Choose your risk management tools wisely

There is a growing channel-sales compliance trend of conducting due diligence on all partners in the channel. This means that every partner gets effectively the same due diligence, or at least some due diligence on a sliding scale of risk and effort. This also means that companies roll out rigid global programmes that are not flexible enough to deal with situations that involve thought, assessment and a practical way of resolving a problem.

This issue becomes interesting when you have partners in your company whose roles are more like customers. These partners are often companies that buy your product and integrate it with their own (original equipment manufacturers, or companies that integrate your software without the end consumer knowing it) and are sometimes called service providers or strategic partners. Your name, your brand and your product are rarely visible to the end consumer, you don’t do any co-selling, no marketing funds are shared with the partner, and you certainly have no role in pricing the end product. So, in almost every way, they are a customer.

Many companies contract these organisations as part of their partner programmes as they are entitled to some benefits for being a ‘partner’, such as special pricing and access to systems, confidential product roadmaps, source code and other trade secrets.

While these types of partners are not typically reselling your products as a value-added service or retailer, they are subject to many risks that are far beyond corruption risks.

There is no doubt that these partners should be subject to some form of risk assessment and review. However, the natural reaction for many companies is to send them a questionnaire and kick off a due diligence process. This approach doesn’t distinguish this sort of partner from other partners and is therefore flawed. While a partner like this might be a lower risk for corruption, they are not without risk in other areas. These partners should be the subject of risk assessments to identify the potential problem before rushing to a solution.

While everyone thinks about corruption risks, reputational risks are probably the highest risk in this partner type. The perception of being associated with someone of poor integrity is significant. By bringing this company into your partner programme, you have approved, endorsed and announced to the market that you trust them. When you include a company in your partner programme, you are letting them into the inner sanctum of your company. Before you do that, the question you need to ask is: What could that company do to hurt us?

The way you manage the risks will be highly dependent on the risks and the actual situation.

Traditional due diligence (i.e. background checks) is just one tool you can use to manage certain types of risk (such as sanctions and corruption risks). This traditional due diligence is not going to help you at all if some of the risks are about confidential information, trade secrets or intellectual property infringement issues. It won’t help you if you are worried about your reputation being tarnished by association if your product is used in a defective or dangerous product.

There are plenty of other ways beyond standard due diligence to manage the risks identified for a partner. You need to look at the company, what they are doing for you and how you interact with them to see the potential risks and think about how to deal with them.

You may need to find out:

  • how they will use your product
  • what experience they have in integration (find out if they have had major product recalls, and what their recall strategy is)
  • if they have been involved in any industries or countries that have a negative reputation
  • if they have had any major pollution or environmental issues
  • if they have a reputation for fraud, deception or poor customer handling
  • if there is a risk that they will be banned by a country
  • which jurisdictions they are operating or selling in
  • how they will protect your source code and who will access it
  • if they will hold product licences on your behalf in certain countries
  • if they sell competing products, and, if so, whether they could reverse engineer your product
  • if they will have access to and control of your confidential information
  • if they have any links to foreign governments
  • what relationships they have with other major companies
  • whether they are listed on a recognised exchange
  • if they have compliance programmes and resources in place.

Depending on the answers to these questions, you might need to put a risk-management plan in place (which may or may not include due diligence). This could include additional contract provisions in some cases, and in others it might include employee screening, due diligence or perhaps a conversation with the compliance officer. Depending on the risks identified, you may conduct an audit. Or you may conduct a review of their financials, major customer contracts (to disclose their heavy military customers, for example) or corporate social responsibility plan to see how they manage the risk of being involved in poor labour conditions. All of these are options (or tools) that you can use to manage risks in a partner.

Going beyond due diligence

Companies need to think broadly about partner relationships. They need to think about the problem – not the solution.

The ‘problem’ that companies have is trying to identify and manage risk. The ‘solution’ can be a whole host of things, of which due diligence is just one.

While conducting due diligence in the form of a background check is useful, it only gives you a current or retrospective picture of the company, and only as it applies to certain risk areas. The clear direction is that different tools are needed to solve different problems. A one-size-fits-all approach is not likely to work, and that ‘one size’ is unlikely to always be due diligence in the form of a background check.
