
Third party due diligence is a critical process that helps organizations assess the risks associated with working with external partners, vendors, or suppliers.
The goal of third party due diligence is to identify and mitigate potential risks, such as financial instability, regulatory non-compliance, or reputational damage.
A thorough third party due diligence process involves evaluating a range of factors, including the third party's financial health, management structure, and operational capabilities.
It's essential to have a clear understanding of what you're looking for in a third party due diligence process to ensure you're asking the right questions and gathering the necessary information.
Check this out: Third Party Risk Management Process
What Is Due Diligence?
Due diligence is the process of thoroughly investigating and evaluating a third party, such as a vendor or supplier, to assess their suitability and potential risks.
It involves gathering and analyzing information about the third party's financial stability, operational capabilities, and reputation. This process helps to identify potential issues or red flags that could impact the success of a business relationship.
Due diligence can be a time-consuming and labor-intensive process, but it's essential to ensure that you're making informed decisions and minimizing potential risks.
For your interest: Third Party Risk Assessment Process
What Is Due Diligence?
Due diligence is a thorough investigation or examination of a business, investment, or financial opportunity to identify potential risks and opportunities. It's like doing your homework before making a major decision.
This process involves reviewing financial statements, contracts, and other documents to ensure you have a clear understanding of the situation. Due diligence can be time-consuming, but it's essential for making informed decisions.
Due diligence is often required in mergers and acquisitions, where one company is buying or merging with another. It's also used in investments, such as buying a property or starting a business.
You might enjoy: Financial Due Dilligence
Why We Need Due Diligence?
Due diligence is a crucial process for businesses, and it's essential to understand why. Businesses need third-party due diligence because it helps them identify and mitigate risks related to bribery, corruption, human rights, and other ethical or integrity issues.
The number of third-party relationships is staggering, with Gartner estimating that 60% of businesses work with over 1,000 third parties. This number is only expected to grow.
For another approach, see: Third-party Billing
Effective third-party due diligence enables organizations to make strategic decisions about who to do business with, balancing potential opportunities against associated risks. By thoroughly vetting third parties, businesses can protect themselves from compliance violations, unethical business practices, and reputational risk.
A comprehensive due diligence process is key to reducing risk and supporting strategic business enablement.
A unique perspective: Counter Party Risk
Due Diligence Process
The due diligence process is an iterative approach that involves implementing safeguards, monitoring them, and improving them as needed. It's not a one-time task, but rather an ongoing process that requires regular review and updating.
To get started, you need to map the compliance landscape, which involves identifying regulations and compliance concerns that may affect your business. This will help you determine what red flags to look for when vetting third parties.
Defining your objectives is also crucial, as it will help align your due diligence process with your company's financial and strategic goals. This will ensure that your process is focused on the right risks and objectives.
Gathering documentation is essential to verify the identity and legitimacy of your third-party partners. This may include documents like articles of incorporation, key shareholder information, and proof of identification.
You should also vet third parties by checking if they appear on any watch lists or sanction lists, or if they have been involved in any negative media coverage. This will help you assess the risk associated with working with them.
The due diligence process involves several steps, including:
- Mapping the compliance landscape
- Defining objectives
- Gathering documentation
- Vetting third parties
- Analyzing risk
- Documenting the process
- Monitoring third parties
- Reviewing the process
It's also important to document your process, including any decisions made and the reasons behind them. This will help prove regulatory compliance and validate your decisions.
Review Scope and Assessment
Reviewing the scope and assessment of third-party due diligence is a crucial step in the process. This involves understanding the business purpose behind the relationship with the third party and confirming if they are qualified for that purpose.
To determine the scope of the review, it's essential to coordinate with legal and business units responsible for third-party partner relationships. The goal is to discuss the due diligence plan and understand the factors that trigger a higher level of risk.
A different take: Bank of America Customers Were Compromised by a Third-party Vendor.
Important factors for determining how much due diligence is needed include interactions with government officials, the nature and volume of the work the third party will provide, where the third party is located, if the third party's industry is considered high-risk, and whether the third party is subject to legal or regulatory proceedings or sanctions.
Here are some key factors to consider when determining the scope of the review:
- Interactions with government officials
- The nature and volume of the work the third party will provide
- Where the third party is located
- If the third party's industry is considered high-risk
- Whether the third party is subject to legal or regulatory proceedings or sanctions
- Red flags raised in the diligence process
Assessing the risk posed by a third party is the first step in the due diligence process. Many organizations categorize third parties by types or categories into low, medium, and high-risk buckets, which then triggers the level of due diligence required.
Initial Screening and Verification
Initial screening is a crucial step in third-party due diligence, and it's essential to understand that there's no one-size-fits-all approach. Lower-risk third parties will require less intensive looks than higher-risk ones.
Basic screening for all third parties should include an open-source background check, internet searches, adverse media searches, a simple questionnaire, legal proceeding searches, and restricted party/Politically Exposed Persons/watch list screening.
For more insights, see: Who Are the Parties in an Estate?
An open-source background check is a good starting point, but it's just the beginning. You'll also want to conduct internet searches and adverse media searches to get a better understanding of the third party's reputation.
A simple questionnaire is a great way to gather information, but it's essential to verify the responses you receive. You can do this by asking the third party to provide supplemental information for any answers that may increase their risk level.
Here's a list of basic screening methods:
- An open-source background check
- Internet searches
- Adverse media searches
- A simple questionnaire
- Legal proceeding searches
- Restricted party/Politically Exposed Persons/watch list screening
Verification is key, and it's essential to coordinate with other departments to confirm responses. You can also dive deeper into the responses through open-source searches, court records, business references, and subject-matter experts if necessary.
Enhanced Due Diligence
Enhanced due diligence is a crucial step in the third-party due diligence process, particularly for high-risk entities. It involves a more in-depth examination of the third party's characteristics and activities.
Enhanced due diligence may include hiring an external consultant or local investigator, on-site appraisal of the premises, physical records check, and sample transaction testing. It may also involve reviewing and verifying policies and procedures, interviewing employees and others, requesting banking institution references, and obtaining information on business interests of owners.
Here are some specific steps that may be involved in enhanced due diligence:
- Hiring an external consultant or local investigator
- On-site appraisal of the premises
- Physical records check and review of books
- Sample transaction testing
- Reviewing and verifying policies and procedures
- Interviewing employees and others
- Requesting banking institution references
- Obtaining information on business interests of owners
Step 3: Enhanced Entity Extraction
High-risk third parties require greater due diligence, which may include hiring an external consultant or local investigator.
To extract valuable information from these high-risk entities, you'll want to conduct an on-site appraisal of the premises, including a physical records check and review of books.
You may also want to sample transaction testing, reviewing and verifying policies and procedures, interviewing employees and others, requesting banking institution references, and obtaining information on business interests of owners.
Here's a breakdown of some of the enhanced due diligence methods you can use:
- Hiring an external consultant or local investigator
- On-site appraisal of the premises
- Physical records check and review of books
- Sample transaction testing
- Reviewing and verifying policies and procedures
- Interviewing employees and others
- Requesting banking institution references
- Obtaining information on business interests of owners
Enhanced May Include
Enhanced due diligence is a crucial step in assessing the risks associated with third-party relationships. It involves a more in-depth examination of the third party, their business practices, and their potential vulnerabilities.
To conduct enhanced due diligence, you may need to hire an external consultant or local investigator to gather information about the third party.
An on-site appraisal of the premises can also be a valuable part of the process, allowing you to assess the third party's operations and facilities firsthand.
Related reading: Enhanced Customer Due Diligence
Physical records check and review of books is another essential aspect of enhanced due diligence, helping you to identify any potential discrepancies or irregularities.
Sample transaction testing can also be used to evaluate the third party's financial practices and identify any potential risks.
Reviewing and verifying policies and procedures is also an important step, ensuring that the third party has adequate controls in place to mitigate risks.
Interviewing employees and others can provide valuable insights into the third party's culture and operations.
Requesting banking institution references can help you to assess the third party's financial stability and reputation.
Obtaining information on business interests of owners can also provide valuable information about the third party's potential vulnerabilities.
Here are some of the key steps involved in enhanced due diligence:
- Hiring an external consultant or local investigator
- On-site appraisal of the premises
- Physical records check and review of books
- Sample transaction testing
- Reviewing and verifying policies and procedures
- Interviewing employees and others
- Requesting banking institution references
- Obtaining information on business interests of owners
These steps can help you to conduct a thorough and effective enhanced due diligence process, ensuring that you have a clear understanding of the risks associated with your third-party relationships.
Reporting and Documentation
Reporting and documentation are crucial steps in the third-party due diligence process. A due diligence report will either give assurance that there are no concerns or it will raise red flags that require compliance and business action.
You should document your decision to proceed with a third-party relationship, as well as any deviations from your normal diligence practices. This documentation should be stored properly and made available for review and monitoring.
Here are some key documents to consider: Articles of incorporation and key shareholder information (for corporations)Proof of identification and disclosures about possible conflicts of interest (for individuals) These documents will help you verify the identity and legitimacy of your third-party partners.
Discover more: Insurance Third Party Administrator
Decide and Document the Process
Deciding whether to proceed with a business deal or partnership requires careful consideration of the information gathered during due diligence. This decision should be made after reviewing all available data and considering the potential risks and benefits.
Regardless of the decision, it's essential to document the process and the reasons behind it. This includes documenting decisions not to proceed, as well as any deviations from normal diligence practices that were required.
Documentation is crucial in case of an investigation or legal proceeding, and it's also essential for maintaining transparency and accountability within the organization. By documenting the due diligence process, you can ensure that all stakeholders are informed and that the decision-making process is transparent.
Here are some key takeaways from the due diligence process:
The due diligence report is a critical document that captures the findings of the review and provides assurance that a thorough investigation has been conducted. It's essential to store these records properly to ensure they can be reviewed and monitored as needed.
The Report
A due diligence report is a thorough review of a third-party's background, which can either give assurance that there are no concerns or raise red flags that require compliance and business action.
The report is the finished product of the due diligence process, demonstrating that a thorough review has been carried out using the best resources to capture available public data.
It's essential to keep extensive records of any information or documentation gathered during the due diligence process, which will help prove regulatory compliance and validate decisions about all third-party relationships.
The report should be comprehensive, including insights into various risks such as cyber, ESG, financial, identity, and operational risks.
The report will either give assurance that there are no concerns or it will raise red flags that require compliance and or business action.
Here are some key components of a due diligence report:
- Assessment of bribery, corruption, fraud, and other criminal activities
- Review of third-party's compliance with regulations and laws
- Analysis of potential risks to the business
- Documentation of the due diligence process and findings
Vendor Management
Vendor management is a crucial aspect of third-party due diligence. It involves assessing and managing the risks associated with vendors who provide goods or services to your organization. To effectively manage vendors, it's essential to have a system in place to identify and mitigate potential risks.
You should use a vendor risk questionnaire that examines the vendor's risk posture, information security controls, and extended supply chain. This will help you gain a deeper understanding of the vendor's capabilities and potential risks. For example, reviewing the third party's insurance coverage, such as professional liability, general liability, and cyber insurance, can provide valuable insights into their risk management practices.
Conducting a background check on key personnel who will be performing the contract is also a best practice. This can help you identify potential risks associated with the vendor's employees. In addition, reviewing the vendor's data retention and destruction policies can ensure that sensitive information is handled properly.
Centralizing third-party data is also essential for effective vendor management. This can be achieved by implementing a system for managing third-party information, which makes it more accessible, useful, and defensible. By centralizing your third-party data, you can streamline the process of identifying all of your third parties and their jurisdictions.
Here are some key due diligence questions to ask during the sourcing and selection process:
- What IT systems, data, and infrastructure might the vendor access to perform their contract with my organization?
- Has the vendor received certifications against information security frameworks such as NIST CSF, SOC 2, or ISO 27001?
- Has the third party faced public accusations of poor ESG practices, or do they have documented ESG compliance violations?
- What is the vendor's financial health? Credit rating and other financial metrics provide insights into the vendor's viability.
By asking these questions and implementing a robust vendor management process, you can reduce the risks associated with third-party due diligence and ensure that your organization is working with reliable and trustworthy vendors.
Manage and Monitor Continuously
As you start to manage your third-party relationships, it's essential to understand that due diligence is not a one-time process. In fact, one-time due diligence is not enough. Organizations with less mature risk management programs might assume they have finished their work after completing initial due diligence on a third party.
To effectively manage and monitor your third-party relationships, you need to have a system in place to identify and mitigate potential risks over the length of the relationship. This may involve continuous monitoring or a due diligence renewal process.
Continuous risk monitoring is critical to validate vendor-supplied data and flag new and emerging issues such as data breaches, IT security vulnerabilities, operational disruptions, reputational incidents, and financial problems.
An effective third-party due diligence strategy should include ongoing checks against global databases and watch lists, as well as reviews of mentions in press releases, media, web searches, and more for possible signs of corruption, reputational concerns, or other ethical conflicts.
Check this out: Copay Due at Time of Service
Here are some key components of a third-party due diligence strategy:
- Checking third-party vendor names against global databases and watch lists.
- Reviewing mentions of your third-party partner in press releases, media, web searches and more for possible signs of corruption, reputational concerns, or other ethical conflicts.
- Verifying whether the third party or its key principals and owners appears in country-specific watchlist databases or government records.
- Crosschecking self-reported information from your due diligence questionnaire against information from your own investigation, or leveraging a solution that offers independent verification and integrity checks.
By implementing a tailored third-party risk management solution and continuously monitoring your third-party relationships, you can ensure that you're always aware of potential risks and can take steps to mitigate them.
Enhanced Due Diligence Tools
Enhanced due diligence is a crucial step in identifying high-risk third parties. It involves a more thorough investigation to ensure the party's legitimacy and compliance with regulations.
Some common practices for enhanced due diligence include hiring an external consultant or local investigator, conducting an on-site appraisal of the premises, and physically reviewing the party's records and books.
Sample transaction testing, reviewing and verifying policies and procedures, interviewing employees and others, requesting banking institution references, and obtaining information on business interests of owners are also essential components.
Here's a breakdown of some specific steps involved in enhanced due diligence:
Risk Assessment
When assessing the risk posed by a third party, it's essential to categorize them by type or category into low, medium, and high risk buckets, which then triggers the level of due diligence required.
Common factors that trigger a higher level of risk include geography, government relationships, and spend. The higher the risk, the greater the scope and depth of diligence.
Listen to Ethisphere's Erica Salmon Byrne, Chief Strategy Officer and Executive Chair, discussing how to assess third-party risk in the first Ethicast podcast episode in a three-part series on third parties.
Structuring your third-party due diligence assessments around a common industry framework can simplify risk assessments.
A different take: A Party That Invests in Common Stock
Location and Compliance
A thorough review of a target company's corporate structure is essential to understand potential compliance risks.
This includes examining subsidiaries and possible acquisitions, such as a U.S. parent acquiring an Australian company, which may subject the Australian firm to U.S. sanctions law.
A compliance officer needs to know this level of detail to assess potential risks and ensure compliance.
Recommended read: Third Party Hipaa Compliance
Corporate Registry
A corporate registry can provide invaluable objective evidence about a third party.
Some countries, like China and Singapore, have online corporate registries, making it easy to access this information remotely. Hong Kong requires an online payment to access its corporate registry.
Indian sole proprietorships have no registration requirements, which can make it difficult to verify information about these businesses.
A corporate registry can reveal ownership percentages and how corporations are organized, which can be especially useful if the information contradicts what the third party has told you.
You can sometimes access a corporate registry via computer, while other times you may need to visit a physical office to obtain the information.
Enforcement Actions
Some third parties might simply deny that they’ve ever had any issues with enforcement, but just about every regulatory agency does have detailed records that can disprove such claims.
Having a history of enforcement actions can be a major red flag for potential partners or clients. This is because it indicates a lack of accountability and a willingness to disregard the law.
Regulatory agencies often have detailed records of enforcement actions, which can be used to verify a company's claims. These records can include fines, penalties, and other forms of enforcement.
It's essential to do your due diligence and research a company's enforcement history before partnering with them or doing business with them. This can save you from potential financial losses and reputational damage.
Curious to learn more? Check out: Third Party Claims Administrator
Adverse Media Reports
Adverse media reports can be a valuable resource in conducting due diligence on third parties. They can provide insight into potential corruption or other issues that may be relevant to your business.
When searching for adverse media reports, it's a good idea to look back at least one to five years, focusing on media in markets where the target company has a significant operational presence. This can be a time-consuming exercise, especially if searching foreign-language media where translation services may be necessary.
Social media reports can be inherently untrustworthy, but they can often point to issues worth researching in traditional print or broadcast media. It's essential to verify information found on social media through other sources.
To give you a better idea of what to look for, here are some examples of adverse media reports:
- Unflattering media reports
- Commentary on social media
- Reports of bribery, corruption, drug and human trafficking, money laundering, terrorist activity, and other legal violations
These types of reports can be a red flag, and it's crucial to investigate further to determine their accuracy and relevance to your business.
Location and CPI
Location and CPI play a significant role in determining a country's corruption risk. The Corruption Perception Index (CPI) is a reliable benchmark published by Transparency International.
Countries with a higher CPI score generally have lower corruption risk. The CPI score can be affected by a Level II due diligence report, which can lead to a reassessment and potentially lower the final risk score.
Level III
Level III due diligence is the most advanced level of third-party research, designed to provide the highest level of assurance that third parties do not present a risk of bribery and corruption or other regulatory risks.
At this level, the focus is on conducting in-depth research to gather as much information as possible about the third party. This includes using expert search software to aggregate vast global databases of free available and subscription-based public records.
The goal of Level III due diligence is to provide a high level of assurance that the third party is compliant with all relevant regulations, including the FCPA and UK Bribery Act. This level of research is typically conducted by skilled researchers, analysts, or paralegals who have access to advanced search tools and databases.
Here are the primary components of Level III due diligence:
- Assure that third parties do not present a risk of bribery and corruption or other regulator risks.
Breaking Down Silos
Breaking down silos is crucial in third party due diligence, as it requires collaboration and information sharing between teams.
In the context of third party due diligence, silos often refer to the separation of risk, compliance, and other teams. This separation can lead to a fragmented view of the third party, making it difficult to identify potential risks.
Effective communication and collaboration can help break down these silos, allowing teams to share information and work together to identify and mitigate risks.
Choose a Repeatable Framework to Simplify Assessments
Breaking down silos in risk assessment requires a structured approach.
Using a common industry framework for third-party due diligence assessments simplifies the process and ensures consistency. This approach enables your team to assess vendors using similar criteria, providing familiar best-practice remediation recommendations.
A repeatable framework helps organizations categorize third parties by types or categories into low, medium, and high risk buckets. This triggers the level of due diligence required, making it easier to identify and address potential risks.
Structuring assessments around a common framework also helps identify common factors that trigger a higher level of risk, such as geography, government relationships, and spend.
Breaking Down Silos
Breaking down silos requires a fundamental shift in how teams communicate and collaborate. This is often hindered by the presence of silos, which can be defined as separate groups within an organization that have their own distinct goals, priorities, and communication channels.
A study found that 85% of organizations have siloed teams, with each team having its own separate goals and priorities. This can lead to duplication of effort and a lack of transparency.
Effective communication is key to breaking down silos. In fact, a survey revealed that 71% of employees believe that communication is the most important factor in breaking down silos.
By establishing clear goals and priorities, teams can work together more effectively and avoid duplication of effort. This can be achieved through regular team meetings and open communication channels.
Regular feedback and check-ins can also help to break down silos. A study found that teams that have regular feedback sessions have 25% higher productivity and 30% higher employee engagement.
Frequently Asked Questions
Is skipping third party due diligence good practice?
Skipping third-party due diligence can lead to contractual violations and legal liability, making it a risky and potentially costly practice. A formal due diligence process is essential to ensure compliance and protect your business from regulatory risks.
What are the three types of due diligence?
There are three main types of due diligence: financial, legal, and operational, each focusing on a specific aspect of a business or investment. These types of due diligence help identify potential risks and opportunities, ensuring informed decision-making.
Featured Images: pexels.com


