The 7 Commandments of a Successful Third-Party Due Diligence Program

What makes a third-party program successful?

Is there some sort of magic that separates the wheat from the chaff?

Why do some programs seem to thrive while others collapse under the weight of angry businesspeople going around the compliance department?

As Tony Robbins says, “Success leaves clues.”

And here at Spark Compliance, we’ve not only seen but set up and reviewed a huge number of third-party due diligence programs. 

From starting them from scratch and updating them when they’ve gone stale to performing wholesale evaluations with recommendations for improvement, not a day goes by when we’re not engaged in at least one client’s program.

We’ve seen the good, the bad, and the ugly.

We’ve seen programs thrive and fail and everything in between.

After all this review, patterns emerge. We’ve found that there are 7 consistent elements that tell us early on whether a third-party program will succeed or fail:

  1. A mandate

  2. Leaders communicating the mandate

  3. A sufficient budget

  4. The business has an obligation to participate

  5. Program consistency

  6. Having a risk-based approach

  7. A single source of truth

Break one and your program will suffer.

Break all and you’ll likely have a frustrating failure on your hands.

Where do we start?

At the top of course.

Commandment 1: You Must Have a Mandate

Compliance cannot successfully implement a third-party program by itself. If compliance tries to push out the program by itself, it will be pushing so far uphill that it will inevitably collapse under the weight of the pushback.

There must be a mandate from the C-suite, Board, and/or Audit Committee to create a successful program. Someone higher up than Compliance must be invested and believe that the program is necessary.

Without the mandate, when push comes to shove and a sale is on the line, there won’t be anyone standing behind the Compliance department and people will quickly realize that the program is, in effect, voluntary.

Find your champions, and once you do, move to commandment 2…

Commandment 2: Your Leaders Must Communicate the Mandate

While having the mandate to implement the program is one thing, communicating the mandate to those who will be participating is perhaps even more important.

The communication about why the program is important and that the top leadership is behind it should come from top leadership directly.

Let’s face it - people care most about what their boss thinks. If their boss is behind the program, then they are much more likely to be as well. Get positive communications from managers even if you have to write them yourselves.

Commandment 3: You Must Have a Sufficient Budget

Budget comes in several flavors – technological, financial, and human. Each is critical for the success of the program.

Technological Budget

First, technology.

Many vendors offer third-party compliance platforms that do everything from housing records to automating the due diligence workflow. In our experience, only the smallest of third-party programs can be successful without some sort of technology assisting to make it run.

  • Technology platforms can run continuous monitoring for sanctions and adverse media. 

  • Technology can keep records all in one place instead of in myriad email boxes.

  • Technology can keep lists of approved and denied third-parties and automatically risk-rank third-parties based on the criteria you determine.

  • Technology is a lynchpin of any larger third-party due diligence program.

Monetary Budget

Next is the financial budget.

A defensible third-party program needs layers of escalating due diligence based on the risk posed by the third-party. A one-size-fits-all program doesn’t meet any regulatory expectations or best practices. There need to be multiple levels of review, including open-source investigations led by people speaking the local language, as well as boots-on-the-ground checks for the highest risk third-parties.

I have seen many companies try to save budget by not consistently ordering higher levels of reports because of the cost, but this is a short-term fix. Budget for reports is critical because a defensible program relies upon it.

One great way to manage budget is to have the business units that want to use the third-parties pay for the escalated reports. When they feel the pinch, they’ll reevaluate whether the third-party is really necessary.

For instance, the Dubai-based office of one of our clients asked to bring on 11 new distributors for the region. When they learned of the cost to process all of the reports (medium and high risk in the region), they trimmed the list to 3. This streamlined the business due diligence process as well as reducing the risk exposure of the company.

Human Capacity

And last but not least, human resources.

Many programs are over-ambitiously designed. The scope is “all third-parties” and the program is to expand to all regions immediately. While that sounds great in theory, in practice, it will be doomed unless there are enough dedicated people to clear the red flags, answer questions, and work with the business for mitigation of challenging third-parties.

The program needs to match the capacities of those working in compliance, otherwise more people need to be brought on to manage the issues. Gold-plated third-party programs that look great on paper can quickly fall apart if there isn’t capacity to run them.

Commandment 4: The Business Must Have an Obligation to Participate

The mandate from the business must include the obligation for third-parties to go through due diligence for them to be paid. If this mandate does not exist, the program is basically voluntary.

The obligation must extend to the business’ willingness to terminate third-parties or suspend contracts. Without obligation, Compliance is asking for a favor as opposed to managing risk.

Commandment 5: You Must Apply the Program Consistently

The third-party program must be administered consistently to be defensible. Many bribery enforcement actions involve a company that did not administer due diligence on the third-party bad actor because that third-party was “too important to the business.”

Some companies, in order to save budget, make a case-by-case determination of how much third-party due diligence to apply even though their risk matrix has identified the level of risk posed by the third-party.

This approach is dangerous and could result in the compliance officer sitting across from a prosecutor trying to defend why the bad actor third-party was exempt from the level of due diligence clearly applied to other third-parties with the same risk rating.

Not smart.

Commandment 6: You Must Employ a Risk-Based Approach

Those who go into compliance as a career tend to be conservative in their risk outlook. Lawyers, auditors, and financial controls folks tend to be attracted to the career.

Using a risk-based approach can be scary for those of us in the field because we’re all aware that employing one means we might miss something. And it’s true. We might miss something. But the need for a risk-based approach outweighs that fact. 

A risk-based approach should be employed throughout your program. This should include:

  • Scoping (which third-parties go through due diligence at all)

  • Level of review required

  • The requirement to complete a due diligence questionnaire

  • Approach to contract terms

  • Renewal cycle

Without a risk-based approach, the business will get fed up. If it takes as long to get a paperclip vendor in Denmark through due diligence as it takes a sales agent in Zimbabwe, your businesspeople will eventually find a workaround.

Read this step-by-step guide to developing a risk-based due diligence process.

Commandment 7: You Must Have a Single Source of Truth

Too many third-party programs are run via email. 

Attachments get deleted, people quit and their email gets shut down, and documents clearing red flags aren’t shared.

Likewise, in some companies, multiple people keep spreadsheets tracking third-parties. These tend to become duplicative, out-of-date and corrupted.

Technology can solve this problem, but if you can’t get a good third-party platform, at least set up a SharePoint site, Google Drive, or another repository for all documentation.

Can your program succeed if it fails one of the commandments?

Probably, but it won’t be as strong as it should be.

  • Share these ideas with your leaders and ask for them to support the program.

  • Request that they publicly endorse it and stand behind compliance when a third-party presents too much risk to be engaged.

  • Show them the importance of a sufficient budget by demonstrating how much time and money is wasted on manual processes. 

Remember, more than 90% of FCPA-related cases involve third-parties. A good third-party program provides the bedrock of a good defense.

It’s worth the investment and the time to do it right.