Last spring, the Department of Justice issued a guidance document, which outlines the specific factors prosecutors consider in evaluating a company’s compliance program and deciding whether to bring charges, negotiating plea agreements, or offering leniency in assessing penalties. The guidance makes clear that a “well designed compliance program should apply risk-based due diligence to [a company’s] third-party relationships.” That is, a company must have a process in place to perform an appropriate level of due diligence before engaging a new third-party. This process must be current, effective, and risk-based.
While the expectation is clear, the process by which a company meets this expectation is not as straightforward. As with most things in compliance, there is no one-size-fits-all solution to satisfying this standard. Indeed, a company must develop an approach to third-party due diligence that fits the company’s size, structure, industry, geographical presence, and risk profile.
So how does a company go-about designing a third-party due diligence process that will meet the expectations described in the DOJ’s guidance document? In this two-part series, we will share some guidelines and best practices for undertaking this effort. In this part I of the series, we will discuss how to define the scope of a third-party due diligence program. In part II, we will explain how to develop a risk-based process to effectively screen the in-scope third-parties for compliance-related risks.
Defining the Scope of a Third-Party Due Diligence Program
The first step in designing a third-party due diligence program is to define the scope of the program. To do this, a company must take a risk-based approach to (1) selecting the risk areas for which the due diligence program will screen, and (2) identifying the third-party relationships that will be subject to due diligence scrutiny. Each of these elements will be discussed in turn.
Selecting the Risk Areas. Not every compliance risk area should be included in a company’s third-party due diligence review. Instead, a company should review its risk assessment and determine which of the risk areas are most impacted by the company’s third-party relationships. The risk areas that are most commonly affected by using third-parties include bribery and corruption, data privacy, anti-trust, trade sanctions, and human trafficking. In addition, reputational risk can also be impacted by a company’s third-party relationships.
In selecting the risk areas to include in its due diligence review, a company should be guided by its risk assessment. Specifically, the high-priority risk areas that are substantially impacted by the company’s third-party relationships should be within the scope of the due diligence review.
Identifying the In-Scope Third-Party Relationships. After selecting the risk areas for which the due diligence program will screen, the company must determine which of its third-party relationships will be subject to due diligence scrutiny. Obviously, not all third-party relationships will present a risk in the selected risk area(s) of the due diligence program. For example, a company’s paper supplier presents little to no bribery and corruption risk and should not be required to undergo a due diligence review for that risk area (unless modern slavery has been included in the risk areas).
To narrow down the universe of third-party relationships to include in the due diligence process, a company should take the following approach:
1. Identify all categories of third-party relationships used by the company. This does not require the company to identify each individual third-party with whom it does business. Instead, it should identify the categories of third-parties based on the nature of the relationship with the company. Common third-party categories include customers, material suppliers, sales agents, distributors, marketing consultant, lobbyists, professional services providers, subcontractors, vendors, logistics providers, subsidiaries, joint venture partners, etc.
2. Evaluate the level of risk presented by each third-party category. After identifying all the third-party categories with whom the company does business, each category must be evaluated and risk scored. That is, each category must be evaluated to determine the level of risk it presents for the risk area(s) to be screened by the due diligence process. This evaluation and risk scoring do not have to be overly sophisticated and it is perfectly acceptable to use a simple 1 to 5 scoring scale or low-risk, medium-risk and high-risk designations. However, it is critical to use a defined criterion relevant to the risk area(s) to evaluate the third-party categories. For example, for a bribery and corruption due diligence program, the third-party categories may be evaluated and scored based on one or more of the following risk factors:
the type of work performed by the entities within the category
the regions of the world where the work is performed
the frequency of interactions with government officials, if any
the amount of control over the entities within the category
the compensation structure and whether the third-parties compensation is commission or performance-based
the types of existing safeguards or controls in place, if any
3. Rank the third-party categories. After evaluating and scoring each third-party category against the criterion, the third-party categories should be ranked from highest to lowest.
4. Determine your company’s risk tolerance. Recognizing that some third-party categories will present tolerable risk, determine the company’s risk tolerance, otherwise known as “risk-appetite.” In other words, what level of risk is the company willing to accept in its third-party relationships? Once this is determined, refer to the ranked list of third-party categories and draw a line where the company’s risk tolerance sits. All third-party categories above the line (i.e., those that are above and exceed the company’s risk tolerance) are “in-scope” and will be required to undergo the due diligence review process. Any third-party categories below the line (i.e., within the company’s risk tolerance) are “out of scope” and exempt from the due diligence review process.
5. Develop clear definitions for each in-scope third-party category. After identifying the in-scope third-party categories for the due diligence process, the next – and, perhaps, the most difficult – step is to develop clear and easily understood definitions for each in-scope third-party category to be distributed to the business teams (or those responsible for submitting the third-parties for due diligence review). The definitions should describe the type of work performed by entities in the category using non-legal and non-technical business terms. It is critical that all areas of the business have a common understanding of the types of business relationships that fit within each category so that all in-scope third-parties are consistently submitted for due diligence review.
6. Use qualifiers were appropriate. It is not unusual that the degree of risk for entities within a given third-party category can vary. In such circumstances, it is entirely appropriate to consider using qualifiers, thresholds or exemptions. In so doing, it is essential that the qualifier, threshold or exemption is based on an objective criterion (e.g., volume of business, contract size, number of transactions, size of the organization, etc.) that is related to the risk.
The Department of Justice’s recent guidance document clearly asserts its expectation that compliance programs include a risk-based due diligence review process for a company’s third-party relationships. As discussed above, the first step in this process is defining the scope of the due diligence program in terms of the risk areas to be reviewed and the third-party relationships to be screened. The next step, which will be discussed in part II of this series, is developing a risk-based process to screen the in-scope third-parties and respond to any adverse findings in a consistent, effective and efficient manner.