Third Party Due Diligence – a vital but challenging process | Deloitte UK
For multinational organisations dependent on a growing network of external third parties, failure to properly manage the increasing number of risks posed by such relationships can have serious consequences, including regulatory fines, criminal prosecutions, reputational damage, and operational impact.
Regular headlines about organisations caught out by issues of corruption or tax evasion in relation to donors, agents, distributors or joint venture partners highlight more than ever the need for effective Third Party Risk Management (“TPRM”) including Third Party Due Diligence (“TPDD”), and the cost of getting it wrong.
Similarly, supply chain integrity problems such as human rights issues – including the alleged use of forced labour by suppliers – all too frequently see established and otherwise reputable brands brought into the headlines for the wrong reasons. Indeed, the question of product safety, and the traceability of product components through the supply chain, is one which continues to be of key importance in a number of sectors (including the food, pharmaceutical, and luxury items sectors) with even legitimate distribution channels in developed nations being increasingly infiltrated by counterfeits.
Increasing regulatory pressures and the need to mitigate an increasing range of risks therefore make it essential that any approach to understanding and assessing an organisation’s third parties is risk-based and proportionate, allowing for the efficient distribution of resources while reducing overall risk exposure.
Based on almost 25 years of helping clients manage third party risk through effective due diligence, we have identified six considerations and questions that we believe are important in effectively taking on this challenge:
1. Do you understand your third party population and the different levels of risk posed by your third parties?
Key to successful TPRM is understanding your third party population and the type and severity of risk they may pose to your organisation, as different third parties will typically require a different approach. For distributors and agents for instance, bribery and corruption remain a significant risk, while with an ever-increasing public focus on ‘responsible’ value chains, violations relating to human rights or sustainability issues will be key when looking at suppliers.
Understanding the severity of risk posed to your organisation by different third parties allows for the most efficient distribution of resources (both in terms of budget and of internal and external specialists) when mitigating risks associated with these relationships, allowing you to focus greater resources on those third parties performing the highest-risk activities or that are of most strategic importance to your business.
Risk segmentation is therefore the foundation of any successful TPRM programme, and requires an organisation to understand and map out who its third parties are; where they are located (and who their contacts are within the organisation); what services they provide to the organisation; what regulations apply to the services being provided; how strategically important they are; and how these factors affect their overall risk profile.
2. Does your approach to TPDD adequately mitigate the relevant risks?
TPDD is a core component of any successful TPRM framework, and a thorough understanding of one’s third party population enables TPDD to be conducted proportionately and on a risk basis, typically using a tier-based approach with the level of screening conducted proportionate to the risk presented by the relationship. For instance, automated screening tools can be extremely helpful in screening higher volumes of third parties considered lower risk, whereas higher risk third parties – or those of strategic significance to the organisation – typically require a more in-depth human-led approach conducted by subject matter experts with knowledge of the relevant regulatory frameworks and research tools, as well as jurisdictional complexities and nuances.
Segmentation further allows an organisation to screen against multiple relevant risks for a particular third party, beyond just anti-bribery and corruption (the traditional domain of TPDD). Such risks may include environmental issues, labour issues, human rights and child labour issues as well as food safety, all of which are also subject to regulatory pressures and are increasingly coming under close scrutiny by the public, with the potential for significant reputational fall-out for any organisation perceived to not be adequately addressing and combating such issues.
3. Are your third parties screened on a regular – or even ongoing – basis?
When considering whether your TPDD approach successfully mitigates the relevant risks, it is also important to consider how you monitor your third parties once the initial due diligence exercise has been completed. While routinely reviewing risk assessments (for instance refreshing searches every 2-3 years) does contribute to reducing risk exposure to a certain extent, leveraging technology to monitor these on an ongoing basis (a relatively new development in this space) is a cost-effective tool that can help identify substantial issues in “real time”.
In recent years, for instance, a multinational industrials business paid the US Securities and Exchange Commission and Department of Justice millions of dollars in fines to settle FCPA offences relating to the payment of bribes by its intermediaries to officials in various jurisdictions over a period of several years. There had been allegations of wrongdoing by the intermediaries in the public domain years before the company was investigated, which ongoing monitoring would have identified much sooner and allowed the company to cease – or more tightly control – its relationship prior to the damage being inflicted on the company itself.
4. Does your organisation have central oversight over the TPDD approach?
Is there sufficient SME specialism to deal with the outputs of any TPDD activities? While some organisations closely control and manage TPDD activities centrally, others devolve responsibility to their regional businesses. In our experience, while regional teams can add invaluable jurisdictional insight into the TPDD process (for example in terms of which individuals should be included and the risk profile and areas of focus of certain local third parties), some level of central oversight is vital to ensure consistency across the process and to avoid the temptation for certain local businesses to perform less meaningful due diligence activities so that revenue generating activities are not “undermined”. This does not mean a single standard methodology should be employed across the world – indeed it is vital that for higher risk third parties TPDD is done using meaningful local data sources and by individuals who understand jurisdictional nuances – but where different approaches are taken across regions this should be a deliberate choice.
A centralised ownership approach to TPDD also allows for consistency and accountability in any required remediation activities, for example in responding to TPDD that identifies allegations of corruption or other risks. In turn, it is essential that those dealing with such issues have adequate understanding of the applicable regulatory frameworks to ensure that these items are dealt with adequately.
5. Have you defined your red lines from a risk perspective?
Another important component of a successful TPDD approach is understanding your organisation’s risk appetite, defining deal killers and having a clear process in place to deal with the results of the due diligence risk assessments as well as any non-compliant third parties. It is key that action is taken where required to minimise exposure to risk, not least because, should something go wrong, being aware of specific risks and not acting on them will not be viewed positively by any regulator.
6. Are you using technology to enhance the value, efficiency and cost-effectiveness of TPDD activities?
In addition to the above-mentioned developments in automated ongoing monitoring, we have seen many clients’ ability to successfully manage TPDD and TPRM enhanced by tech-enabled TPRM platforms that automate actions (such as populating questionnaires, risk segmentation activities and remediation activities), ensuring that key risks are not missed; allowing your internal specialists to avoid admin tasks and focus on what is important; and also helping with the central oversight point set out above. There are now a number of different tools that can be configured specifically to your organisation’s needs, which many companies operating in emerging markets are now utilising to their benefit.
Mark Bethell is a partner in the UK Extended Enterprise (“EE”) practice. Mark rejoined Deloitte in 2015 after spending four years at a global FTSE 5 company. Whilst working there Mark led the design and implementation of a global third party risk management framework. Mark’s other roles whilst there included membership of the internal audit leadership team with accountability for all internal audit work performed in relation to the extended enterprise (contractors, suppliers and joint ventures). Since returning to Deloitte, Mark has led a number of projects to help clients across many industries manage the risks associated with the extended enterprise. He has helped his clients to design, build, and implement third party management frameworks and design and operate large-scale, global programs of third party audits covering a variety of risk types. Mark specializes particularly in the implementation of EE managed services for his clients, and in the ongoing development of technologies to automate third party management activities, from contracting to ESG data collection and validation, through to real time risk sensing.
Jorge leads the Corporate Intelligence Services team in London, which he joined in May 2011 after working with two London-based political risk consultancies and for NATO in Belgium. Jorge is fluent in Spanish and has lived, worked and travelled extensively in Latin America. During his career he has managed many hundreds of investigations into a wide range of entities and individuals globally, across a diverse range of sectors, and now oversees the team’s delivery of due diligence reports to a wide range of clients.