Skip to main content

On-demand webinar coming soon...

Blog

Best practices for conducting third-party due diligence for ethics and compliance

A well-designed compliance program should apply risk-based due diligence and have a process for the full lifecycle of third-party risk management

Kelly Maxwell
Content Marketing Specialist, OneTrust
December 8, 2022

photo of two office employees having a conversation on a flight of stairs in a lobby in front of a large glass windows.

When trying to stand out in the crowded marketplace, developing a strong brand and reputation are key. But have you considered how your third-party business relationships can help or hinder these efforts? If you don’t know who your partners are or how much risk they potentially expose your company to, how can you ever hope to rise above the competition as a reputable and trustworthy business?

The U.S. Department of Justice (DOJ) 2020 Update to the Evaluation of Corporate Compliance Programs made clear that regulators are officially on the lookout for well-designed “risk-based due diligence” programs, dedicating a whole section to third-party risk management.

Stick with us as we unpack:

  • The three levels of third-party due diligence
  • The concept of third-party triage
  • Third-party due diligence questionnaire use
  • How to handle red flags that arise during third-party due diligence, oversight, and ongoing third-party due diligence
  • How automating your processes can help make your third-party due diligence efforts successful

Looking for more ways to satisfy regulators, investors, customers, and the public? Lean how you can ensure that your ethics and compliance program is effectively managing third parties across the entire relationship lifecycle. Download the free CECO’s third party checklist today.
 

What are the three levels of third-party due diligence?

The 2020 DOJ Update, the DOJ’s Opinion Release 10.02, and the 2020 FCPA Resource Guide all touch on the concept of a three-level approach to conducting third-party due diligence.

The three levels of third-party due diligence help determine appropriate levels of due diligence and set your third-party risk management program up for successful triage (more on that below). Remember the bedrock principle of any due diligence effort is to always “document, document, document.” Whatever you uncover, any red flags that arise must be cleared and the evidence of such clearance must be documented. Let’s examine the three levels:

Level one

In this first level, individual names and company names are cross-checked through hundreds of global watch lists. These global lists, comprised of AML, anti-bribery and sanctions lists, and other financial corruption and criminal databases, help detect potential red flags and create a first-level screening tool. Examples of these watch lists include The US Office of Foreign Assets Control (OFAC) Blocked Persons and Specially Designated Nationals (SDN) List, The UK’s Office of Financial Sanctions Implementation (OFSI) UK Sanctions List, and the United Nations Security Council (UNSC) Consolidated List.

Do your research here because there is no single source of truth for red flag screening. This step may feel overly broad and general, but it demonstrates intent to comply with regulatory requirements. It is therefore extremely important for companies to support their due diligence efforts by cross-checking existing databases to ensure integrity across all third-party relationships.

  • Where there is a low risk of corruption, level one due diligence is sufficient.
     

Level two

In high-risk jurisdictions, the second level builds off the foundational information gathered in step one and helps you make informed decisions at scale. A deeper screening of newspapers, international media, and detailed web searches can reveal other forms of corruption-related information. By extending your fact-finding mission to include industry specific sources, in-country databases, international government records, press coverage, and mention of key executives and associated parties, your third-party due diligence inquiries may uncover undisclosed or hidden information.

  • If there are no red flags raised which require a deeper investigation, level two due diligence is sufficient.
     

Level three

Also known as enhanced due diligence, the third level represents the deepest dive with continuous monitoring of third parties. This level requires a hands-on, ‘boots-on-the-ground’ investigation in the field. Investigators who are fluent in the local language and are familiar with local politics can help fortify your investigations with site visits, onsite interviews, and in-depth background checks of executives and key players. Going beyond confirmation of what you’ve already uncovered in the previous two steps, this final step is focused on uncovering hidden and secret information.

  • Level three due diligence is a deep dive, localized investigation.
     

Third-party triage

The DOJ emphasis on “risk-based due diligence” means that the evaluation and management of each third party will look different, depending on the related nature and level of risk. The DOJ’s guidance also details how high-risk third parties and the corresponding ongoing relationship management must be prioritized before lower-risk relationships. Third-party triage establishes the ranking of each third party and determines what should be addressed first.

No two triage processes will look alike, but they do share the same goal of surfacing high-risk third parties. Determine your set of priority criteria that are unique to your company, industry, and geolocation, to effectively measure and design your process. Assign each third party, both current and potential, a risk-based priority level and then assess your highest-risk third parties first. The triage process shows the mechanisms by which each third party’s risk level is determined and the risk-based due diligence approach you follow thereafter, complying with DOJ guidance.

Third-party due diligence questionnaire

A third-party due diligence questionnaire is an incredibly useful tool in an investigation and will grant you a deeper understanding of whom you’re doing business with. A questionnaire, generally recognized as a useful investigative tool and mentioned several times in the FCPA Resource Guide, requires third party companies to commit to certain required information in writing. If a third party does not want to fill out the questionnaire or will not fill it out completely, don’t just walk – run away from doing business with them.

The scope and exact questions your questionnaire will contain depend on the risk assessed and that risk ranking will determine the level of information required. Data collection is key here, so make sure to tailor your questionnaire to gather information on background and experience, scope of services to be provided, relevant experience, a list of actual and beneficial owners, references, and compliance expertise.

Additional areas to explore in your questionnaire:

  • The ownership structure of the entity
  • The financial qualifications and stability of the company
  • Personnel and any related conflicts of interest
  • The physical facilities and exact address/s of the third party
  • Multiple references who can speak to the ethics and commercial reliability of the proposed third party
  • Any politically exposed persons (PEPs) or ultimate beneficial owners (UBOs)
  • The compliance regime of the proposed third party, including documentation for code of conduct, anti-corruption, and anti-bribery programs and related training materials
  • Compliance training and awareness from recognizable and reputable entities
     

How to handle red flags that arise during third-party due diligence

A red flag does not necessarily signal the end of a third-party business partnership. It does, however, require clearing. Plus, you need to document the red flag clearing and related decision-making process, should a regulator come knocking.

Not all red flags are created equal, and there is certainly no set formula for clearing them; there are multiple risk score drivers to consider and questions to ask:

  • How much is enough? Can your processes be effectively managed and still be sufficiently valuable for the business?
  • How deep do we dig? Consider all links in the supply chain and any subcontractors, digging deeper when high risks for bribery and corruption are exposed.
  • What did we learn? Don’t wait to clarify or gather any additional information. Any information that causes a red flag to appear must be cleared and documented.
     

Oversight and ongoing third-party due diligence

Just like in other areas of the ethics and compliance space, consistent monitoring and oversight is required here. A strategic approach to third-party risk management will help develop the scaffolding and guardrails necessary for oversight in the lifecycle management of third parties. Just like any healthy relationship, managing third-party relationships during the full lifecycle of a contract requires flexibility and focused attention as the relationship matures. Start by keeping tabs on all subcontracted work, maintaining visibility into contracts with subcontractors, and verifying that approved compliance terms and conditions are met.

If disaster strikes, you can be sure your company is legally protected by first fortifying your compliance terms and conditions. If your third party violates the FCPA and your company is dragged into an investigation, you must have full indemnity. Without it, there is no chance to recoup any related legal and investigative costs. Any FCPA violation is a material breach of contract, but without a clause detailing how such a violation will immediately terminate the contract without notice and cure, you will have to give written notice and the opportunity to cure. That process can be lengthy and may take too long to satisfy the DOJ or the Securities and Exchange Commission (SEC).

Keep track of your third parties’ financial health over time. It will grant you awareness of any upcoming financial disasters such as bankruptcy and any related bribery and corruption risks. Requiring that your third parties provide you with annual audited financial statements is a great way to address this. Formalize the incentives for third-party compliance by tying compensation into long-term compliance performance. Develop some key performance indicators (KPIs) to track performance. These KPIs can help rank your third parties, in addition to other factors. You can use performance, length of relationship, and other benchmarking metrics for ongoing risk ranking. You can further turbocharge your oversight by embracing automation.

Automating your third-party due diligence process

Third-party due diligence is the process of vetting and continuous monitoring of third parties (vendors, suppliers, partners, beneficial owners etc.) for critical red flags across ethics, compliance, legal, ESG, and other categories. The overarching laws and regulations are always changing, and compliance depends on real-time understanding of the shifting landscape. Additionally, areas for high risk for third parties are never set in stone. Rather than let the shifting landscape derail your third-party due diligence efforts, you can embrace change as a constant by automating your process.

The goal here is to reduce the risk of reputational damage and financial penalties, therefore the challenges that face your third-party due diligence program can spell disaster if left unchecked. Your program can be tanked by the inability to scale due to resource constraints, including the volume of third parties, the lack of processes and procedures, and false positives. Every component of your third-party due diligence workflow can benefit from automation. These include:

  • Inherent risk and triage
  • Automated screening
  • Risk-based assessment
  • Enhanced due diligence
  • Ongoing monitoring

Manage the scope of your third-party due diligence program with OneTrust Third-Party Due Diligence. Transform your compliance program and spend less time on manual assessments with domain-specific third-party management functionality, consolidated third-party lifecycle management, seamless risk mitigation, ongoing monitoring, audit-ready reporting, and contract management.

Compliance programs need an operationalized, scalable strategy for due diligence and beyond. Learn the steps to fully operationalize your third-party risk management program with this free checklist. Download the CECO’S third party checklist today.


You may also like

Webinar

Third-Party Risk

Third-Party risk management and due diligence: What's the difference and why does it matter?

In this webinar, we’ll discuss the unique competencies of third-party risk and due diligence programs and examine when and how to align them.

May 08, 2024

Learn more

Webinar

Third-Party Risk

Live demo EMEA: Building your third-party risk management program with OneTrust

Join our webinar to learn how you can build an well-rounded Third-Party Risk Management Program that works for your organisation

April 23, 2024

Learn more

Webinar

Supplier Sustainability & Responsibility

Modern slavery: Identifying exploitation and managing forced labor risks

In this webinar, OneTrust and Andrew Wallis, CEO at Unseen, will discuss the scale and impact of modern slavery on businesses' global supply chains.

March 14, 2024

Learn more

eBook

Ethics Program Management

Business messaging apps: A guide to corporate compliance

How can your business use third-party messaging apps while staying compliant? Dive into key usage considerations based on the DOJ’s 2023 guidance.

February 13, 2024

Learn more

Infographic

Third-Party Risk

4 top-of-mind challenges for CISOs in 2024

What key challenges do CISOs face going into the new year? Download this infographic to hear what experts from industries across the board have to say.

January 30, 2024

Learn more

Webinar

Third-Party Risk

A look back at 2023 & third-party management trends for the new year

Join this webinar as we discuss key trends for third-party management and lessons learned over the last year.

January 24, 2024

Learn more

Webinar

Third-Party Due Diligence

Best practices for conducting third-party due diligence for ethics & compliance​

Join this webinar for best practices for conducting third-party due diligence for ethics and compliance.

January 11, 2024

Learn more

Webinar

Ethics Program Management

Ethics Exchange: Third-party applications and ephemeral apps

Learn practical advice on how to navigate the risks of ephemeral apps and employee privacy in BYOD world.

December 05, 2023

Learn more

Webinar

Third-Party Risk

Elevating third-party safety: The art of TPRM and TPDD integration

Join our webinar to learn the primary goals of successful Third-Party Risk and Third-Party Due Diligence programs.

November 21, 2023

Learn more

Webinar

Speak-Up Program Management

Navigating the EU Whistleblower Protection Directive: New rules, new risks

Join our expert-led webinar where we explore the EU Whistleblower Protection Directive and practical steps towards compliance. 

November 02, 2023

Learn more

Webinar

Ethics Program Management

Ethics Exchange: Risk assessments

Join our risk assessments experts as we discuss best practices, program templates, and how provide an assessment that provides the best value for your organization.

October 25, 2023

Learn more

Webinar

Ethics Program Management

Ethics Exchange: Investigations

Join our live webinar and learn how to conduct comprehensive ethics investigations that are trustworthy and efficient.

September 07, 2023

Learn more

Infographic

Third-Party Risk

What are your third parties not telling you?

Learn how to actively screen and monitor your third parties in the OneTrust Third-Party Risk Exchange.

July 24, 2023

Learn more

Webinar

Third-Party Due Diligence

Driving excellence in third-party risk management: An in-depth look at different due diligence approaches

Join our in-depth webinar and learn how to define third-party due dilligence levels and when to apply them during your vendor management lifecycle.

July 20, 2023

Learn more

Webinar

Third-Party Due Diligence

A shortcut to third party due diligence fundamentals

In this webinar, we examine the scope of third-party due dilligence, best practices, and industry trends driving greater scrutiny on third parties.

July 13, 2023

Learn more

Webinar

Third-Party Due Diligence

Sanctions and export controls: Ensuring compliance

Watch our live expert webinar on understanding global sanctions and export controls and how to reduce your organiztion's risk exposure and ensure compliance.

June 29, 2023

Learn more

Video

Third-Party Risk

Third-party management demo

See how OneTrust's third-party management solution can help scale your third-party lifecycle and evaluate vendors with real-time risk intelligence.

June 27, 2023

Learn more

Webinar

Third-Party Risk

Bridging the gap: How procurement and InfoSec can work together to reduce third-party risks

Join our upcoming webinar as we explore the pivotal ways procurement and InfoSec teams can collaborate to reduce third-party risks.

June 08, 2023

Learn more

Webinar

Third-Party Risk

Unpacking the third-party risk regulatory landscape in the Nordic region and beyond

In this live webinar, our expert panel discuss emerging third-party risk regulatory trends in the Nordic region and show how OneTrust can help your business stay complaint.

May 30, 2023

Learn more

eBook

Third-Party Due Diligence

The global regulations driving third-party due diligence

Download our eBook learn how to start building a robust third-party due dilligence (TPDD) strategy that protects your brand and minimizes risk.

May 30, 2023

Learn more

Webinar

Third-Party Due Diligence

Ethics live Demo: Third Party Due Diligence webinar

Learn how OneTrust's Third-Party Due Dilligence, backed by Dow Jones, can help provide your business the data it needs to find trustworthy third parties and mitigate risk.

May 18, 2023

Learn more

In-Person Event

Ethics & Compliance

Ethics Exchange: Practical deep dive for third-party due diligence

Organizations are accountable for third-party actions, so they need robust due diligence to protect their reputation. Learn more at our ethics exchange event.

May 11, 2023

Learn more

Checklist

Ethics Program Management

Policy on development and administration of policies template

Get a head start on your ethics program and create a policy on development and administration of policies with our customizable template.

May 10, 2023

Learn more

Webinar

Third-Party Due Diligence

Maturing your third-party due diligence program: Process, data & technology

Experts at OneTrust and Dow Jones discuss third-party due diligence, covering industry trends, challenges, and how to streamline the process with technology.

April 27, 2023 1 min read

Learn more

Webinar

Third-Party Risk

Third-Party management secrets: Aligning risk management and due diligence

Watch this webinar to learn how to align your TPRM and TPDD programs to achieve workflow efficiencies and the distinction between the two discipline areas.

April 20, 2023

Learn more

Webinar

Ethics & Compliance

Unpacking the global third-party due diligence regulatory landscape

Learn how a strategic plan for compliance can help companies eliminate human rights and environmental violations and avoid costly consequences.

March 06, 2023

Learn more

Webinar

Ethics & Compliance

Third party due diligence – A practical deep dive

In this session, we'll look into the scope of third-party due diligence and a deep dive into practical implementation aspects and best practices for organizations.

December 13, 2022

Learn more

Report

Trust Intelligence

Trending toward trust

The "Trending toward trust" report from OneTrust highlights seven key trends that organizations need to know.

December 12, 2022

Learn more

Webinar

Ethics & Compliance

The number one metric for effective compliance programs: Continuous improvement

Join our webinar to learn how to develop and/or maintain a High-Quality E&C Program and what role data analytics play in improving your compliance program.

November 27, 2022

Learn more

Webinar

Ethics & Compliance

Best practices for conducting third-party due diligence for ethics & compliance

In this session, we'll explore the scope of third-party due diligence and best practices, such as industry trends driving greater scrutiny on third parties.

November 16, 2022

Learn more

Webinar

Ethics Program Management

Live demo: Conflicts of interest management webinar

Learn how to develop a holistic disclosure program, how to make it part of your risk assessment, and how to use it to meet regulatory obligations.

November 01, 2022

Learn more

Checklist

Ethics & Compliance

The CECO’s third party checklist

Use this checklist to ensure that your ethics and compliance program is effectively managing third parties across the entire relationship lifecycle.

October 28, 2022

Learn more

eBook

ESG & Sustainability

The CECO’s guide to managing third parties eBook

Download this eBook to learn the six steps in the lifecycle of risk-based third-party due diligence, compliance terms, and conditions, payment terms, etc.

October 27, 2022

Learn more

White Paper

Ethics & Compliance

Central vs. local intake and case management under the EU Whistleblowing Directive white paper

Download this white paper to learn the specific intake and case management requirements for local subsidiaries and offices across Europe.

October 25, 2022

Learn more

Webinar

Ethics & Compliance

The role of disclosures in risk assessment and management

In this webinar, we’ll discuss developing a holistic disclosure program, making it part of your risk assessment, and using it to meet regulatory obligations.

October 04, 2022

Learn more

White Paper

Ethics & Compliance

What CCOs need to know about the DOJ compliance certification requirement white paper

Download our white paper to learn how the DOJ’s new policy will empower CCOs, and discover what opportunities this new policy presents for your program.

September 01, 2022

Learn more

Webinar

Ethics & Compliance

How to transform your ethics management program through effective employee engagement

In this webinar, we’ll discuss how to develop a successful ethics management program and how to promote trust by developing awareness.

July 28, 2022

Learn more

White Paper

Ethics & Compliance

DOJ’s 2020 update to the evaluation of corporate compliance programs

This white paper explores the 2020 DOJ Compliance Guidance Update and where it takes corporate compliance programs this year and beyond.

July 15, 2022

Learn more

Checklist

Ethics & Compliance

DOJ self-assessment checklist

This enhanced DOJ guidance sets out a baseline, or the minimum standards, to demonstrate an effective ethics & compliance (E&C) program.

July 08, 2022

Learn more

Webinar

Ethics & Compliance

Conflicts of interest and disclosures

Join this roundtable with your peers and experts in ethics and compliance to discuss how to build a successful conflict of interest management program.

July 08, 2022

Learn more

Webinar

Ethics & Compliance

Effective policy governance and distribution

Join this roundtable to discuss how to create effective policies, run effective campaigns and report on each policy’s performance and influence. 

July 08, 2022

Learn more

Webinar

Ethics & Compliance

GDPR and the EU Whistleblower Protection Directive webinar

Join this webinar to learn how to review your whistleblowing processes to comply with the EU Whistleblower Protection Directive, the GDPR and others.

July 06, 2022

Learn more

Webinar

Ethics & Compliance

Hotline reporting under the EU Whistleblower Protection Directive: Unseen consequences, issues & practicalities

While there have been many articles and discussions around the EU Whistleblower Protection Directive, several significant issues have largely gone unnoticed. 

July 06, 2022

Learn more

Webinar

Ethics & Compliance

A hotline innovation masterclass: communications, awareness & confidentiality

Learn how to effectively train and raise awareness on your hotline and how to share information on the Directive so that your company remains compliant.

July 06, 2022

Learn more

Webinar

Ethics & Compliance

Evaluating hotline vendor compliance with the EU Whistleblower Protection Directive

Join us to learn how to choose a hotline vendor, and we also cover the onboarding and implementation process so that you can meet the Directive's deadline.

July 06, 2022

Learn more

Interactive Tool

Ethics & Compliance

Compliance KPIs worksheet interactive tool

Use this worksheet to understand what data you currently have, what you're lacking that may be important, and what certain data points may indicate.

July 05, 2022

Learn more

Webinar

Ethics & Compliance

Whistleblower retaliation under the EU Whistleblower Protection Directive: the reverse burden of proof

Learn how to implement anti-retaliation measures, and how to detect retaliation throughout the whistleblowing process using some new and novel techniques.

July 05, 2022

Learn more

eBook

Ethics & Compliance

14 key requirements to effective conflicts of interest management

Read this eBook to learn the key requirements that are fundamental to building a successful conflict of interest management program.

June 30, 2022

Learn more

Checklist

Ethics & Compliance

Annual compliance program checklist

Download our annual review compliance checklist to evaluate your E&C compliance program, identify key gaps, and prepare for the future.

June 30, 2022

Learn more

Webinar

Trust Intelligence

Become a trusted brand: 7 ways to promote your security, privacy, ethics and ESG programs

We discuss key points, such as choosing which certifications count the most to your business and how to save time when answering questionnaires.

June 20, 2022

Learn more

Checklist

Ethics & Compliance

Anti-retaliation checklist for compliance programs

Use these 19 questions to take a holistic look at how your program can improve training, investigations, policies, & more to prevent retaliation before it occurs.

June 17, 2022

Learn more

Checklist

Ethics & Compliance

EU Whistleblower Directive checklist

Assess your company's EU Whistleblower Directive compliance with this interactive checklist. 

June 16, 2022

Learn more

eBook

Ethics & Compliance

Ultimate guide to the EU Whistleblower Protection Directive

Download our free eBook on the EU Whistleblower Protection Directive learn its key requirements, who's protected, and answers to common questions. 

June 07, 2022

Learn more

Webinar

Privacy & Data Governance

7 ways trusted brands promote their security, privacy, ethics, and ESG programs

Watch this free webinar and learn 7 ways trusted brands promote their security, privacy, ethics, and ESG programs.

May 17, 2022

Learn more

eBook

Ethics & Compliance

The secret to effective policy management

Download this eBook and discover how a centralized policy management system helps drive compliance and ethics policy effectiveness. 

May 11, 2022

Learn more

eBook

Ethics & Compliance

How to build a speak-up culture

Download this step-by-step guide on building a speak-up culture and improve reporting rates. 

April 25, 2022

Learn more

eBook

Ethics & Compliance

Quick guide to the EU Whistleblower Directive

Use this guide to learn how the new EU Whistleblower Directive will be enforced, who is subject to it, and how to comply with it.

April 20, 2022

Learn more

Infographic

Ethics & Compliance

Infographic: The impact of an effective helpline on speak-up culture

Download this infographic and learn how an effective helpline is key to building a speak-up culture. 

April 08, 2022

Learn more

Interactive Tool

Ethics & Compliance

A simple conflict of interest disclosure form template

Download and customize this conflict of interest disclosure template to begin collecting voluntary disclosures at your organization.

April 05, 2022

Learn more

Webinar

Third-Party Due Diligence

7 best practices for conducting third-party due diligence for ethics & compliance

Watch this webinar and learn the seven best practices for third-party due diligence. 

January 03, 2022

Learn more

Webinar

Privacy & Data Governance

Data breach vs. ethics breach: How to prepare for both

In this webinar, we review case studies and tips from recent breaches and analyze which situations qualify as an "ethics breach."

July 07, 2021

Learn more

eBook

Ethics & Compliance

Creating an effective code of conduct

In this eBook, learn how to create an effective code of conduct with six key steps. 

June 01, 2002

Learn more