Step 1: Assess the Level of Risk to Determine the Scope of Review
Assess the risk
The first step in the due diligence process should be an assessment of the risk posed by a third party. Many organizations sort third parties into low, medium, and high risk tiers, and the tier then determines the level of due diligence required. Common factors that place a third party in a higher tier include geography, relationships with government, and spend. The higher the risk, the greater the scope and depth of diligence.
In addition to the information below, also listen to Ethisphere’s Erica Salmon Byrne, Chief Strategy Officer and Executive Chair, discussing how to assess third-party risk in this first Ethicast podcast episode in a three-part series on third parties.
Determine the Scope of the Review
Third-party risk management is a team sport. Coordinate with legal and the business units responsible for third-party partner relationships to discuss your due diligence plan.
It is important to understand the business purpose behind the relationship with the third party and confirm whether they are qualified (through knowledge, expertise, credentials, licenses, etc.) for that business purpose. You should also consider why and how the third party was chosen.
Important factors for determining how much due diligence is needed may include:
- interactions with government officials,
- the nature and volume of the work the third party will provide,
- where the third party is located,
- whether the third party's industry is considered high-risk,
- whether the third party is subject to legal or regulatory proceedings or sanctions, and
- red flags raised in the diligence process.
Step 2: Perform an Initial Screening
There is no one-size-fits-all approach to due diligence. As noted above, lower-risk third parties require a less intensive review than higher-risk third parties.
Basic screening for all third parties should include:
- An open-source background check
- Internet searches
- Adverse media searches
- A simple questionnaire
- Legal proceeding searches, such as government investigations against the company or employees or civil or criminal legal proceedings
- Restricted party/Politically Exposed Persons/watch list screening
Some questions to consider in your questionnaires:
- Corporate organization structure and registration verification
- Beneficial ownership and significant shareholders
- Connections to government officials and state-owned enterprises
- Key clients and references
- Request for audited financials
- Ethics and compliance track record, including program certifications, whether they have a Code of Conduct or specific policies, and information on any employee training
- Whether the third party intends to use subcontractors to perform the services your company requires
- Data security practices and controls
- Human rights and labor conditions
- Environmental impacts
Step 3: Conduct Enhanced Due Diligence for Higher Risk Entities
Third parties that fall into the high-risk category (whether because of their characteristics or because a flag comes up during the process) will require greater due diligence.
Enhanced due diligence may include:
- Hiring an external consultant or local investigator
- On-site appraisal of the premises
- Physical records check and review of books
- Sample transaction testing
- Reviewing and verifying policies and procedures
- Interviewing employees and others
- Requesting banking institution references
- Obtaining information on business interests of owners
Step 4: Verify Responses and Information
If you are relying on the third party for certain information, you must verify the information you receive. You can do this in a number of ways.
- Ask the third party to provide supplemental information for any answers that may increase their risk level.
- Coordinate with other departments (such as legal or the business unit responsible for the partnership) to confirm responses.
- Dive deeper into the responses through open-source searches, court records, business references, and subject-matter experts if necessary.
Step 5: Decide and Document the Process
Once you have obtained all available information, make a reasonable, justifiable decision about whether to proceed. If you do, obtain all necessary approvals.
Regardless of the decision, you should document it, referring to the steps of the due diligence process. Document decisions not to proceed, as well as any deviations from your normal diligence practices that were required. Ensure that these records are stored properly so they can be reviewed and monitored, or provided to regulators or counsel should an investigation or other legal proceeding become necessary.
Looking for help in mastering due diligence on ethics and compliance risks in your third parties? Connect with one of our experts to learn more about how Ethisphere's specialized assessments can assist in uncovering the capabilities, threats, and opportunities for improved third-party risk mitigation.