camera lens


Third party due diligence

Augmenting technology with necessary human insights

Third-party relationships may create a variety of risks for companies, including corruption exposure, cyber threats, and impact on brand and reputation. A large company can have tens of thousands of third parties that should generally be subjected to customized levels of due diligence in order to identify, mitigate, and potentially avoid these risks.

Technology’s role in enhancing third-party due diligence

Software tools are now available to help companies vet individuals and/or companies in countries around the world for legal, ethical, or financial issues or other red flags. These solutions automate a portion of the work associated with risk management and compliance activities, including documentation, workflow, reporting, controls, surveys, testing, external research, and remediation.

An investigative database aggregation platform is used to gather and analyze relevant information about the third party from a variety of external sources. The database aggregator is designed to enable a single, simultaneous search of numerous open-source and subscriber data feeds. For example, a database aggregator may include several data feeds that allow searching of global regulatory actions, media reports, sanctions and watchlists, lists of politically exposed persons and state-owned entities.

The information gathered from external database sources via an investigative platform helps investigators to develop a potentially rich profile of a third party, but that’s not the end of the story.

The value of human insights

Agree on an appropriate methodology using a risk-based approach. It is imperative that companies implement a risk-based approach to focus due diligence efforts on higher-risk third parties to best prioritize limited resources. A risk-ranking methodology should be created and third parties classified as low, medium, and high risk before initiating due diligence. This classification should be based on predefined risk categories (i.e., jurisdiction, interaction with government officials, total spend/ annual sales, etc.) and will vary based on risk exposure. A "one size fits all" approach for due diligence will not suffice in today's regulatory environment and should be the end result of an overall third-party risk assessment conducted by the company.

Identify appropriate talent. Good investigators come from a variety of backgrounds, including lawyers, journalists, and other professionals with a knack for research, thinking critically, and extracting and reporting insights. Given that the riskiest third parties are geographically dispersed around the globe, a team of analysts should be skilled in multiple local languages and have knowledge of industries, key players, as well as the regulatory, political, and social climates in dozens of countries.

Accurately interpret and analyze the data. Personnel reviewing and analyzing data on the third parties should be knowledgeable about the local government, economic environment, principal industries, and political figures. They should know the schemes and issues that other companies have faced in the locale, which enables them to provide valuable insights into the due diligence process. For example, a skilled investigator with knowledge of the local jurisdiction may be able to identify subtle risk indicators, such as a known political figure, that is not flagged by a database of politically exposed persons.

Back to top