In most business relationships, there is some balance of power. But when it comes to third-parties, your company holds all the cards. Most third-parties will jump through all the hoops required to get the contract. Compliance’s response to that is often to create gold-plated third-party risk management programs that go so far over the edge that they actually add risk to the company. How?
Let’s say there’s a company with a tiny compliance department that is tasked with managing the third-party program. The scope is “all third-parties,” and it is impossible to review everything that comes in.
Imagine You’re a Prosecutor…
Now imagine for a moment that you’re a prosecutor who just initiated a bribery-related investigation at that company. You pull up the due diligence report on the guilty third-party and bingo – in several adverse media reports, there are references to prior misconduct. The company had the information, but no one reviewed it because they had far too many records to review. How would you, as a prosecutor, feel about that failure?
If you ask for too much information and documentation, you won’t be able to focus on the key pieces that really drive risk. 20+ page due diligence questionnaires, requests for references, licenses, business intake forms, and multiple background checks may make it impossible to do the job properly. This is especially true if you haven’t taken a risk-based approach, so you ask for in-depth information from all third-parties instead of the ones that really present risk.
What Are You Going to Do with It?
When evaluating requests for information, ask yourself this question: what am I going to do with it? For example, many third-party due diligence questionnaires ask for banking references and business references. Answer truthfully – does anyone ever follow up with the information provided, or do anything with it at all?
It should be up to the business to evaluate and validate the third-party’s capabilities before they choose the third-party. It’s not Compliance’s place. Let’s say you’re in food manufacturing and the business makes a request to use a new supplier of sodium chloride. The third-party dutifully fills out your due diligence questionnaire and includes two business references. If you called the third party’s references, what would you even ask that would be meaningful and that wasn’t already answered in the questionnaire? Also, how awkward would it be to call and ask for a compliance-related reference from the business reference of a third-party you didn’t choose and know almost nothing about. It’s nonsensical. But every day, due diligence questionnaires go out with requests for business reference information.
Don’t ask for information you aren’t going to use. If you aren’t going to phone the bank to verify the records, don’t ask for them.
What Do You Need from the Business?
It’s not just the third-parties that are frequently inundated with long requests for information. Many third-party business intake forms require too much information as well. It’s rational to ask the business for their rationale for requesting a new third-party so that you have a record of it, but it’s not rational to ask the business if it is aware of any bribery-related offense committed by that third-party. The business should not be choosing a third-party it already knows is problematic. If that is happening, you have a culture and criminal issue, not an intake form problem. Third-party intake forms should be streamlined to require only the information needed to process the third-party and to perform the due diligence.
What to Do to Fix It
If your program has some or all of these challenges, take heart. Realize that the program was probably set up to be over-inclusive because of the fear of getting it wrong or missing a red flag, then decide to take a risk-based approach to your requests for information. Take a critical eye to your process. Ask yourself questions like:
Is the scope of my third-party program so big that I can’t review the most high-risk third-parties properly?
Is my process too convoluted to work easily or explain simply to others?
Am I using every piece of information in my due diligence questionnaire? And if not, where can I cut it?
Am I using every piece of information in my third-party intake form? And if not, where can I cut it?
Am I asking for information I don’t follow up on, like references and banking information?
Am I using my software as a single source of truth whenever possible?
Am I using my software to its highest and best use through automation?
Am I truly using a risk-based approach such that my attention is squarely focused on those third-parties that create real risk?
If you’re not happy with the answers to each of the questions above, re-evaluate your program. There’s no harm in asking for the information you need, but you risk missing something important if you constantly ask for more than you can process.