Modern Third-Party Due Diligence Risk Management

Most companies start third-party risk management by doing “due diligence,” a term understood by corporate lawyers to mean verification of the facts that underlie a business decision. This illustration and the accompanying articles, developed by OCEG with GRC Solutions Council member Thomson Reuters, help outline a modern approach that enables ongoing due diligence throughout the third-party relationship.

A recent Thomson Reuters survey report entitled “Third Party Risk: Exposing the Gaps” indicates that 62 percent of survey participants perform initial third party due diligence (usually only for defined higher risk tier parties), but only 36 percent are monitoring for changes to the risk profile once third parties are put in place.

When asked what prevents them from taking steps to detect ongoing risks, participants define several key challenges, with the most significant being lack of data and resource constraints. So, many choose to put controls in place and only update the risk assessment annually by using one external source of information, such as a database that tracks sanctions and watch lists. Others simply rely on annual self-certification renewals or audits for higher-risk parties.

Principles set forth in the World Economic Forum’s Partnering Against Corruption Initiative (PACI) Good Practice Guidelines on Conducting Third Party Due Diligence call for both reasonable due diligence before entering the business relationship and ongoing due diligence “as circumstances warrant.” The Guidelines indicate that this includes review of information from the internet, databases, and media searches about the third party (as well as its owners and key employees) that may be used to verify and validate self-reported information or identify any changes in circumstances.

Automated systems for ongoing due diligence can evaluate and integrate information from a wide range of data sources about changes in legal ownership, financial activities, complex corporate relationships and partnerships, and other indicators of potential illegal or risky conduct. Regulators and prosecutors expect such ongoing tracking for high risk activities and geographies.

As use of third parties continues to grow, especially in global operations, we simply must accept that due diligence is never-ending. The need for continual evaluation is clear, and this includes using methods and technologies that allow us to glean knowledge about our third parties from multiple sources of information, while wisely applying limited resources to address the high risks known at the start or that develop along the way.