Your Step-by-Step Guide to Developing a Risk-Based Due Diligence Process

This is a guest post by Ramsey Kazem, East Coast Vice President, Spark Compliance Consulting.  He can be reached at

Last spring, the Department of Justice issued a guidance document that outlines the specific factors prosecutors consider in evaluating a company’s compliance program and in deciding whether to bring charges, negotiate plea agreements, or offer leniency when assessing penalties.  The guidance makes clear that a “well designed compliance program should apply risk-based due diligence to [a company’s] third-party relationships.”  That is, a company must have a process in place to perform an appropriate level of due diligence before engaging a new third party.  This process must be current, effective, and risk-based.

While the expectation is clear, the process by which a company meets this expectation is not as straightforward.  As with most things in compliance, there is no one-size-fits-all solution to satisfying this standard.  Indeed, a company must develop an approach to third-party due diligence that fits the company’s size, structure, industry, geographical presence, and risk profile.

So how does a company go about designing a third-party due diligence process that will meet the expectations described in the DOJ’s guidance document?  In this two-part series, we will share some guidelines and best practices for undertaking this effort.  In Part I of the series, we will discuss how to define the scope of a third-party due diligence program.  In Part II, we will explain how to develop a risk-based process to effectively screen the in-scope third parties for compliance-related risks.

Defining the Scope of a Third-Party Due Diligence Program

The first step in designing a third-party due diligence program is to define the scope of the program…