed. Document decisions not to proceed, as well as any deviations from your normal diligence practices and why they were required. Ensure that these records are stored properly so they can be reviewed and monitored, or provided to regulators or counsel should an investigation or other legal proceeding become necessary.

Looking for help in mastering due diligence on ethics and compliance risks in your third parties? Connect with one of our experts to learn more about how Ethisphere’s specialized assessments can help uncover the capabilities, threats, and opportunities for improved third-party risk mitigation.