In our previous article, we discussed the importance of third-party due diligence (TPDD) processes within organisations. In this article, we offer suggestions, drawn from best practice guidelines, on establishing an effective TPDD process.
Setting up an approval matrix
While many organisations adopt a linear approach to designing a TPDD process, the review and approval processes should be collaborative and cross-functional. This involves a diverse group of stakeholders within the organisation providing input and approving the sub-processes, and ensuring a comprehensive and well-rounded assessment.
The designated interested parties should include the following:
- The person responsible for completing the initial assessment of the third party ("the Initiator");
- The operational department that will be the beneficiary of the services provided by the third party ("the End User");
- The department that is responsible for the process through which the third party will be engaged ("the Process Owner") – as examples:
- The Procurement department, where the third party is a vendor/supplier;
- The Sales department, where the third party is a customer;
- Designated specialists as required – including the Finance department and the Legal department;
- The Compliance department, which plays an integral role in guiding the interested parties through the process, providing advice and input to them, and which at certain levels may be called on to review the process before final approval and sign-off of the third party; and
- The management levels responsible for the ultimate sign-off and approval of the decision to engage with the third party ("the Approver"). For higher risk-rated third parties there should be multiple Approvers.
At each stage of the process, the designated interested parties should record their input and their motivation for accepting the third party, and flag any issues, red flags or concerns identified. Where appropriate, they should escalate the assessment to a higher level for further attention, recommend additional procedures and consider mitigating factors.
It is therefore important that, from the outset, a clear matrix of responsibilities is developed for the parties to be involved in the TPDD preparation, evaluation and approval processes.
The input provided, the issues and red flags identified, the concerns raised, the recommendations made and the mitigating factors identified should all be documented throughout the process, providing a clear and discernible audit trail for a reviewer to follow. Any external information relied on should be appended to the file – for example, publicly available documentation, online media reports, and responses and documentation received from the third party.
A methodical approach to the TPDD process
Commonly the TPDD process would entail the following steps:
Step 1: Information gathering process;
Step 2: Initial Assessment, applying a scorecard, resulting in an initial risk scoring for the third party;
Step 3: Review process;
Step 4: Enhanced due diligence procedures, where the initial risk scoring warrants this;
Step 5: Consideration of additional mitigating measures where the risk score remains above the comfort zone of the organisation;
Step 6: Approval of the third party; and
Step 7: Ongoing monitoring of the third party.
Step 1: Information gathering process
For most organisations, the information-gathering process commences with the End User providing a questionnaire to the third party for completion. This third-party questionnaire, with specific questions, should be designed to alert the organisation to potential red flags.
Best practice guidelines require the third party to disclose, and provide clarity on, the following:
- The jurisdiction in which the third party operates/provides services;
- The type of services that the third party will be providing;
- Ownership structure, including details of ultimate beneficial ownership;
- Names of directors and key management that will represent the third party in its dealings with the organisation;
- Names of any of the owners/shareholders, directors and key management who may be regarded as politically exposed persons (PEPs) or government officials, or who may be close relatives of PEPs/government officials;
- Whether the third party has ever been the subject of public allegations, investigations, regulatory or court actions for bribery, corruption, fraud, money laundering, sanctions, human rights and other serious violations that impact the integrity of the third party;
- Details of all key subcontractors that the third party will engage in order to meet its business commitments to the organisation should it be engaged;
- An overview of the culture and ethics of the third party, including requests for the third party to provide its code of conduct/ethics, an overview of its anti-bribery and anti-corruption (ABAC) compliance programme, and its ABAC and other related policies;
- Whether the third party will be interacting with government officials on behalf of the organisation;
- Whether the third party will be sub-contracting any of the services it provides to the organisation; and
- Whether the third party will be paid a commission or retainer.
The questionnaire may also include the anti-corruption compliance declarations that the organisation wishes to secure from the third party before the commencement of business – for example, a declaration that the third party agrees to adhere to the code of conduct and ABAC policies of the organisation, and to grant audit rights.
Step 2: Initial risk assessment of the third party
Pre-screening
Step 2 may be broken into two sub-steps:
1) A pre-screening to determine whether the third party should be subject to the TPDD process; and
2) If deemed subject to the process, the initial risk assessment of the third party.
An organisation with a significant number of third parties may consider pre-screening each third party and excluding it from the risk assessment if it does not pose a corruption risk to the organisation. In determining whether a third party should be excluded from the initial risk assessment, the organisation should establish whether the intended transactions with the third party fall within the risk areas it has identified. The organisation may also wish to consider whether one or a combination of the following factors are present:
- The total value of the goods or services to be provided is low or inconsequential;
- Commonly available standard goods or services will be provided, the pricing of which can easily be benchmarked to the market; and
- The third party will be an occasional supplier of low-value goods or services.
It is nevertheless imperative that the reason for excluding a third party from the initial risk assessment is properly documented and signed off.
The initial risk assessment
Where the third party is deemed to be in scope, the initial assessment process is commenced. In performing the initial assessment, the Initiator should duly consider the responses to the third-party questionnaire received under Step 1 above, as well as the pre-screening process. The Initiator should apply due scepticism and common sense to the responses received from the third party, and verify the responses, where possible. This can be done by the Initiator accessing and gathering publicly available information.
Examples of such information that can be easily accessed include the following:
- Extracts from the corporate register, to verify answers relating to ownership and management;
- Information from the website of the third party - for example, if the third party is a JSE-listed entity, it is obliged to publish an annual integrated report, which should contain several elements related to the questions answered by the third party, including governance and compliance programmes; and
- Scrutiny of available "blacklists" of sanctions and debarments, and general searches of online media for reputational issues, by using the third party name and combining this with general search terms such as fraud, corruption, bribery, kickbacks, investigation, money laundering etc. This role is often outsourced to a third-party provider [ENS provides clients with background checks and welcomes further discussion, should an organisation require such services].
The initial risk assessment should be performed against the relevant high-risk areas identified by the organisation during its overall ABAC risk assessment process.
Commonly, these areas include:
- Legal and regulatory risk – particularly where the organisation is subject to extra-territorial legislation;
- Country risk – where the third party is domiciled in another country with reported high levels of bribery and corruption;
- Sectoral risk – for example where the organisation requires government licenses and permits for it to operate, and the third party will be providing services relating to the obtaining of these necessary licenses or permits;
- Operational risk – where certain operations of the organisation have been identified as areas with a high risk of corrupt activity, for example where the organisation engages agents to assist in the sales process with state-owned entities;
- Structure and ownership risk – where the third party or its shareholders are domiciled in an offshore / tax haven with opaque beneficial ownership disclosure;
- Reputational risk – for example where the third party has been the subject of adverse reports regarding the integrity of its management;
- Business partnership risk – certain types of third party are commonly regarded as high risk, particularly where they act as intermediaries for the organisation – examples include distributors and agents; and
- Business opportunity risk – where the third party will participate in a high-value project or business transaction involving multiple business partners.
The Initiator should consider obtaining input from the End User on many of these issues.
To guide the Initiator and other interested parties, the organisation should also consider putting together a list of potential red flags for consideration and comment.
A scoring mechanism should be set up for the initial assessment process, which provides an initial risk rating for the third party – this is most often set up as low, medium or high risk.
Step 3: risk assessment review
Once the risk rating has been determined, motivated and signed off by the Initiator (and the End User), it is critically reviewed by the Approver(s) appropriate to the initial rating. This review must be robust, applying appropriate scepticism and common sense to the responses, the motivations and the risk scoring attributed during the initial assessment.
The TPDD process needs to be flexible so that initial ratings can be adjusted upwards or downwards by the Approver(s). For example, a decision to introduce certain mitigating measures despite a low-risk rating can be documented and carried into the contracting process – such as the inclusion of a right-to-audit clause. ENS recommends that all third-party contracts include standard ABAC-related clauses and can advise further should an organisation require assistance with such.
Any override of the initial risk rating should be properly motivated and documented in the TPDD process, irrespective of whether the decision is to increase or lower the initial risk rating attributed to the third party.
Step 4: Enhanced due diligence procedures
Where the third party has been assessed as having a risk rating higher than low, it is recommended that additional or enhanced procedures are performed.
These additional procedures may include the following:
- Screening by third-party due diligence providers;
- Deep dive site visits / Country visits;
- Interviews with management and employees of the prospective third party;
- The review of certain books and records; and/or
- The review of certain ABAC compliance material, such as the code of conduct, ABAC policy, gifts and entertainment policy, conflict of interest policy and ABAC training material.
Once these additional procedures have been performed, the higher-risk third party is reassessed and a new risk rating is attributed to it, based on these additional procedures. This should be approved by a next-level Approver – we recommend consultation with and input from the Compliance department, and to be agreed by the head of the End User department.
Step 5: additional mitigating controls
Should the risk rating of the third party remain unacceptably high, but there are appropriate reasons why the organisation wishes to proceed with the business relationship, the next step is to determine whether the imposition of mitigating controls would provide the organisation with sufficient comfort to enter into the relationship.
Some examples of mitigating controls to be considered include the following:
- Regular and critical monitoring of all transactions with the third party;
- Additional financial controls, for example by adding a layer of approvals;
- Additional contractual provisions, for example right-to-audit clauses;
- Additional compliance requirements, for example compulsory attendance by third-party personnel at ABAC training provided by the organisation; and
- Ongoing monitoring of media coverage regarding the third party.
The mitigating controls envisaged should be documented in the TPDD process with input from the specialists (for example Legal or Finance department), reviewed by the Compliance department and approved by a level more senior than the Approver in Step 4. We suggest that it would be prudent to also obtain the approval of the Head of the End User department.
Step 6: Approval of third party
Finally, a decision should be made as to whether to enter into a business relationship or not with the third party. If the risk rating attributed to the third party remains high despite enhanced due diligence and mitigating controls, but the organisation remains committed to entering into the business relationship, then approval should be provided by senior management.
Step 7: Monitoring of the third party
Risks change over time, due to internal factors (for example, changes in the structure or operations of the organisation) and external factors (changes in ownership of the third party, new legislation, increased regulation, etc.). New risks may emerge, and existing risks may diminish. The TPDD process should therefore continue throughout the life cycle of the business relationship with the third party.
Organisations should, as a minimum, re-perform the TPDD process over their third parties when risks change and also according to a regular schedule – for example, annually for high-risk rated third parties, every two years for medium-risk rated third parties and every three years for low-risk rated third parties. Organisations should further consider developing a third-party risk calculator for this purpose, with a score per risk category, which will allow them to risk-rank their third parties. ENS is able to support with the development of these risk calculators.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.