“Risk-based approach” may be the three most over-used and least understood buzzwords in compliance in the past two years.  The DOJ talked at length about using a risk-based approach to third-party due diligence and risk management in its Evaluation of Corporate Compliance Program guidance, going so far as to give examples of what they mean.  And yet, nearly every client I work with has blind spots when it comes to implementing a truly risk-based due diligence program.  Why?  Because “risk-based” is easy to say but difficult to implement.

There are four distinct places that a risk-based approach should be implemented during your third-party due diligence process.  Let’s look at each in turn.

No. 1: Scoping

The first place to apply a risk-based approach is in scoping.  Scoping should result in one of two outcomes for each third-party: you’re in or you’re out.  Applying a risk-based approach to scoping is critical because if every possible third-party is in-scope, your program is probably overly broad and doesn’t address the true risk to the company.

Let’s be honest, do you really need to score and review paperclip vendors?  How about one-off customers or distributors selling less than $500 of your products annually?  Don’t laugh, I’ve seen every one of those third-party types in scope at different companies. 

Here’s my top tip for scoping: if you can’t come up with a plausible scenario where the third-party would violate the rules, the third-party type should be out of scope.  This determination rests on which risk types you are reviewing in your due diligence program. 

For example, let’s say that in your program, you’re reviewing third-parties solely for bribery risk, and you need to determine whether suppliers should be in-scope.  Try to come up with a plausible scenario about how a supplier could bribe someone on your company’s behalf.  Well, they’re not going to bribe a customer on your behalf.  The only scenario in which a bribe would be made by a supplier is the attempt to bribe your employees, who should be trained to avoid this situation.  After this analysis, suppliers should be kept out of scope for this third-party program.

Remove third-parties from the scope when there is little or no chance that they could create a problem for you based on the risk areas you’re reviewing.

No. 2: Initial Risk Ranking

Creating an initial risk ranking is critical for determining how problematic a third-party type is likely to become.  Many companies apply the hammer approach and put every third-party into the same bucket for the same treatment.  Instead of putting everyone through the same review, the creation of a truly risk-based approach comes from using multiple criteria to determine the third-party’s riskiness.  What criteria can be used?  Examples include:

Many other criteria can be used to create an initial risk ranking.  Your initial review should create a stratified third-party world. 

No. 3: Create an Escalating Process

Once you’ve got your initial risk stratification, you need to create an escalating review process with multiple layers.  You can use an entire menu of different tools.  This may include: 

There are many ways to create an escalating evaluation process, and it makes sense to do so.  Think about it, does every third-party really need a due diligence questionnaire?  The paperclip provider shouldn’t have to answer six pages of questions about its corporate history and ownership structure in order to sell your company $250 of office supplies.

By creating a consistent escalation process based on the initial risk score of the third-party, you create a defensible risk-based approach.

No. 4: Known Risk Mitigation

What happens when you get a red flag?  Is there a consistent approach to the issue?  Or does each third-party go through a different process?  Having a written approach to red flag mitigation is a critical way to complete your risk-based approach.  You can create a red flag clearing criteria matrix which describes the way that red flags are reviewed and remediated.  Once again, a list of mitigating techniques can come into play here.  See THIS DOCUMENT for a list of examples. 

Most Importantly: Document Your Thought Process

The best way to make a risk-based model defensible is to write down your thought process.  Why did you make the determinations you did?  How did you choose which third-parties were in scope?  Why did you choose the initial risk-ranking criteria that you did?  If your program is ever challenged during a prosecution, having your thought process in writing will make your program much more likely to be found credible, even if you missed something.

The number one reason compliance officers don’t take a risk-based approach is that they are terrified something will slip through the cracks and they’ll be blamed.  Prosecutors and regulators understand that businesses can’t and shouldn’t give the same amount of attention and resources to every third-party.  By adopting a risk-based approach at every step, you ensure your resources are applied to the highest-risk third-parties.
