9 Steps to Effective Third-Party Due Diligence
Faced with complex, global third-party networks, it is more critical than ever for you to have an effective strategy for evaluating and monitoring third-party risk. Below we have outlined nine steps for an enhanced due diligence process to ensure you have the insights needed to avoid financial and reputational harm due to third-party relationships.
STEP 1: Understand Compliance Concerns
The global nature of business today subjects your enterprise to a growing number of regulations and a greater need to mitigate risk exposure through partners and third parties—regardless of where your enterprise is located.
STEP 2: Define Corporate Objectives for Due Diligence
Your due diligence process needs to align with the strategic, financial, regulatory, and reputational risks your organization may face. This is especially true for organizations doing business with third parties in countries that attract high levels of regulatory scrutiny.
STEP 3: Gather Key Information
For a corporate entity, organizations need to collect basic information including:
For an individual, organizations need to focus on gathering:
STEP 4: Screen Prospective Third Parties against Watchlists and PEPs
Once a basic level of vetting has taken place, prospective third parties—both companies and individuals—should be subjected to a watchlist screening process. By conducting watchlist and politically exposed persons (PEP) checks early in the process, you can quickly determine if the potential third-party relationship poses a significant risk. Names of companies, individuals, NGOs and, if applicable, assets such as vessels should be checked against:
Global sanctions lists
Law enforcement lists of known criminal entities
Regulator-published lists of debarred or disqualified companies and individuals
PEP lists to identify political connections
STEP 5: Conduct a Risk Assessment
After preliminary information collection and watchlist screening have taken place, it’s time for you to perform a risk assessment.
Considerations should include:
Country of origin risks such as those identified by Transparency International’s Corruption Perceptions Index rating
Specific sector risks like a high level of government involvement that might increase corruption risk in the defense industry or dependence on local agents that might increase bribery risk in the construction industry
Entity risks such as the use of intermediaries in transactions, joint-venture partners and exposure to money laundering
Essential internal factors related to financial risk including deficiencies in employee training, skills, and knowledge; a bonus culture that rewards excessive risk taking; lack of clear policies and procedures related to hospitality and promotional expenditure; and political or charitable contributions.
STEP 6: Validate the Information Collected
Following the risk assessment, your due diligence process should include verification of the information that has been accrued. For low-risk third parties, this final screening involves corroborating details against public records, running a credit check, and using specialized databases like CIFAS. High-risk third parties require an enhanced due diligence process of the entity itself, as well as known associates, subsidiaries, and other related entities. Negative news checks establish potential reputational risks from media archives. Additionally, checks against legal databases pull the litigation history of the prospective client or third party.
STEP 7: Audit the Due-Diligence Process
Throughout the due diligence process, your organization needs to maintain a comprehensive record of relevant documents, assessments, and decisions to ensure you can demonstrate ROI and prove that decisions to engage with partners or third parties were made in good faith.
STEP 8: Establish an Ongoing Monitoring Plan
Once a third party has been vetted, you still need to actively monitor the relationship to ensure that you are aware of potential problems before they put your organization at risk.
STEP 9: Review Your Due-Diligence Process Regularly
Business needs change. Commit to periodic reviews with stakeholders to ensure that your due diligence process is always aligned with those needs over time.