What is the purpose of setting standard scopes when conducting due diligence?
When considering the level of diligence that is due for any particular activity, there tends to be a balance between the desire to look at the specific risks of that activity in detail and the need to build a process that is as efficient and cost effective as possible. For this reason, most companies will look at building workflows and processes that address high-volume activities – such as dealing with distributors, agents and suppliers – and tackling lower-volume activities separately.
High-volume activities will generally be assessed by their risk using standard factors, such as the service they provide, their location, the amount of business they represent, and maybe their interaction with government. Each of these factors can be categorised and from there workflow and scopes of diligence activities can be defined. However, it makes little sense to automatically apply the same scopes and workflows to activities that fall outside those high-volume risks, as the lower volume of the other activities allows for a more bespoke approach to addressing the risk.
Factors that signal the need for bespoke consideration
While the actual indicia will differ for every company, the factors that take an exercise outside the realm of standard scopes of work tend to be related to one or more of the following.
Allegations of wrongdoing against a partner or employee
Allegations might come from a whistleblower, arise after an internal audit, or be uncovered through normal management channels. Even if the partner or employee would normally be checked by a standard process, it makes sense to more thoroughly consider their background, focusing on the allegations, especially as allegations are often followed by a full-blown investigation that will require as much information as possible to be effective.
Unique or high-risk activities
Where the activity is thought to be of a different, higher risk than other activities it requires a specialised approach. This might be because:
- it is an acquisition or investment of a business (even for companies that are heavily acquisitive these cases are obviously unique in their location, business, scale of investment and plans for the future business)
- the activity takes place in a country where the company has no previous working knowledge, as even where the type of activity is normal (such as an agent or distributor), the lack of internal knowledge about how business works or what to expect makes it necessary to assess in a careful manner
- the activity is in in a new line of business – even when the type of activity and country is well known to your business, the first few times should be considered separately (after some time, it may well be that activities that form this new line of business can be treated as part of a high-volume process, but only after the institutional knowledge of the risks is gained)
- the scale of the business is significantly different to the normal, not just because the size of financial investment makes more funds available for diligence work, but also because the scale of a transaction often changes the type of partners that you need to deal with.
The business involves working with partners on a large scale and for a long period of time, such as in a joint venture or consortium
In this case, the business needs to give up some control over how the activities are conducted and needs to apply more rigour to understanding the identity of its partners.
When hiring people for very-high-risk positions
When hiring someone who could personally impact the business in a way that very few others could (such as a group president, country manager or finance chief) it is important to carry out a level of diligence beyond the standard screening to make sure you know exactly who you are hiring.
Where there is a cross-jurisdictional element to the activity
This significantly increases the complexity of any diligence tasks as the same work might need to be carried out many times in many places.
What information would be needed to meet the bespoke risks?
When building a scope of work to look at a specific risk, the main questions to ask are:
- What information is available?
- How does that information help to address the risk?
Even when building a bespoke case, similar elements are generally needed to those which would be used in the standardised due diligence. These consist of information such as:
- who owns, directs and manages a corporate entity and whether they belong to a group of sanctioned individuals or entities
- any obvious facts that the world knows, such as articles found in the mainstream media
- a history of litigation or bankruptcy
- the reality of their business presence in the type of location expected
- their reputation to the extent that is reasonably discoverable.
Elements that may be relevant in some circumstances, and can be added beyond that basic set of information, include topics such as the following.
Determining the full beneficial ownership of any corporate entity
This might involve unravelling a large number of opaque structures and can significantly add to the time and cost involved; however, it is essential to really understand who it is that you are dealing with in joint ventures or large transactions (where control is not held with individuals on the ground), from a commercial as much as a compliance viewpoint. Ownership can be found by recursively looking for who owns each link in the chain or sometimes by asking the subject company to provide the information and then verifying it.
Finding conflicts of interest between players in the transaction
Conflicts are common in business in many parts of the world. They could come up innocently when a spouse or friend has a job in a related entity, but often they are precursors to bribery or fraud. Examples of conflicts might be:
- a salesperson in your business sets up a company and sells products to himself at a price that he chooses
- a country manager owns multiple distributors and rigs commercial tenders by using them to bid against each other
- other parties to a joint venture have close relationships that impact the voting rights that you thought you had.
Conflicts of interest can have a significant commercial impact, which can often be discovered by diligent research. Finding conflicts can require a number of techniques, including ownership checks, social media checks, or building up circumstantial data that can be viewed as a whole (much as a journalist might do when building a story).
Cross-jurisdictional education and employment history
Where you are dealing with people who are going to be important to your business (because you are hiring them into a senior position or they come with an entity you are acquiring), it is vital to get a clear view of whether they can actually do the job, and make sure that they are not hiding ‘skeletons in their closets’. In some cases this might be a simple reference check; however, such senior people have often moved between countries and cities in their careers so any due diligence activity will require a thorough review of how they acted in each location.
The risk of downstream partners
In the case of an acquisition or joint venture the company is often buying into not only the assets of the subject, but also the subject’s supply and distribution network. As the risk of bribery or past activities carries on to the successor entity it is necessary to perform some level of diligence exercise on those partners. In some cases, their risk is standard enough for them to be treated by high-volume processes; however, often they are in a new country or line of business, or their risk needs to be understood prior to the transaction closing so that they need to be considered as a project in themselves.
Attitude to compliance
A company’s (or person’s) attitude to compliance – and how similar it is to your company’s – can provide a good guide as to how well a business relationship will proceed. While it is not always practical to perform a complete audit of an entity’s compliance programme, there are a number of methods that can be used to provide a sense of how they view compliance. These might include:
- conducting interviews with key personnel to provide important information by comparing what the subject person says or doesn’t say about what is expected for an entity of the same type, size and location
- reviewing codes of conduct, handbooks or policies to compare them to what you expect for the subject
- carrying out targeted audits, looking at specific areas that are known areas for bribery, such as gifts and entertainment.
These are just a small number of the many sources of information that are available, but they only make sense when they are paired with a specific need.
The most important point to remember when deciding the level of work required in any situation is to get the balance right between managing the specific risks of an activity with building a scalable, efficient and cost-effective process that you can actually manage. Being too bespoke for high-volume activities will increase the cost and make it less likely that the resources you have will be able to adequately assess the risks. On the other hand, trying to use processes that work for high-volume activities on those that are clearly different runs the chance of missing the actual risks that need addressing.