The consequences of improper due diligence

Operating a global business today requires efficiently managing a network of external partners who supply product components, execute operations in foreign markets, operate call centers, or act as external consultants or agents.

The wide range of specialized capabilities and skill sets of a well-maintained third-party network makes operations easier for both the organization and its customers. But many organizations, from small businesses to multinational corporations, rarely can afford the time and effort required internally to manage these often complex third-party relationships.

Because of this, the risk of unethical business practices, bribery, and other types of business corruption potentially increases if improper due diligence is carried out on external partners. The ramifications of a scandal involving an outside partner can easily bring an organization down, resulting in risks such as a damaged reputation and brand devaluation, regulatory violations, legal proceedings, and potential fines and jail time for directors. The only way to fully protect the assets of the corporation, therefore, is through a robust and viable third-party risk management program.

Creating a third-party risk management program is not a passive process. It takes time and effort on an ongoing basis, as the risks associated with third-party partnerships are constantly evolving.

Consider the events of this past summer, during which legislators from three separate nations signed new regulations and enforcement standards into law. Certainly, if your organization’s third-party risk management program cannot quickly adjust to these new regulations (or is not designed to anticipate future legislative moves), your organization is truly at risk.

Cutting corners: not worth the risk

Still, too many organizations are willing to tempt fate by taking shortcuts in developing and implementing their third-party risk management program. Certainly, building a robust risk management program requires a significant investment of time and resources (both internal and external), but the consequences of not getting it right could be dire.

One way that organizations try to cut corners is by relying on stagnant or outdated tools to monitor, detect, and prevent risks. Almost always, it is necessary to hire outside industry professionals with a proven track record of successful due diligence experience.

Relying too much on “desk” due diligence is another dangerous shortcut. Desk due diligence is an important initial step of the investigation process, which includes background checks, link searches, regulatory filing investigations, and environmental reports. And while it is a vital component of any effective due diligence program, it is not enough to thoroughly evaluate a third party.

Truly understanding a potential partner’s business requires a considerable amount of face-to-face time with the external organization’s leadership, operations management, and even current clients. This “boots on the ground” process will detect potential risks that are often hidden from a distance and undetectable by web-based discovery tools.

The “boots on the ground” approach also helps establish the relational dynamics necessary for ongoing negotiations and provides insight into two of the fastest growing issues in third-party risk management: bribery and labor management.

Bribery as a compliance issue

Anti-bribery and anti-corruption compliance is a fast-moving target. New anti-bribery laws and regulations are being enacted around the world at a relentless pace. To further complicate matters, many countries may have laws in place, but lack the capacity to properly enforce them. When this is the case, the onus falls on your organization’s due diligence program to ensure detection and protection.

High-profile investigations in recent years have contributed to the rapid emergence of bribery and corruption as a social problem. Never before has such a dramatic contrast been established on a global stage between those who engage in bribery and those who suffer as a result. Any organization embroiled in a bribery scandal has to deal with more than just a legal mess. It has a long battle to regain the trust of its shareholders, employees, customers and the public.

Conducting sufficient due diligence surrounded by such varied factors is a job that must be done in person. Gaining insight into a potential partner’s company culture requires a level of immersion with the organization’s leadership, management, and staff. When it comes to assessing bribery risk, some red flags can only be discovered on the spot.

Labor issues and compliance

From overtime problems and underage workers to unsafe working conditions and poorly documented accidents, labor compliance represents an important component of any robust third-party risk management program.

Again, inadequate attention to risks related to labor compliance can lead to hefty penalties. Understanding which industries, geographic regions, and management structures raise the organization’s risk is key to efficiently operating an effective due diligence program. This understanding is almost impossible to guarantee through “desk” due diligence. Spending the necessary time in person is the only way to ensure that a potential supplier is adequately compensating and managing employees while providing a safe work environment.

Make no mistake, even if your agreement with an external partner places the responsibility for payroll issues firmly on the supplier, your organization, as a joint employer, may still be responsible in many countries. After all, the work done at your partner’s facility benefits your organization’s bottom line.

Better practices

The demands of identifying and measuring third-party risk, monitoring those potential risks on an ongoing basis, and making recommendations based on empirical research are best met by a dedicated team of outside professionals. And while no two organizations are the same in terms of risk profiles, several factors have become consistent in building a strong and effective due diligence program:

Planning. Without a well-thought-out plan outlining ongoing monitoring efforts with assigned roles and responsibilities, efforts to mitigate risk will be messy at best and sluggish at worst. With a well-established and management-advocated program that identifies membership-specific risk factors, a process to address red flags, and a mechanism in place for ongoing review, the organization will remain vigilant in its efforts to protect itself from liability.

Documentation. Due diligence efforts are only as good as the information and data collected and secured. Thorough documentation and reporting enables the organization to recognize trends, communicate analysis, and sustain efforts during any future personnel changes. Effective risk management programs have established guidelines to capture data, contracts, and investigations with consistency.

Culture. An organization where the leadership, management, and workforce do not take third-party risk seriously will never be adequately protected against risk. Successful organizations in this sense are dedicated to building a culture in which each employee feels personally involved in the risk management of the operation. Employees must feel empowered and encouraged to report red flags. Passive commitment is simply not enough.

Done properly, third-party risk management can effectively save your organization from risk, liability, and other dangers often associated with outside entities wanting to engage and transact with your business.
