Category: Third Party


The 7 Commandments of a Successful Third-Party Due Diligence Program

What makes a third-party program successful?

Is there some sort of magic that separates the wheat from the chaff?

Why do some programs seem to thrive while others collapse under the weight of angry businesspeople going around the compliance department?

As Tony Robbins says, “Success leaves clues.”

We’ve not only seen but set up and reviewed a huge number of third-party due diligence programs.

From starting them from scratch, updating them when they’ve gone stale, to performing wholesale evaluations with recommendations for improvement, not a day goes by when we’re not engaged in at least one client’s program.

We’ve seen the good, the bad, and the ugly.

We’ve seen programs thrive and fail and everything in between.

After all this review, patterns emerge.

We’ve found that there are 7 consistent elements that tell us early on whether a third-party program will succeed or fail. Read them all in this blog post.


PODCAST! The Future of Third-Party Management with me and Tom Fox

I’m delighted to share my podcast interview with the inimitable Compliance Evangelist himself, Tom Fox. In this fast-paced discussion, we’ll go through:

  • Why third-parties are still the biggest compliance nightmare

  • Why it is inevitable that we will get to multi-risk integrated third-party management

  • What we can do today to begin multi-risk management

  • How to handle third-party monitoring and auditing concerns

  • What has changed with third-party management in the COVID world

  • What will happen in 2025 and beyond

You don’t want to miss these insights to help your program now and in the future!

Take a listen HERE.


The Tough Stuff: What to Do with Legacy Third-Parties, Part II

When it comes to imposition on the business, third-party due diligence programs often rank highest on the list. Third-party program rollouts or expansions are frequently fraught with challenges. One of the greatest challenges is deciding what to do with third-parties that the business is already using, frequently referred to as “legacy third-parties.”

Part one of this blog series reviewed the considerations compliance officers should mull over when determining what to do with legacy third-parties. Part two below describes various options available to deal with legacy third-party challenges. As you’ll see, there is no one-size-fits-all answer to the third-party conundrum.

The Choices

There are several ways of dealing with legacy third-parties. You can…

Go All In

Want to rip off the bandage? Go all in and include the whole gamut of legacy third-parties in your new or expanded program. The benefits of this approach are numerous. First, although the business will likely complain, the bulk of the third-party review will be done all at once, meaning that once the initial discomfort is over, the third-party program will be significantly less onerous. Second, the business won’t suffer fatigue as the third-party program continuously expands, with businesspeople being repeatedly called upon to give information about new categories of their currently-used third-parties. Third, this approach is usually the most efficient. Doing the work all at once means that it goes quickly.

On the downside, going all-in may create a giant bottleneck of false positives and potential hits to clear. If you have a small team or little capacity, this could take months (see Part I for more details on capacity considerations).

Only Screen at Contract Renewal or if the Contract is Amended…


The Tough Stuff: What to Do with Legacy Third-Parties, Part I

“We finally got the budget to start a proper third-party program!” my client exclaimed. “Great!” I said, “How many third-parties will you be starting with?” “Ten thousand.” Alarm bells went off in my head. I could already see the problems. How would she find reliable data? How would she and her team of three deal with the hundreds, if not thousands, of immediate false positives that typically come from that volume of screening? And most importantly, how would she deal with the businesspeople already using those ten thousand third-parties inevitably pushing back saying “but we’ve used them for years!”

Whether implementing a third-party program for the first time or expanding an existing one, the issue of legacy third-parties inevitably brings up monumental challenges. A “legacy third-party” is one that is already in use by the business that has not undergone due diligence. Bringing in or expanding a third-party program is already difficult. Deciding what to do with legacy third-parties can be a nightmare.

In part one of this two-part series, we’ll review the issues to consider before deciding what to do with legacy third-parties. In part two, we’ll go over different approaches to managing this challenge to help you decide the best path forward.


There are several issues with legacy third-parties, each of which should be considered when determining the best path forward. These include…


LAST CHANCE FOR 20% OFF – Focus Course: Create a TRULY Risk-Based Third-Party Program

The launch of the Focus Course: Create a TRULY Risk-Based Third-Party program has been phenomenal. The early reviews are terrific, and I couldn’t be happier. If you haven’t taken advantage of our 20% off launch pricing, the time to do so is TODAY. Use discount code “CL” at checkout to receive 20% off.

Regulators have been 100% clear – you need a risk-based third-party program. But what does that mean in practice? Do you TRULY have a risk-based third-party program? In this Focus Series Course, you’ll learn exactly how to build a risk-based program and how to refine the program you have to meet regulatory expectations, best practices, and the needs of your business. Already have a program? Fantastic – test it out to find out if it meets regulatory expectations, and find out how to strengthen it so it is truly risk-based.

Find out more HERE. You can see some of our reviews below. We can’t wait to have you.


Four CRITICAL Ways to Ensure a Risk-Based Third-Party Program

“Risk-based approach” may be the three most over-used and least understood buzzwords in compliance in the past two years. The DOJ talked at length about using a risk-based approach to third-party due diligence and risk management in its Evaluation of Corporate Compliance Programs guidance, going so far as to give examples of what they mean. And yet, nearly every client I work with has blind spots when it comes to implementing a truly risk-based due diligence program. Why? Because “risk-based” is easy to say but difficult to implement.

There are four distinct places that a risk-based approach should be implemented during your third-party due diligence process. Let’s look at each in turn.

No. 1: Scoping

The first place to apply a risk-based approach is in scoping. Scoping should result in one of two outcomes for each third-party: you’re in or you’re out. Applying a risk-based approach to scoping is critical because if every possible third-party is in-scope, your program is probably overly broad and doesn’t address the true risk to the company.

Let’s be honest, do you really need to score and review paperclip vendors? How about one-off customers or distributors selling less than $500 of your products annually? Don’t laugh, I’ve seen every one of those third-party types in scope at different companies.

Here’s my top tip for scoping: if you can’t come up with a plausible scenario where the third-party would violate the rules, the third-party type should be out of scope. This determination rests on which risk types you are reviewing in your due diligence program.

For example, let’s say that in your program, you’re reviewing third-parties solely for bribery risk, and you need to determine whether suppliers should be in-scope. Try to come up with a plausible scenario about how a supplier could bribe someone on your company’s behalf. Well, they’re not going to bribe a customer on your behalf. The only scenario in which a bribe would be made by a supplier is the attempt to bribe your employees, who should be trained to avoid this situation. After this analysis, suppliers should be kept out of scope for this third-party program.

Remove third-parties from the scope when there is little or no chance that they could create a problem for you based on the risk areas you’re reviewing.

No. 2: Initial Risk Ranking…


Third-Party Risk? Here’s Your Ultimate Mitigation Toolkit!

It’s November, which for many, means ski season is near. I love to ski, and I’m not alone. An estimated 130 million people ski and snowboard throughout the world. Skiing is great, but it can also be dangerous. Because of this, people have devised ways to lessen the likelihood of something going wrong. People wear hats to avoid frostbite, helmets to avoid brain injury, and release bindings so that their skis detach from their boots if they fall. Skiers mitigate against the risk of things going wrong so they can enjoy the activity they love.

Businesses must do the same thing. The use of third-parties comes with tremendous upside. Third-party sales agents and distributors may hold the keys to new markets and dramatically increased revenue. New acquisitions may double or triple the size of a business. But these third-parties often come with risk.

Risk mitigation is part and parcel of a compliance officer’s job. Because greater than 90% of FCPA cases involve the use of a third-party, third-party risk mitigation is key to having a successful compliance program. But how is third-party risk mitigated? And how do we know if we’re doing it effectively?

In honor of this week’s launch of the Focus Series course on Creating a TRULY Risk-Based Third-Party Program (information HERE), let’s go through the ultimate mitigation toolkit. The following are ten different ways that third-party risk can be mitigated, along with a description of the activity and an example of how each has been used by clients of Spark Compliance Consulting.


It’s HERE! The long-awaited official launch date for our Focus Series Course on Creating a TRULY Risk-Based Third-Party Program is here!

Regulators have been 100% clear – you need a risk-based third-party program. But what does that actually mean? And if you already have a due diligence program, how can you know if it is truly risk-based? We have the answer. In this Focus Series course, you’ll learn exactly how to build a risk-based program, or to refine the one you have. You’ll finally be confident that you have a truly risk-based program.

The course is built into three substantive modules with videos and downloadable tools to help you create your optimized program. This includes:

  • How to choose your risk model and evaluation criteria (with huge numbers of examples)

  • How to create a truly risk-based due diligence strategy, using multiple escalating levers

  • How to deal consistently with red flags using the red flag matrix

  • How to use the mitigation toolbox to complete your third-party risk mitigation strategy

You’ll have everything you need to create or optimize your program to meet regulatory expectations and to sleep better at night! Best, for the next TEN DAYS ONLY, as a Compliance Kristy reader, you’ll get 20% off the course using Discount Code “CL” at checkout.

What are you waiting for? Let’s get started! For more information and to sign-up, click HERE!


JOIN ME: Just in time for Halloween, webinar on the Top Ten Third-Party NIGHTMARES!

Just in time for Halloween, I’m joining with Compliance Line in a webinar to reveal the Top Ten Third-Party Risk NIGHTMARES. In this fast-paced webinar, we’ll be diving into the fear-filled world of bad third-party risk management and poor due diligence practices, plus share practical, real-world advice on what to do about them. You don’t want to miss this exploration of the dark underside of poor risk management. Learn how to wake up feeling great about your third-party program with straightforward solutions to these nightmarish problems.

THIS THURSDAY (October 29) at 12:00 p.m. Eastern. SIGN UP HERE.


Third-Party Due Diligence: EVERYTHING You Need to Know to Develop a REAL Risk-Based Approach

This is a guest post written by Ramsey Kazem, East Coast Vice President at Spark Compliance Consulting. It’s everything you need to know to develop a REAL risk-based approach to your third-party due diligence program.

This is Part II of a two-part series describing how to design a third-party due diligence program that will meet the expectations articulated in the April 2019 guidance document issued by the Department of Justice (“DOJ”). In Part I, we focused on how to define the scope of a third-party due diligence program. That is, we discussed the key considerations in (1) selecting the risk areas for which the due diligence program will screen, and (2) identifying the third-party relationships that will be subject to due diligence scrutiny. In this second part of the series, we will explain how to develop a risk-based due diligence process to effectively screen the in-scope third-parties for compliance-related risks.

Developing a Risk-Based Due Diligence Process

After deciding which third-party relationships will be required to undergo due diligence scrutiny, the next step is to develop the review process. In designing the process, it is important to remember that there is no one-size-fits-all solution. In fact, the DOJ’s guidance reminds us that a company should develop a process that is reasonable given the size and nature of the company and/or its business transactions. On one end of the spectrum, this means that companies will be expected to develop a robust process supported with substantial monetary resources. On the other end of the spectrum, a more limited process may be perfectly acceptable. Regardless of where your company falls on the spectrum, the following factors should be considered in designing the due diligence review process…
