Third Party Risk Management: Not Just Due Diligence
The term “due diligence” is an overused expression in the compliance world. It has become a term meaning heightened concern or investigation. No one can really define what it means, except to say that it has different meanings in different contexts. Some would say it is a term of art in the legal and compliance world. It is misleading to add the word “investigation” to due diligence, suggesting that a due diligence investigation is something different from conducting due diligence alone.
When it comes to third party corruption risk, it is time to retire the term “due diligence.” Besides the definitional concerns, there is a substantive reason for a new approach.
In the anti-corruption space, third party due diligence is often used to describe the process for onboarding a new third party intermediary. In practice, however, we all know that onboarding a new third party is just the beginning of a more important process: third party risk management.
I would propose that we jettison the term “due diligence” and begin to use a clunkier term such as “third party risk management.” Why am I making things more complicated? I guess I want the description of the function to be more accurate.
A company that takes a narrow view of the due diligence function and just devotes resources and attention to the onboarding process is bound to get into trouble. Managing third party risk is a continuing process. It starts with the initial engagement but continues throughout the business life of the third party.
Once a third party is engaged, the company has to devote time and attention to monitoring the third party’s activities. Assuming that the contract with the third party includes specific requirements for invoicing, description of services and other terms, the company has to monitor compliance with these requirements. Accounts payable may play an important role in reviewing invoices and identifying potential issues. In addition, company sales and operations personnel will be interacting with the third party on an ongoing basis and should be alerted to potential red flags or issues that may come up and require follow-up inquiries.
The company’s auditing program should include third parties. A financial and compliance audit can be conducted as a way to identify potential risks and ensure overall compliance by the third party. An ongoing auditing program of third parties is an important component of overall risk management.
A company has a variety of techniques available to conduct audits that range from informal spot checks all the way to formal compliance and financial audits. Chief compliance officers should work closely with their auditing partners to develop appropriate strategies to monitor and audit third parties.
When a third party’s contract comes up for renewal, companies have to conduct fresh due diligence. This is an opportunity to reexamine the company’s relationship with the third party, collect valuable data (including the initial due diligence), and verify key issues relating to the performance of the third party.
Companies often ignore the opportunity to conduct renewal due diligence as an important component of overall risk management. In many cases, seeing no problem with the third party, companies will quickly execute a renewal contract on the same terms and conditions as the initial contract.
Third party risk management requires a different approach. Third party risk is always changing, and information is the key to identifying and assessing potential risk. When a third party is up for renewal, the company has an opportunity to refresh its due diligence examination, collect key real-world experience data, and renew the due diligence as a way to mitigate any potential risks.
As the compliance field moves away from the narrow scope of due diligence, I am optimistic that the new and more accurate term of art will land on third party risk management. After all, if the term fits, chief compliance officers should embrace it.