Due diligence questionnaires are a critical tool for understanding third-parties. But they can quickly get out of control, putting unreasonable burdens on the answering party, and at worst, invading the privacy of individuals in wholly unnecessary ways.
How do you balance the legitimate need for information with the reality that no questionnaire can fully protect the company from the possibility that the third-party will misbehave? Here are three dos and don’ts when it comes to due diligence questionnaires.
1. Don’t Ask For Information That Won’t Stop The Third-Party From Being Approved
Most due diligence questionnaires are far too broad. The rule should be this: if a negative answer wouldn’t lead you to reject the third-party, don’t ask the question.
The purpose of a due diligence questionnaire is to surface red flags that would stop the third-party from being a good choice to work with you, not to get to know their whole company. There are lots of questions that are nice to know, but if you’re resource constrained (and who isn’t?), asking nice-to-know questions drives inefficiency and slows down the approval process.
Let’s take the common example of questions like “do you have a compliance program, code of conduct, or anti-bribery policy?” If the answer is “no,” are you really going to not work with the third-party?
What if they are a two-person distribution company? Do they have a compliance program? Probably not. Does this mean you shouldn’t work with them? It probably doesn’t matter unless there is a history of bad behavior. Ask questions that lead to outcomes.
2. Don’t Ask About Irrelevant Criminality
Some questionnaires ask if any employee at the company has ever been convicted of a misdemeanor. First of all, as many companies have thousands of employees, how could they possibly answer this in good faith? Secondly, if a key manager had a shoplifting offense or marijuana conviction from twenty years ago, would this stop the third-party from being engaged by your company? Probably not. So narrow this question down to what matters.
Try tailoring the question as follows:
➡️ Has the company ever been charged with or convicted of a crime?
➡️ Have any of the top executives or anyone who will be working directly on our company’s behalf ever been convicted of a felony or serious criminal action?
➡️ Has the company, any of its top executives, or anyone who will be working directly on our company’s behalf, been convicted of bribery, fraud, money laundering, sanctions avoidance/violation, or other serious financial crime?
Be careful about asking about charges or arrests versus convictions. These are not the same thing, and it is not legal in all jurisdictions to ask about arrests that did not result in a conviction.
3. Do Ask All Questions You Require for Your Risk Ranking and Approval
You probably need to know information about the ultimate beneficial owner(s) of any higher-risk third-party working with your company. You also probably need to know the names and titles of key managers, as well as if the company has ever been convicted of bribery or other compliance-related offense.
Ask all of the questions you need up front so you’re not going back to the third-party again and again. Have an “if yes” methodology that allows the third-party to explain itself if it answers important questions in the affirmative.
4. Don’t Neglect to Coordinate with Other Functions
Many third-parties are inundated with multiple questionnaires by a company. Information Security, Information Technology, Sustainability, Corporate Social Responsibility, whoever is in charge of modern slavery and human rights, Privacy… the list goes on and on. Don’t finalize your due diligence questionnaire without contacting all of the departments that may need information from the third-party. Instead…
5. Do Contact Other Functions to Find Out What Information They Need
If at all possible, all third-parties should only have to answer ONE questionnaire from your company.
Talk to Procurement, IT, IS, Sustainability and anyone else that may interact with the third-party so that only one questionnaire goes out.
6. Don’t Make Everyone Go Through The Same Level of Scrutiny
No regulator expects that all third-parties go through the same level of due diligence.
For example, a re-seller in Denmark should be subject to less due diligence than a sales agent in Mozambique. Your methodology could dictate that the supplier from Denmark undergoes only a sanctions check, while the sales agent from Mozambique undergoes a full enhanced due diligence review.
Create a pragmatic risk-ranking methodology that would stand up to regulatory scrutiny.
BONUS: Do Consider Certifications or the Companies’ Report
More and more organizations are streamlining due diligence by working with a collective organization or undergoing certification. Organizations like SEDEX pool independent third-party audits onto a single platform so the third-parties don’t have to go through multiple audits from multiple companies. Likewise, TRACE International offers members the capacity to see the results of the TRACE certification process and the answers provided by third-parties to a lengthy due diligence questionnaire. An ISO 37001 certification by an accredited certification body shows true adherence to all regulatory anti-bribery due diligence requirements.
Do any of these certifications or aggregated audits mean that you should do no due diligence on the third-party? Of course not. You should always ask questions to understand what the third-party will be doing for your company and to understand their background. However, if the third-party has chosen to put itself through a certification or audit process, consider this to reduce the burden of due diligence both on your company and on the third-party.
By rationalizing the due diligence process and employing a proper risk-ranking methodology, you can ensure the security of your company while simultaneously implementing a pragmatic and rational due diligence process.