Understanding data and insight

March 10, 2016
By Scott Lane, The Red Flag Group®
Big data is in the news every day, with the world apparently infatuated with its potential to transform the way we live, work and even think. But the big data revolution has also spawned a plethora of providers in the due diligence space, making it increasingly difficult for companies to separate the wheat from the chaff. Compliance Insider®’s Editor-in-Chief Scott Lane provides some clarity.
Since the days of the United States Department of Justice and Securities and Exchange Commission requiring companies to conduct adequate due diligence on third parties in order to meet their compliance obligations under the Foreign Corrupt Practices Act and other similar legislation, there has been an explosion of due diligence providers entering the market. These providers have come from all walks of life – from ex-police officers and military intelligence people through to magazine and newspaper publishers – who have vast amounts of data that they have repackaged as ‘due diligence’. As a provider of such due diligence, I have seen the good and the bad pass before The Red Flag Group and its clients with varying degrees of sophistication. It is very tough for a company to really understand what they are buying and how to sort out the good from the bad.

In most large companies, the legal and compliance departments will ask the procurement department to help select a new provider for this sort of due diligence. While involving procurement is generally seen as a real advantage from a process perspective, it does create some challenges where the department doesn’t really understand the depth of advice that they are purchasing or how to differentiate from various providers.

Procurement teams have been on a steep learning curve as a result of their relative inexperience. Due diligence is a crowded marketplace, with many people referring to themselves as ‘due diligence providers’; however, the term has several different meanings.

Without going into every competitor and assessing every product, the due diligence marketplace can be divided broadly into three main categories (excluding the categories that are really software companies). These categories are:

  • those that provide data
  • those that provide data with some insight
  • those that provide data, insight, and some meaningful and specific advice.

Buying data

The data obtained in a common due diligence report from most providers is just that: data. For a company to actually use that data, it has to be built into something valuable: the insight and advice that you and your internal clients need to make actionable decisions. The due diligence providers that are just providing data are not providing any insight or analysis; they are just providing access to a large dataset through an annual subscription, or perhaps through a cheap and simple computer-generated due diligence report. You will need to provide that insight and analysis.

To use an oil industry example, you are buying crude oil by the barrel load. To make that purchase effective, you will need to refine that oil and then use it in one of your products. You should exercise caution about the effort required to refine that information. To do this, your in-house team needs experience with corporate risk tolerance, legal issues and multiple compliance areas, as well as the risks, trends and enforcement regimes of over 150 countries and 40-odd languages.

Buying data through some form of web subscription is certainly one option, but it comes with a large burden to make that data useful. The data providers are typically just providing lists of sanctioned companies, for example.

Data with some insight

Due diligence data is often just consolidated data from public websites and lacks any real value until insight is developed from reviewing that data and applying it to a business decision. This next level of service is often still a bit of a commodity and, to use our example above, is probably akin to refined crude oil: it has been refined in some way but is still broadly a commodity.

An example of the type of insight that could be gained is discovering from the data that a subject company has significant litigation in a country. Some may be concerned and think that this piece of data is a red flag; however, when that data point is given in context (size of business in that market versus other markets, type of litigation, size of claims, size of company, country itself etc.), it is likely that the issue was not in fact a red flag and may well be seen as a positive.

The data needs to be turned into insight to be useful. That insight is usually only provided by a specialist who is experienced in compliance and risk. The providers in this space tend to provide written due diligence reports that contain a large amount of data but with minimal insight into that data.

Meaningful and specific advice

Even a refined piece of data with some insight must be placed in the context of the company and the industry in which they work, their risk tolerance, and how they are engaging that third party and for what purpose.

A memorable quote attributed to Howard Schultz, the founder and CEO of Starbucks, demonstrated that a key insight for his business was ‘We are not in the coffee business serving people, but in the people business serving coffee’. That one concept changed everything that Starbucks did. It helped the company to understand that it was not about the coffee, but about the experience that it offered people. The same applies to the due diligence business when giving meaningful advice. ‘We are about serving people great compliance advice; we don’t simply send out due diligence reports’ is a common mantra heard in the corridors at The Red Flag Group.

The hardest thing about this category is that it not only requires experience in compliance risk, but also demands knowledge of the specific company and use of the third party. While this is generally referred to as ‘experience’, it is probably better expressed as ‘judgement’ – a rare ability.


Companies that are looking to buy into the due diligence market should really understand the different products that are available, and then make an assessment as to what category they fall into and what they are specifically after. There are absolutely valid needs for all three of the above categories and many companies actually need to buy products and services from all three. However, all three have very different price points and, as you move from category one to category three, you are moving from commoditised data to professional services. The challenge with these is that they have obviously quite different price points and procurement officers could become easily confused by the jargon used by many providers.



Previous Article
Webinar: Data protection for third party programmes
Webinar: Data protection for third party programmes

A common question when dealing with global third party programmes is how they are impacted by data protecti...

Next Article
Sony Corporation: once bitten twice shy?
Sony Corporation: once bitten twice shy?

Sony Computer Entertainment was forced to shut down its online gaming service, PlayStation Network (PSN), i...

Do your suppliers meet the expectations of your integrity & compliance programme?

Tell me more