“Risk-based approach” may be the three most over-used and least understood buzzwords in compliance in the past two years. The DOJ talked at length about using a risk-based approach to third-party due diligence and risk management in its Evaluation of Corporate Compliance Program guidance, going so far as to give examples of what they mean. And yet, nearly every client I work with has blind spots when it comes to implementing a truly risk-based due diligence program. Why? Because “risk-based” is easy to say but difficult to implement.
There are four distinct places that a risk-based approach should be implemented during your third-party due diligence process. Let’s look at each in turn.
No. 1: Scoping
The first place to apply a risk-based approach is in scoping. Scoping should result in one of two outcomes for each third party: you’re in or you’re out. Applying a risk-based approach to scoping is critical because if every possible third party is in scope, your program is probably overly broad and doesn’t address the true risk to the company.
Let’s be honest, do you really need to score and review paperclip vendors? How about one-off customers or distributors selling less than $500 of your products annually? Don’t laugh, I’ve seen every one of those third-party types in scope at different companies.
Here’s my top tip for scoping: if you can’t come up with a plausible scenario in which the third party would violate the rules, that third-party type should be out of scope. This determination rests on which risk types you are reviewing in your due diligence program.
For example, let’s say that in your program you’re reviewing third parties solely for bribery risk, and you need to determine whether suppliers should be in scope. Try to come up with a plausible scenario in which a supplier could bribe someone on your company’s behalf. Well, they’re not going to bribe a customer on your behalf. The only scenario in which a supplier would pay a bribe is an attempt to bribe your own employees, who should be trained to avoid this situation. After this analysis, suppliers should be kept out of scope for this third-party program.
Remove third parties from the scope when there is little or no chance that they could create a problem for you based on the risk areas you’re reviewing.
No. 2: Initial Risk Ranking…