Third-party due diligence is big business. For a company, it begins when the company considers a business relationship with a third party. The third party will perform some sort of service that the business either cannot or does not want to perform itself.
The due-diligence process typically begins before the company decides to enter into the relationship, as various third parties are screened for price, customer service and other business reasons. After the business decides to hire the third party, the company ideally collects additional compliance information — usually with some sort of questionnaire.
These questionnaires include all sorts of data points related to the compliance risk posed by the relationship. They range from information on foreign officials working at a particular company to the company’s trade compliance program. Some of the questionnaires have become ridiculously long, riddled with legalese, and collect data that is not necessarily relevant to a particular compliance risk posed by the relationship.
As your organization seeks to develop a risk-based compliance program and effectively address third-party risks, we have provided five rules to assist you in revising your compliance questionnaire.
Rule No. 1: Avoid legalese. Don’t draft your questionnaire so it looks like a law school exam or like it’s excerpted from the Code of Federal Regulations. Chances are the person filling out your due-diligence form is not a lawyer. He or she may not know what your legal and compliance jargon means. If you want good answers, ask good questions.
Rule No. 2: Be reasonable. Do you really expect an organization with more than 100,000 employees in 100 countries to know if one particular manager in the United Kingdom is on some local community board part-time? Under the Department of Justice’s definition of foreign official, a local community-sports organizer may constitute a government official, because she technically does work for the city government. Who cares? Be reasonable and proportionate, and focus on the risk to your project and your relationship. Put the “due” back in “due diligence.”
Rule No. 3: Walk the walk. Don’t ask your third parties if they follow a particular compliance practice (e.g., prohibiting facilitation payments) if your company does not follow that practice. Likewise, don’t ask your vendors for something that you would object to providing to your own customers doing diligence on you.
If your compliance program is lacking in a particular area, ask if the third party has a program that addresses that risk. For instance, a few global logistics companies offer advisory trade-control compliance services to clients unfamiliar with trade-control compliance risk. Some sophisticated financial institutions will assist with anti-money laundering compliance. Often this is much cheaper than hiring a professional-services firm. If you need help, ask.
Rule No. 4: Get to the point. One lengthy Foreign Corrupt Practices Act questionnaire that has become compliance officer lore looks like a Myers-Briggs personality test. Keep it simple. Ask what you need to know to evaluate the compliance risk for the relationship, and only collect data that’s necessary to evaluate that risk. If you’re not going to use the information, don’t ask for it.
Your compliance questionnaire should be short and to the point. It should focus on the experience the third party has with the particular service they will provide, the maturity of their compliance program and compliance risks related to the particular relationship. It also should give you information you will actually use. (If possible, automate: Put the questionnaire online to make it easy for the third party to fill out and for you to process, review, consider, track and compare.)
Rule No. 5: Pick up the phone. Even the best due-diligence response will get you only so far. The best way to find out information is to pick up the phone and call the third party. Call the references. Call your operations personnel who may know the vendor well. Explain the due-diligence process, the legal requirements and the risks you are evaluating. When third parties understand the process and your concerns, you get better information. As a bonus, you always find out something that was not in the questionnaire, and you can better gauge credibility.
If you follow these rules, you’ll make your due-diligence process simpler, cleaner and more effective.