The Tough Stuff: Handling Legacy Third Parties, Part II


You need to put the third parties the company has been working with for years (known as legacy third parties) through due diligence. Nothing in the regulatory guidance says they are immune from review. Heck – they may be the highest risk third parties of all.

Many times, you’ll find third parties with handshake deals from a decade or more ago. No anti-corruption terms. No supplier code of conduct. No terms at all, except “this is how we always have done it.”

Part II

This is part two of a two-part series of blog posts examining what to do with legacy third parties. The first part dealt with pushback, resourcing, mandate, and commitment. It can be found HERE.

This post deals with the thorny question of how to roll out your third party due diligence program onto your legacy third parties.

Options for Roll-Out

Different companies will take different approaches to rolling out their legacy third party due diligence program. Here are some options.

Start High

One approach is to start with the high-risk third parties and then work your way down to the lower-risk ones.

Pros: This approach matches regulatory guidance endorsing a risk-based approach. It is easily defensible to the business, as you’re taking a strategic approach that interrupts only high-risk relationships early on.

Cons: Some in the business won’t agree with your definition of “high risk.” This approach prolongs the pain of putting all third parties through due diligence because it spaces them out over time.

By Role

Another approach is to start by role, meaning the actions taken by the third party on behalf of the company. For example, the process could start by evaluating distributors, consultants, resellers, or professional service providers.

The best application of this approach is to review which roles/types/categories of third parties have high-risk activity (e.g., likely interaction with government officials on the company’s behalf, or presence in a heavily sanctioned country).

Pros: If the company ranks third party roles/types by risk level, it will be taking the risk-based approach favored by regulators. There are likely only a small number of employees choosing any specific type of third party, so it may be easy to roll out the program to this small group.

Cons: This approach prolongs the pain of putting all third parties through due diligence, which can create ill will.

By Spend

Legacy third parties can be reviewed using the amount of money spent with or on them to determine who goes first. After all, it’s much easier to get in trouble spending $500 million with a third party than $500.

Pros: This is a risk-based approach that is likely to uncover bad actors with the least amount of continuing financial pain for the company.

Cons: Many of these high dollar third parties may be in countries with low risk for bribery, corruption, and/or sanctions issues. The value of the contract is often not the most important driver of third party risk.


By Country or Business Unit

Another approach is to review legacy third parties by country or business unit.

Pros: The entire country or business unit is disrupted at one time, which allows you to focus your efforts without getting too overwhelmed. You can finish one before starting another. You can also start with/focus on higher-risk countries from a bribery, sanctions, and/or modern slavery perspective.

Cons: If a country or business unit has too many legacy third parties, it may be too much to handle at one time.

At Contract Renewal

Many companies choose to put their legacy third parties through due diligence only at contract renewal.

Pros: Since the contract is being renewed, there isn’t the challenge of unilaterally trying to get more information than is typically required under legacy contracts. Additionally, if negative information is found during the due diligence process, negotiations can typically be stopped to let the current contract expire, freeing the company from the third party.

Cons: If the company has evergreen contracts or handshake agreements, there may not be any cadence for renewal. This means that exceptions need to be made, or choices considered on a one-by-one basis. Additionally, higher risk third parties may wait months or years to be reviewed if they have a long-term contract.

All at Once

It’s possible to roll out the legacy third party due diligence program all at once.

Pros: This approach has the band-aid effect – the pain comes all at once, but then it’s over. Dealing with complaints simultaneously may be easier than going through the challenges one country, business unit, or third party type at a time.

Cons: If there are hiccups in the process, you can’t fix them easily. Lessons learned in a staggered roll-out can’t be applied if the whole process is rolled out at once. Also, if too many third parties go through due diligence at the same time, the compliance team may be overwhelmed trying to clear all of the red flags, leading to frustration within the business.

What to Do

There isn’t one right answer when it comes to processing legacy third parties through due diligence. Choose an approach and go with it.

Pilots are Your Friend

Regardless of which path you take, we at Spark Compliance always recommend performing a small pilot to ensure the process is working. This will help you to identify any gaps or technological problems that need to be fixed before the wider roll-out.

A pilot allows you to consider feedback to make the process more palatable for your broader rollout.

It’s Not Easy

This series was called “the tough stuff” for a reason. Very few activities get businesspeople as riled up and defensive as second-guessing the third parties they work with already. Relationships run deep, and intruding upon them can create tremendous ill will, both with the businessperson and with the third party.

That being said, it’s necessary to protect the company with good due diligence. Just because a third party has been doing business with the company for years or even decades doesn’t mean that they’re doing that business ethically and in compliance with the law. Due diligence will help prove that one way or the other.