This is a guest post written by Ramsey Kazem, East Coast Vice President at Spark Compliance Consulting. It’s everything you need to know to develop a REAL risk-based approach to your third-party due diligence program

This is Part II of a two-part series describing how to design a third-party due diligence program that will meet the expectations articulated in the April 2019 guidance document issued by the Department of Justice (“DOJ”).  In Part I, we focused on how to define the scope of a third-party due diligence program.  That is, we discussed the key considerations in (1) selecting the risk areas for which the due diligence program will screen, and (2) identifying the third-party relationships that will be subject to due diligence scrutiny. 

In this second part of the series, we will explain how to develop a risk-based due diligence process to effectively screen the in-scope third-parties for compliance-related risks.   

Developing a Risk-based Due Diligence Process

After deciding which third-party relationships will be required to undergo due-diligence scrutiny, the next step is to develop the review process.  In designing the process, it is important to remember that there is no one-size-fits-all solution.  In fact, the DOJ’s guidance reminds us that a company should develop a process that is reasonable given the size and nature of the company and/or its business transactions.  On one end of the spectrum, this means that companies will be expected to develop a robust process supported with substantial monetary resources.   On the other end of the spectrum, a more limited process may be perfectly acceptable.  Regardless of where your company falls on the spectrum, the following factors should be considered in designing the due-diligence review process: 

Capabilities and resources of the company.  The due-diligence process should be designed to fit the technical capabilities, personnel and other resources of the company.  For the process to be successful it must be put into action – and, for that to happen it must be designed to meet the capacity, sophistication, technical know-how, and capabilities of the people, systems, and programs expected to execute the process.  This is not to say that you should not design a process that your company will grow into (especially if the company or compliance program is expected to expand over time).  However, for that approach to be effective, the implementation strategy must use a phased approach so that added complexity to the process is introduced in conjunction with the additional capacity or capability of the company or department.   

Cost and budget.  These two considerations go together.  In designing the process, you must estimate the cost to fully implement the due diligence process and compare it to the amount budgeted for the project.  If the estimated cost exceeds the budgeted amount, you must take a step back and decide how the program can be redesigned to reduce its overall cost (or develop a phased implementation strategy if additional resources are expected in the future).  Alternatively, after developing the lower-cost alternative, you should initiate a request for additional resources by presenting both versions of the due diligence process and explaining why the higher-cost version is better and more cost-effective in the long run. 

Impact on the business.  An effective third-party due diligence process requires buy-in from “the business” as they will be on the frontlines of “making it work”.  That is, the personnel responsible for managing the relationships of in-scope third-parties will likely be your best source for gathering the initial information about the third-party and assisting in clearing any red flag findings.  However, you must be judicious in assigning tasks to the business team.  After all, company employees have a day job and the last thing they will want is a bunch of extra work or an overly cumbersome and inefficient process that slows down their day-to-day progress.

With the above factors guiding the overall design of a company’s due diligence process, it is essential that the process includes the following five steps (1) Information Gathering, (2) Analysis, (3) Due Diligence Review, (4) Clearing Red Flags, and (5) Third-party Approval Decision.  Each of these steps will be discussed in turn. 

Step 1:  Information Gathering.  The first step in a third-party due diligence process is gathering information about the specific in-scope third-party.  In designing the process, you must determine what information will you need to properly evaluate the risk presented by the third-party and how you will get it.    A best practice is to require the person responsible for managing the third-party relationship to complete an internal questionnaire with targeted questions relevant to the risk area(s).  Another common practice is to send a questionnaire directly to the third-party.  The third-party questionnaire can be in addition to, or instead of, the internal questionnaire. 

Whichever approach you undertake, it is essential that the questionnaires trigger responses that are used to evaluate and rate the level of risk presented by the third-party.  For example, for an anti-bribery and corruption due diligence review, the questionnaire may ask the following:

In drafting the questionnaire – whether for internal use or sent directly to the third-party – it is most effective to include only those questions that are relevant to the applicable risk area(s) and seek information necessary for evaluating the third-party risk.  Lengthy questionnaires with questions ancillary to the relevant risk area(s) are often returned late with incomplete responses. 

Step 2:  Analysis.  The next step in a third-party due diligence process requires an analysis of the information gathered.  The goal of this step is to assess the information obtained and calculate a risk rating for the third-party.  In designing the process, three issues should be addressed. 

First,
the process should specify who is responsible for analyzing the information.  This necessarily requires a determination of whether you will use (1) an internal resource, (2) an external resource, or (3) a technology solution/online platform.  Regardless of who is responsible, the process should require that the information gathered is transmitted for review to the same person/people and in the same manner.    

Second, the process should explain how the information is transmitted from the information gatherer to the party responsible for analyzing the information.  Is the information sent by email?  Are the questionnaire responses submitted via an online form?  Is the information entered into a central database or directly into a technology solution/online platform? 

Third, the process should establish an analytical framework for evaluating the information.  A best practice is to develop a weighted scoring system where each questionnaire response (or piece of information obtained) is ascribed a certain value based on the significance of the information.  The combined score of the evaluation is then used to determine an overall risk rating for the third-party.  The analytical framework should specify the score range for each risk rating (e.g., third-parties scoring between 0 and 50 are rated low risk, third-parties scoring between 51 and 80 are rated medium risk, and third-parties scoring over 81 are rated high risk). 

Please note, the analytical framework/scoring system can vary in sophistication (from using a basic spreadsheet to developing a detailed algorithm with your online platform provider) based on the level of resources available to support the program.  However, it is essential that all in-scope third-parties are subject to the same analysis.

Step 3:  Due Diligence Review.  After the analysis of information and risk rating the third party, the next step of the process is to conduct the due diligence review.  There is a wide variety of due diligence activities you can undertake to perform this review.  Common due diligence activities include: 

 

The process should detail the types of due diligence activities to be performed for each risk rating (e.g., low-risk, medium-risk, and high-risk).  Each in-scope third-party of the same risk rating should be subject to the same level of due diligence scrutiny.   

§  Step 4:  Clearing Red Flags.  After the third-party undergoes due diligence scrutiny in accordance with its risk rating, the next step in the process is to examine the results of the review.  That is, any adverse findings or red flags must be reviewed and cleared before the third-party may be submitted for approval.  A best practice for clearing red flags in a consistent manner is to develop a uniform red flag clearing criteria.  The red flag clearing criteria should identify issues or findings that are commonly triggered by the due diligence screening.  For each, the clearing criteria should provide a description of the issue and specify the follow-up actions with the third-party (e.g., requests for documentation to disprove the finding) and any next steps (e.g., adding specific contract clauses, mandating certain training, etc.) to mitigate or clear the finding.  In addition, the red flag clearing criteria should specify when and to whom high-risk issues or uncleared findings must be escalated.

 

Step 5:  Third-party Approval Decision.  The final step in the process is making the approval decision.  In other words, will the business be permitted to move forward with the third-party?  The process should specify the person or people responsible for approving the third-parties.  A best practice is to develop a tiered approval process where senior leaders/managers approve the higher risk parties (and lower risk parties are approved by middle managers).      

 

Finally, the due diligence process must include two additional elements.  First, the process should include specific documentation requirements to ensure there is a clear paper trail confirming that each step of the process was performed and detailing how key decisions were made.  Second, the process should specify when and how often the due diligence should be renewed.  The process, for example, may establish a due diligence renewal schedule that requires renewal at a specific point in time (e.g., every two years) or the occurrence of a specific event (e.g., contract renewal).

    

Conclusion

The DOJ’s recent guidance document clearly asserts its expectation that a compliance program includes a risk-based due diligence process to screen a company’s third-party relationships.  To comply with this expectation, a company must undertake a two-step process.  First, as discussed in Part I of this series, the company must define the scope of the due diligence program in terms of the risk areas to be reviewed and the third-party relationships to be screened. Second, the company must design a process to screen the in-scope third-parties and respond to adverse findings in a consistent, effective and efficient manner.  Moreover, the due diligence process should include specific documentation requirements and establish a due diligence renewal schedule.