Your third parties and their business integrity are constantly fluctuating. One moment they look totally fine and the next they are caught up in some regulatory issue, litigation or a customer recall issue. Most of the time this is happening under your nose and no one is monitoring the situation. In most companies, ‘monitoring’ the situation is about checking a sanctions watchlist. That would be good if the likely change is being put on a sanctions list, but this almost never happens. The change in integrity of a supplier or third party is almost always more nuanced and is not going to appear on a ‘list’ or ‘database’.
In our view, your monitoring programme MUST include a repeat of the due diligence at regular intervals. There is simply no other effective way of monitoring the potential changes in their integrity. Your monitoring programme needs to focus on new compliance risks, new business risks, new misconduct or a change in the third party’s operational status since the previous due diligence was conducted that would materially impact your business. This can only be done by repeating the due diligence.
The following are the top reasons why you should be doing repeated due diligence as part of your monitoring programme:
Check on things you identified the first time around. It is likely as part of the original due diligence that you identified limited or minor compliance risks when you onboarded. It could be an on-going legal dispute, pending investigation, labour dispute or debt recovery incident, that had no direct or immediate impact in your business relations with your third party. Doing another due diligence will help you to appropriately manage these risks.
New inclusions on blacklists and sanctions lists. It is possible that the companies could be included in new watchlists and blacklists. Unlikely, but possible. It is always worth a check daily to see if these have been changed. These lists are always checked as part of due diligence but are also easily checked through a subscription to a database.
Shareholder or ownership changes. Your third party may go through a management buyout or change its ultimate beneficial owner. When this happens, you need to know all the controlling authorities in your third parties. You do not want your business partner to be controlled by a blacklisted individual or sanctioned entity. What if a competitor took an interest in the company? What if one of your procurement executives or their family members took an interest? Conducting periodic due diligence renewals on your existing third parties and checking specifically their corporate registry changes will help you know if there are any new risks.
Potential change in their business strategy. Your third party or supplier may have changed their distribution capabilities in certain markets. Doing another due diligence review may determine whether the company is capable of handling increased quantities of your product. It would be costly for your brand if your third party is not able to meet demand due to its inability to handle large quantities. The cost here is even greater if there is a recall because you may be required to compensate the consumers and spend a fortune on fixes. This will also have a negative effect on your brand and reputation.
Changes in geopolitical environment. Your third parties may be operating in a market that is dependent on geopolitics. You could be undertaking oil and gas explorations in a market where decisions are determined by local politics and geography. It is for this reason that you will be required to renew due diligence on your existing agents to take account of certain geopolitical circumstances: change of government, policy change or discovery of new crude oil reserves within or outside your designated exploration zones. In some markets, a change of government means a change in policies. This means that you risk losing your investments in the event that a rogue administration decides to abruptly revoke your exploration or mining rights. That is why it is worth a second check on a regular basis.
Reassess their financial stability. Your third party may be experiencing financial difficulties or be in the process of filing for bankruptcy. This could happen without your knowledge. Therefore, conducting another due diligence will give you an opportunity to reassess your partner’s financial position. You do not want to engage in business dealings with a third party whose balance sheet is uncertain. Your third party should have a stable financial base so that you are assured of business continuity.
Evaluate their compliance programme. Your third party may have its own compliance and risk management system. However, to assess its efficacy, you need to repeat due diligence so that you can evaluate and confirm its effectiveness. You will also want to review their code of conduct and check if they provide compliance training to their employees. Failure to evaluate and monitor your third party’s risk management process is an assumption of risk and you could be prosecuted, fined or even blacklisted for the misconduct committed by your third parties.
Check if they are outsourcing or subcontracting. Your third party may be engaging subcontractors to undertake certain projects on your behalf without your knowledge. This is often common in underdeveloped and risky markets. Therefore, to ensure that you are not found liable, you need to perform a due diligence review to ensure that your third party’s subcontractors meet your expectations and compliance requirements. One of the biggest risks you want to avoid at all costs is one that is committed by your third party’s subcontractors, because if it is exposed, you lose the confidence and trust of your clients, who now know that your third parties outsource some of your projects.
Review their performance. Performing repeated due diligence on your third parties is a good way to assess their performance and suitability for contract renewal. When you do another due diligence review, you will be able to determine whether to terminate or continue your business relationship with your third party without being held liable for breach of contract. The downside of not performing performance appraisals on your third parties is that you may end up working with a partner that is unable to meet your KPIs. This will eventually affect your revenue targets.
Gather additional business intelligence and new data. When you repeat due diligence, you will be able to collect new intelligence on your third parties and update your records accordingly. A repeat due diligence review will help you to ascertain whether your third party has the necessary licences and certifications or if it has renewed the ones that require annual renewals. You constantly need to have updated intelligence and records on your third parties as part of your audit process and good business practice.
Identify and manage risks before they escalate. Risks can spread like wildfire if not effectively managed. You need to identify any potential risks and manage them before they ruin your reputation, brand and integrity. A repeat due diligence review can help you identify and manage new risks. What you want to avoid is a case where an issue is identified and left to escalate to a level where you are forced to make self-disclosures, get fined or sanctioned.
It is part of third party ongoing monitoring. Conducting repeat due diligence is one of several strategies to keep an eye on your third parties. It is very important that you do another due diligence review so that you maintain regular checks on your partners as required by regulators. Not maintaining regular checks on your partners is a breach of good business practice and can expose you to business risks. Hence you need to repeat due diligence at regular intervals.
The Red Flag Group helps multinational companies manage their due diligence renewal programmes, third party due diligence and ongoing monitoring through our expert team of SCCE-certified compliance professionals.