By Christopher Sindik, The Red Flag Group®
The Red Flag Group has amassed hundreds of thousands of due diligence reports in its 10-year history. During this time, the Firm has meticulously kept data on the major trends unearthed while doing research on suppliers, vendors, contractors, companies and individuals from around the world. The information provides insight into the real risk patterns of third parties, and identifying these trends and sharing it with other companies helps shape compliance programmes to better address third party risk.
The following data is taken from actual due diligence reports from 2013 to 2016. Over tens of thousands of individual reports were analysed to identify significant trends. The reports focus on particular risks in the technology industry. Due to the unique set of risks faced by companies in this sector, The Red Flag Group’s team of subject matter specialists, lawyers, researchers and analysts have highlighted the following areas so that companies can benchmark and compare their own due diligence programmes.
The goal of conducting due diligence is simple: to discover how working with a third party can potentially harm your company. Many organisations choose to rank the risk level presented by companies in summary levels of low, medium and high. This summary rating is typically based on many factors of the relationship between the third party and the company along with dozens of individual risk levels in many separate areas.
In the technology industry, The Red Flag Group has found that the majority of due diligence reports (78 percent) resulted in low risk ratings. Around 20 percent resulted in medium risk ratings and less than two percent were classified as high risk. The technology industry, on average, has a high degree of low-level risk ratings compared to other industries examined by The Red Flag Group.
One of the reasons there could be a large portion of low-level risk ratings is that companies in the technology industry often order low levels of due diligence reports on what could potentially be high-risk targets. While low-level due diligence is appropriate in some situations for some third parties, a more in-depth scope is needed to ferret out hidden or well-concealed compliance problems. It could also be because a larger percentage of the entire supplier population is put through the due diligence process and this population, by and large, presents a lower risk than other industries.
It is essential for companies to remember the main goal when examining risk levels by conducting and ordering due diligence reports from vendors or conducting them in-house. For many companies, the main purpose should be to answer this question:
How can actions involving this third party potentially harm my company?
Answering this question can be very simple or very complex depending on the unique work that the third party is doing for the company. Some potential answers are:
- The third party is a state-owned entity and we have increased exposure to bribery and corruption risks
- Work will be done in parts of the world where underage and forced labour is common
- It is unclear if our intellectual property will be properly safeguarded
- There have been rumours and stories in the media about potentially hazardous working conditions at the factories where our products will be manufactured
- Our supplier’s factory has been fined and cited for multiple environmental infractions in the past two years
- Our agents have been found to have close connections with the ruling family
- The law firm with whom we are partnering has been closely involved in a scandal regarding tax havens and shell companies
- The principal owners of the company are not clear, so the beneficiaries of awarding a contract to them could be anyone, including criminals or government officials
- The materials used in the manufacture of our products are not clearly defined so it is possible that gold, tungsten, tin and tantalum from the Congo will be used
- The company is headquartered in a residential neighbourhood and on-the-ground investigations show it to be abandoned
- The company has limited data security measures in place and our company is sharing confidential information with them.
These are only a small sampling of possible findings from a due diligence report. However, many companies do not examine these areas because they opted for cursory due diligence on a third party that could ultimately create a liability.
Over the past five years, The Red Flag Group has seen a dramatic increase in the amount of low-level reports ordered by companies. This can be attributed to the harsh economic conditions that force companies to reduce compliance spending. However, this trend is particularly alarming given the many high profile scandals involving third parties and the reputational damage caused to companies.
Most common issues found
According to statistics from The Red Flag Group, potential issues most commonly found in due diligence reports compiled on technology companies are:
- Government connections/contracts
- Politically-exposed persons and state-owned entities
- Regulatory breaches
While government connections and contracts could present only potential issues (and not clear red flags), they are still relevant and should be kept in mind considering the many underlying issues related to such dealings. Litigation is, again, somewhat of a common issue with companies but there needs to be an examination of what the litigation actually is. It could be a frivolous lawsuit, something of merit, or the first sign that the company will fold. A regulatory breach, however, is typically something that is not as much of a grey area but should be reviewed to determine the seriousness of any misconduct. Most larger companies will have some kinds of issues. However, it is important to know what kinds of violations have occurred and whether they will be relevant to your business dealings with the company.