In most large companies, the legal and compliance departments will ask the procurement department to help select a new provider for this sort of due diligence. While involving procurement is generally seen as a real advantage from a process perspective, it does create some challenges where the department doesn’t really understand the depth of advice that they are purchasing or how to differentiate from various providers.
Procurement teams have been on a steep learning curve as a result of their relative inexperience. Due diligence is a crowded marketplace, with many people referring to themselves as ‘due diligence providers’; however, the term has several different meanings.
Without going into every competitor and assessing every product, the due diligence marketplace can be divided broadly into three main categories (excluding the categories that are really software companies). These categories are:
- those that provide data
- those that provide data with some insight
- those that provide data, insight, and some meaningful and specific advice.
The data obtained in a common due diligence report from most providers is just that: data. For a company to actually use that data, it has to be built into something valuable: the insight and advice that you and your internal clients need to make actionable decisions. The due diligence providers that are just providing data are not providing any insight or analysis; they are just providing access to a large dataset through an annual subscription, or perhaps through a cheap and simple computer-generated due diligence report. You will need to provide that insight and analysis.
To use an oil industry example, you are buying crude oil by the barrel load. To make that purchase effective, you will need to refine that oil and then use it in one of your products. You should exercise caution about the effort required to refine that information. To do this, your in-house team needs experience with corporate risk tolerance, legal issues and multiple compliance areas, as well as the risks, trends and enforcement regimes of over 150 countries and 40-odd languages.
Buying data through some form of web subscription is certainly one option, but it comes with a large burden to make that data useful. The data providers are typically just providing lists of sanctioned companies, for example.
Data with some insight
Due diligence data is often just consolidated data from public websites and lacks any real value until insight is developed from reviewing that data and applying it to a business decision. This next level of service is often still a bit of a commodity and, to use our example above, is probably akin to refined crude oil: it has been refined in some way but is still broadly a commodity.
An example of the type of insight that could be gained is discovering from the data that a subject company has significant litigation in a country. Some may be concerned and think that this piece of data is a red flag; however, when that data point is given in context (size of business in that market versus other markets, type of litigation, size of claims, size of company, country itself etc.), it is likely that the issue was not in fact a red flag and may well be seen as a positive.
The data needs to be turned into insight to be useful. That insight is usually only provided by a specialist who is experienced in compliance and risk. The providers in this space tend to provide written due diligence reports that contain a large amount of data but with minimal insight into that data.
Meaningful and specific advice
Even a refined piece of data with some insight must be placed in the context of the company and the industry in which they work, their risk tolerance, and how they are engaging that third party and for what purpose.
A memorable quote attributed to Howard Schultz, the founder and CEO of Starbucks, demonstrated that a key insight for his business was ‘We are not in the coffee business serving people, but in the people business serving coffee’. That one concept changed everything that Starbucks did. It helped the company to understand that it was not about the coffee, but about the experience that it offered people. The same applies to the due diligence business when giving meaningful advice. ‘We are about serving people great compliance advice; we don’t simply send out due diligence reports’ is a common mantra heard in the corridors at The Red Flag Group.
The hardest thing about this category is that it not only requires experience in compliance risk, but also demands knowledge of the specific company and use of the third party. While this is generally referred to as ‘experience’, it is probably better expressed as ‘judgement’ – a rare ability.
Companies that are looking to buy into the due diligence market should really understand the different products that are available, and then make an assessment as to what category they fall into and what they are specifically after. There are absolutely valid needs for all three of the above categories and many companies actually need to buy products and services from all three. However, all three have very different price points and, as you move from category one to category three, you are moving from commoditised data to professional services. The challenge with these is that they have obviously quite different price points and procurement officers could become easily confused by the jargon used by many providers.