
Step 1: Assess the Level of Risk to Determine the Scope of Review 

Assess the risk

The first step in the due diligence process should be an assessment of the risk posed by a third party. Many organizations categorize third parties by types or categories into low, medium, and high risk buckets, which then triggers the level of due diligence required. Common factors that trigger a higher level of risk include geography, government relationships, and spend. The higher the risk, the greater the scope and depth of diligence.  

In addition to the information below, also listen to Ethisphere’s Erica Salmon Byrne, Chief Strategy Officer and Executive Chair, discussing how to assess third-party risk in this first Ethicast podcast episode in a three-part series on third parties. 

Determine the Scope of the Review

Third-party risk management is a team sport. Coordinate with legal and the business units responsible for third-party partner relationships to discuss your due diligence plan. 

It is important to understand the business purpose behind the relationship with the third party and confirm whether they are qualified (through knowledge, expertise, credentials, licenses, etc.) for that business purpose. You should also consider why and how the third party was chosen. 

Important factors for determining how much due diligence is needed may include:  

Step 2: Perform an Initial Screening  

There is no one-size-fits-all approach to due diligence. As noted above, lower-risk third parties will require a less intensive review than higher-risk third parties.

Basic screening for all third parties should include:

Some questions to consider in your questionnaires:


Step 3: Conduct Enhanced Due Diligence for Higher Risk Entities 

Third parties that fall into the high-risk category (whether by virtue of their characteristics or because of a flag that comes up during the process) will require greater due diligence.

Enhanced due diligence may include: 

Step 4: Verify Responses and Information 

If you are relying on the third party for certain information, you must verify the information you receive. You can do this in a number of ways.

Step 5: Decide and Document the Process 

Once you have obtained all available information, make a reasonable, justifiable decision about whether to proceed. If you do, obtain all necessary approvals. 

Regardless of the decision, you should document it, referring to the steps of the due diligence process. Document decisions not to proceed, as well as any deviations from your normal diligence practices that were required. Ensure that these records are stored properly so they can be reviewed and monitored, or provided to regulators or counsel should an investigation or other legal proceeding become necessary. 

Looking for help in mastering due diligence on ethics and compliance risks in your third parties? Connect with one of our experts to learn more about how Ethisphere’s specialized assessments can assist in uncovering the capabilities, threats, and opportunities for improved third-party risk mitigation.
