Best practices for conducting third-party due diligence for ethics and compliance

A well-designed compliance program should apply risk-based due diligence and have a process for the full lifecycle of third-party risk management

Kelly Maxwell
Content Marketing Specialist, OneTrust
December 8, 2022

photo of two office employees having a conversation on a flight of stairs in a lobby in front of a large glass windows.

When trying to stand out in the crowded marketplace, developing a strong brand and reputation are key. But have you considered how your third-party business relationships can help or hinder these efforts? If you don’t know who your partners are or how much risk they potentially expose your company to, how can you ever hope to rise above the competition as a reputable and trustworthy business?

The U.S. Department of Justice (DOJ) 2020 Update to the Evaluation of Corporate Compliance Programs made clear that regulators are officially on the lookout for well-designed “risk-based due diligence” programs, dedicating a whole section to third-party risk management.

Stick with us as we unpack:

  • The three levels of third-party due diligence
  • The concept of third-party triage
  • Third-party due diligence questionnaire use
  • How to handle red flags that arise during third-party due diligence, oversight, and ongoing third-party due diligence
  • How automating your processes can help make your third-party due diligence efforts successful

Looking for more ways to satisfy regulators, investors, customers, and the public? Lean how you can ensure that your ethics and compliance program is effectively managing third parties across the entire relationship lifecycle. Download the free CECO’s third party checklist today.

What are the three levels of third-party due diligence?

The 2020 DOJ Update, the DOJ’s Opinion Release 10.02, and the 2020 FCPA Resource Guide all touch on the concept of a three-level approach to conducting third-party due diligence.

The three levels of third-party due diligence help determine appropriate levels of due diligence and set your third-party risk management program up for successful triage (more on that below). Remember the bedrock principle of any due diligence effort is to always “document, document, document.” Whatever you uncover, any red flags that arise must be cleared and the evidence of such clearance must be documented. Let’s examine the three levels:

Level one

In this first level, individual names and company names are cross-checked through hundreds of global watch lists. These global lists, comprised of AML, anti-bribery and sanctions lists, and other financial corruption and criminal databases, help detect potential red flags and create a first-level screening tool. Examples of these watch lists include The US Office of Foreign Assets Control (OFAC) Blocked Persons and Specially Designated Nationals (SDN) List, The UK’s Office of Financial Sanctions Implementation (OFSI) UK Sanctions List, and the United Nations Security Council (UNSC) Consolidated List.

Do your research here because there is no single source of truth for red flag screening. This step may feel overly broad and general, but it demonstrates intent to comply with regulatory requirements. It is therefore extremely important for companies to support their due diligence efforts by cross-checking existing databases to ensure integrity across all third-party relationships.

  • Where there is a low risk of corruption, level one due diligence is sufficient.

Level two

In high-risk jurisdictions, the second level builds off the foundational information gathered in step one and helps you make informed decisions at scale. A deeper screening of newspapers, international media, and detailed web searches can reveal other forms of corruption-related information. By extending your fact-finding mission to include industry specific sources, in-country databases, international government records, press coverage, and mention of key executives and associated parties, your third-party due diligence inquiries may uncover undisclosed or hidden information.

  • If there are no red flags raised which require a deeper investigation, level two due diligence is sufficient.

Level three

Also known as enhanced due diligence, the third level represents the deepest dive with continuous monitoring of third parties. This level requires a hands-on, ‘boots-on-the-ground’ investigation in the field. Investigators who are fluent in the local language and are familiar with local politics can help fortify your investigations with site visits, onsite interviews, and in-depth background checks of executives and key players. Going beyond confirmation of what you’ve already uncovered in the previous two steps, this final step is focused on uncovering hidden and secret information.

  • Level three due diligence is a deep dive, localized investigation.

Third-party triage

The DOJ emphasis on “risk-based due diligence” means that the evaluation and management of each third party will look different, depending on the related nature and level of risk. The DOJ’s guidance also details how high-risk third parties and the corresponding ongoing relationship management must be prioritized before lower-risk relationships. Third-party triage establishes the ranking of each third party and determines what should be addressed first.

No two triage processes will look alike, but they do share the same goal of surfacing high-risk third parties. Determine your set of priority criteria that are unique to your company, industry, and geolocation, to effectively measure and design your process. Assign each third party, both current and potential, a risk-based priority level and then assess your highest-risk third parties first. The triage process shows the mechanisms by which each third party’s risk level is determined and the risk-based due diligence approach you follow thereafter, complying with DOJ guidance.

Third-party due diligence questionnaire

A third-party due diligence questionnaire is an incredibly useful tool in an investigation and will grant you a deeper understanding of whom you’re doing business with. A questionnaire, generally recognized as a useful investigative tool and mentioned several times in the FCPA Resource Guide, requires third party companies to commit to certain required information in writing. If a third party does not want to fill out the questionnaire or will not fill it out completely, don’t just walk – run away from doing business with them.

The scope and exact questions your questionnaire will contain depend on the risk assessed and that risk ranking will determine the level of information required. Data collection is key here, so make sure to tailor your questionnaire to gather information on background and experience, scope of services to be provided, relevant experience, a list of actual and beneficial owners, references, and compliance expertise.

Additional areas to explore in your questionnaire:

  • The ownership structure of the entity
  • The financial qualifications and stability of the company
  • Personnel and any related conflicts of interest
  • The physical facilities and exact address/s of the third party
  • Multiple references who can speak to the ethics and commercial reliability of the proposed third party
  • Any politically exposed persons (PEPs) or ultimate beneficial owners (UBOs)
  • The compliance regime of the proposed third party, including documentation for code of conduct, anti-corruption, and anti-bribery programs and related training materials
  • Compliance training and awareness from recognizable and reputable entities

How to handle red flags that arise during third-party due diligence

A red flag does not necessarily signal the end of a third-party business partnership. It does, however, require clearing. Plus, you need to document the red flag clearing and related decision-making process, should a regulator come knocking.

Not all red flags are created equal, and there is certainly no set formula for clearing them; there are multiple risk score drivers to consider and questions to ask:

  • How much is enough? Can your processes be effectively managed and still be sufficiently valuable for the business?
  • How deep do we dig? Consider all links in the supply chain and any subcontractors, digging deeper when high risks for bribery and corruption are exposed.
  • What did we learn? Don’t wait to clarify or gather any additional information. Any information that causes a red flag to appear must be cleared and documented.

Oversight and ongoing third-party due diligence

Just like in other areas of the ethics and compliance space, consistent monitoring and oversight is required here. A strategic approach to third-party risk management will help develop the scaffolding and guardrails necessary for oversight in the lifecycle management of third parties. Just like any healthy relationship, managing third-party relationships during the full lifecycle of a contract requires flexibility and focused attention as the relationship matures. Start by keeping tabs on all subcontracted work, maintaining visibility into contracts with subcontractors, and verifying that approved compliance terms and conditions are met.

If disaster strikes, you can be sure your company is legally protected by first fortifying your compliance terms and conditions. If your third party violates the FCPA and your company is dragged into an investigation, you must have full indemnity. Without it, there is no chance to recoup any related legal and investigative costs. Any FCPA violation is a material breach of contract, but without a clause detailing how such a violation will immediately terminate the contract without notice and cure, you will have to give written notice and the opportunity to cure. That process can be lengthy and may take too long to satisfy the DOJ or the Securities and Exchange Commission (SEC).

Keep track of your third parties’ financial health over time. It will grant you awareness of any upcoming financial disasters such as bankruptcy and any related bribery and corruption risks. Requiring that your third parties provide you with annual audited financial statements is a great way to address this. Formalize the incentives for third-party compliance by tying compensation into long-term compliance performance. Develop some key performance indicators (KPIs) to track performance. These KPIs can help rank your third parties, in addition to other factors. You can use performance, length of relationship, and other benchmarking metrics for ongoing risk ranking. You can further turbocharge your oversight by embracing automation.

Automating your third-party due diligence process

Third-party due diligence is the process of vetting and continuous monitoring of third parties (vendors, suppliers, partners, beneficial owners etc.) for critical red flags across ethics, compliance, legal, ESG, and other categories. The overarching laws and regulations are always changing, and compliance depends on real-time understanding of the shifting landscape. Additionally, areas for high risk for third parties are never set in stone. Rather than let the shifting landscape derail your third-party due diligence efforts, you can embrace change as a constant by automating your process.

The goal here is to reduce the risk of reputational damage and financial penalties, therefore the challenges that face your third-party due diligence program can spell disaster if left unchecked. Your program can be tanked by the inability to scale due to resource constraints, including the volume of third parties, the lack of processes and procedures, and false positives. Every component of your third-party due diligence workflow can benefit from automation. These include:

  • Inherent risk and triage
  • Automated screening
  • Risk-based assessment
  • Enhanced due diligence
  • Ongoing monitoring

Manage the scope of your third-party due diligence program with OneTrust Third-Party Due Diligence. Transform your compliance program and spend less time on manual assessments with domain-specific third-party management functionality, consolidated third-party lifecycle management, seamless risk mitigation, ongoing monitoring, audit-ready reporting, and contract management.

Compliance programs need an operationalized, scalable strategy for due diligence and beyond. Learn the steps to fully operationalize your third-party risk management program with this free checklist. Download the CECO’S third party checklist today.

You may also like


Third-Party Due Diligence

Sanctions and export controls: Ensuring compliance

Watch our live expert webinar on understanding global sanctions and export controls and how to reduce your organiztion's risk exposure and ensure compliance.

June 29, 2023

Learn more


Third-Party Due Diligence

A shortcut to third party due diligence fundamentals

In this webinar, we examine the scope of third-party due dilligence, best practices, and industry trends driving greater scrutiny on third parties.

June 20, 2023

Learn more


Third-Party Risk

Bridging the gap: How procurement and InfoSec can work together to reduce third-party risks

Join our upcoming webinar as we explore the pivotal ways procurement and InfoSec teams can collaborate to reduce third-party risks.

June 08, 2023

Learn more