Your third parties hate you right now. One due diligence questionnaire comes from compliance, another from information security, another from corporate social responsibility, another from health and safety… all coming from different email addresses and systems. All repetitive. All taking an overly long amount of time.
For the past couple of years, there has been a push to relieve the stress felt by third parties by integrating the due diligence process into a single process. Saying “we should have a single process” is simple. Executing on that is really, really hard.
One blog post could not do justice to the grandness of this task, so this one will focus solely on scoping the types of risks that should be considered for an integrated third party risk management approach. Every company is different of course, and understanding the due diligence already being performed by various functions is a critical part of gathering information to succeed in creating the process. Regardless, some risks are commonly incorporated into an integrated third party program. These include:
Bribery and Corruption
The need for bribery-related due diligence in corporate compliance sparked the entire industry. Many third party due diligence programs are still focused solely on bribery and corruption, and it should still be a major focus of any third party due diligence program.
Modern Slavery/Human Trafficking
With the implementation of the UK Modern Slavery Act, California Transparency in Supply Chain Act, Australian Modern Slavery Act, US Federal Acquisition Regulation and many others, third party due diligence has gone from a nice-to-have to a need-to-have. Not only is modern slavery third party due diligence the right thing to do, it can also be cited in your company’s required reports as an activity proving your commitment to stopping these heinous crimes.
Sanctions screening is a must for all companies because of the strict liability nature of many sanctioning instruments. Luckily, sanctions screening software options abound, and most bribery and corruption-related software automatically screen for sanctioned parties.
With the advent of GDPR, it was clear that companies needed to be ultra-careful when choosing third party processors that would process personal data. As global and US state data privacy laws proliferate, the need to perform privacy-related due diligence increases.
Information and Cyber Security
Information security, cybersecurity, and data privacy go hand-in-hand. Under data privacy laws, data must be secured properly, so any third party with access to personal data should be screened to ensure it meets the data protection requirements imposed on it by the company and the law.
Depending on the nature of your business, you may have Know Your Customer and anti-money laundering due diligence requirements.
Many companies perform Dunn & Bradstreet reviews to ensure companies are creditworthy and financially stable.
Health and Safety
For many companies, health and safety is a top concern. This is especially true if a company’s workers are going to be on-site at a third parties’ location.
If your third parties provide or deal with chemicals, waste-water, explosives, or contaminants, due diligence may need to be performed to ensure a good track record of environmental law compliance.
Corporate Social Responsibility
For many companies, corporate social responsibility is an important consideration. More and more frequently, this review may include diversity and inclusion concerns, as well as the broader CSR universe.
If your company’s products require the extraction and trade of mineral ores containing tin, tantalum, tungsten, or gold, a conflict mineral check should be done on all third party vendors supplying such materials.
In many cases, regulations or best practices within an industry drive additional due diligence. For instance, third parties may need to have a valid license to perform certain tasks.
If you’re putting together an integrated third party risk management program, consider which of the above categories of risk should be included in your review, and determine the people at your company who are the subject matter experts for those categories. By defining the scope of risk to be reviewed, you’ll be one big step forward toward creating an integrated program.