Components Of An Effective Third-Party Due Diligence Program

Third-party intermediaries such as distributors, resellers, agents, service providers, or business consultants are contracted to rapidly create a presence in, or access to, new or emerging markets. They can serve as the first foothold in opening a commercial presence, both domestically and internationally. They can also provide insight into the local business environment and bring their relationships as business partners. While third parties are retained to operate on the organization's behalf, their business activities are not always as transparent or controllable, which increases exposure to bribery and corruption risks. Intermediaries include not only those used in the sales channel, but also those engaged as part of business operations and strategy.

A third-party due diligence program (KY3P) reduces the risk of improper payments and fraud. In addition, regulations such as the FCPA and the UK Bribery Act, settlement agreements, enforcement actions, ISO standards and best practices require a third-party due diligence program as part of the corporate ethics and compliance program.

The following components are part of an effective program:

Risk-based approach: the first step in the program is to perform a risk assessment of third parties, usually classifying them as low, medium or high risk. These risk tiers define how deep the investigation should go. For instance, the risk assessment should identify key factors such as interaction with government customers and other politically exposed persons, unclear ownership and control of the third party, expected purchasing volume, perceived country corruption risk, exposure to regulatory enforcement, type of business relationship, and level of confidentiality and dependency.

Consistency: automating the control activities and developing templates for selecting third parties will help drive consistency across the organization. A robust procedure is critical for organizations with decentralized compliance departments or without integrated GRC software. The third-party base should be centralized so that all the information is visible and controlled. Training on the anti-bribery policy and trade compliance should also be given to all agents and intermediaries, based on specific criteria.

Management involvement: compliance and commercial executives should be involved during the third-party due diligence process to identify other risks or action plans. Workflows should be able to escalate approvals in the decision-making process and the remediation plans, especially when some risks cannot be avoided. Management involvement includes the compliance and legal departments, as well as sales, finance, export and data privacy experts. The due diligence program and the anti-bribery commitments should be clearly communicated, internally and externally, by top management.

Efficient, reliable and scalable: controls and validations should be proportionate to the risks and embedded in a well-thought-out process. Contracting with third-party partners should address key risks by selecting acceptance procedures specific to each case. For instance, such procedures include due diligence questionnaires, business justification memorandums, certifications, targeted training, extended background checks including financial checks, in-depth review of sanctions and watch lists across jurisdictions, and on-site visits and interviews.

Comprehensive: both internal and external information should be used during the due diligence. It is important to obtain risk information from outside the organization, such as sanctions lists, financial and politically exposed person lists, credit ratings, and adverse media.

Independence: conflicts of interest should be avoided during the investigation and action plans to ensure objectivity in the selection process. Due diligence procedures should be performed and approved independently of the requestor. The acceptance of agents should be separated from business operations.

Continuous monitoring: changes in the risk profile of agents should be proactively monitored so that the screening controls can be adjusted. Automated database searches should be performed systematically across the third-party base.

Which best practices have you identified in implementing a third-party due diligence?

The original blog appeared here.

Hernan Huwyler

Hernan Huwyler is a CPA and MBA who specializes in risk management, compliance, and internal controls for multinational companies. He works on implementing controls to address regulatory and legal requirements in European and American companies. He currently serves as Risk Management and Internal Control Director for Veolia, leading assurance practices. He previously worked for Deloitte, ExxonMobil, Baker Hughes, and Tenaris.