1. Which problem are we trying to fix?
The main thing to think about is what are you trying to achieve from this initiative, and why?
- Does the legal or compliance department require some anti-corruption due diligence measures to cover suppliers to meet a requirement of anti-corruption policies and procedures?
- Is this a broader model where you are looking at the “quality” of your suppliers as part of a solid procurement process, so the background and integrity of the supplier is part of the assessment and decision-making process?
If it is the latter, then this due diligence process must be considered as part of the overall procurement process, and not seen as just a compliance initiative.
2. Who owns the project?
Depending on what you are trying to achieve from conducting supplier due diligence, the internal ownership of the project needs to be clarified. Many projects are commenced by the legal or compliance team, but the project is never fully executed as they realise that it will require significant help from a procurement function to be effective. Whoever owns the initiative, keep in mind that the process is not as simple as just a watchlist screen.
3. Does this cover only new suppliers, or does it cover existing suppliers as well?
Make a decision whether this is just an initiative for new suppliers or whether it also covers the existing ones. Even if it covers the existing suppliers, what does that actually mean?
- All suppliers purchased from in the last year or the last two years?
- What about the small ones that were “one off” suppliers?
- How do you know if a supplier is a one off supplier?
4. Do we have complete data for our suppliers?
If you do decide to look at existing suppliers you can almost guarantee that a massive cleansing project will need to be carried out before you go any further with the due diligence process. The cleansing process will answer some of the questions above, but will also look at overall data quality, completeness of data, accuracy of data, duplicates, related companies of suppliers, and suppliers that operate in multiple countries. While this can be a simple task for some companies, simply getting a list of all suppliers can be a real struggle, particularly in multinational corporations where there are multiple systems.
5. How do we collect incomplete data?
Assuming that you now have clarity on what the initiative involves and you have an agreement on the range of included suppliers, you need to consider whether you have enough data already in the system to conduct any real due diligence.
- Are you going to conduct due diligence on the just suppliers themselves, or also on the people that work for the suppliers?
- If you have details in the system of the owners or managers of the suppliers, can you access that data easily and is it up to date?
At this point, many companies will find that they do not have a very clear or accurate supplier list and they will be forced to use some form of data collection mechanism to collect more information.
The data collection piece could be a simple questionnaire, or it may be a comprehensive questionnaire that seeks to do some form of a re-qualification process, ask for financials, conduct certifications or conduct training, etc.
6. Can we integrate into other systems?
At this juncture, you might want to think about how you will collect data from your suppliers and manage the complete profiles from a systems perspective. Should you use a portal on your website to access such information, or an external system like the ComplianceDesktop® Technology Platform? You should also think about how the procurement or external systems can connect to the vendor master files that you have in your accounting system. This might require some integration; for example, a message could be sent to the accounting system when a supplier passes the due diligence process so that orders can be placed with that company.
7. Which suppliers does the project focus on?
Focusing on the important suppliers is common sense. The challenge for most companies is understanding these suppliers’ risk areas and risk tolerance, and also ensuring that things change with the times.
- Are you looking at suppliers from a human rights perspective?
- Are you considering the suppliers’ facilities, safety of buildings, and overall work practices? For many companies, safety practices are an absolute priority.
A large amount of time needs to be spent deciding on the key areas of focus for the company and then cross referencing that against the types of suppliers. In some countries, building standards or work conditions might be important, whereas in other areas in the supply chain it might be safety (for example, where a supplier is working with your assets in dangerous environments). In other countries which are known for corrupt practices, it might be useful to look at the supplier practices and how they connect with government. However, this would only be useful for those suppliers that are likely to be in an area that deals with government or is seeking government approvals on your behalf. The key here is that you need a mechanism to know all these risk areas and also know your supplier base, commodity codes, and where your suppliers are located and where they are conducting business.
If you don’t know this information, then you need to go back and obtain any missing information before proceeding further. The last thing that you want to do is to start asking questions (or, even worse, conducting expensive due diligence and background checks) of somewhere such as a law firm when you are looking at human rights and conflict mineral risks. Clearly a law firm is going to be low risk in those areas, but might be higher risk on a government engagement (i.e. corruption) side. It is essential that you work all that out before applying the model for screening or due diligence.
8. How do we proceed through the “screening”?
Screening is only part of due diligence. This part of the process is often erroneously seen as the whole process. Some practitioners are led to believe that checking names against a watchlist is all the due diligence that they need to do and that the process is completed when this screening has finished. Firstly, as has been shown above, getting to the screening phase itself is difficult. Although not complicated in most areas, screening does require some further analysis, and, in many cases, the screen itself will only be as good as the data upon which it is being filtered out. Many watchlist services simply don’t have the depth of focus in the areas that were earlier identified as important. They have been developed purely as money laundering screening processes or to screen for politically exposed persons. In many cases, they are export control driven and focus on arms trafficking and weapon of mass destruction usage. A modern day set of risks needs a modern day content set that looks at much broader risks that affect global companies.
Even assuming that your list is strong and the screening process is conducted accurately, there are still a few things to think about. Which names are you going to screen – just the company name or the individuals? How will you identify false positives? Who will be responsible for reading the responses and deciding whether or not there is are issues or red flags in the results? How can this be done globally and what resources will be required to make this process work consistently? What is the escalation process if a red flag does exist?
9. How do we conduct due diligence and risk analyses?
In many situations, a screening process is simply not sufficient or adequate to assess risk, and certainly is not sufficient to decide whether or not a red flag exists. While databases are growing stronger, there is simply no list of people in the world that will address all of the risk areas that may be relevant to your company. This means you will have to conduct further research and analysis into the company and its risk areas. This very often means gathering any corporate information that is available for the company and looking at their reputation in the media and in the business community where they are registered and in which they operate. This sort of due diligence can be expensive and complex. While it absolutely essential in some parts of the world and in some risk areas), thought needs to be given to how the due diligence should be done, at what level and at what budget, and also how the results should be assessed. If this assessment is being done in a decentralised environment, the challenges this raises are significant and should be thought through before conducting screening. The last thing you want is a bunch of potential hits with no structure to follow up with due diligence.
10. How do we follow up the due diligence?
The post due diligence process is important. The supplier due diligence should not end after the screening and due diligence is completed and the supplier has been assessed as approved. The following matters should be considered:
- Do you seek additional controls to be put in place given the red flags that arose in the due diligence?
- What on-going monitoring will be put in place and how often?
- What contractual steps can assist in managing risks and becoming aware of changes in the subject company?
Companies should also think about whether they want the supplier to attend training, whether they want the supplier to agree to their code of conduct and provide a certification as such, and how they can monitor the supplier to check compliance with the obligations agreed to in their contracts.