I recently joined a team on a compliance consulting project for a growth-stage business that is in the process of expanding internationally and preparing for a significant Series A funding round. It was supposed to be a simple, small engagement, focused on reviewing the database of 3rd party service providers and defining a due diligence approach that manages the risks efficiently and is cost-effective. 3rd party risk in the client company had just been elevated to a high priority level, as part of strengthening the core ahead of the funding round scrutiny.
While discussing the approach, it became clear that the client was uninformed about the significance of the existing regulations and, as a consequence, was rather unpleasantly surprised by the extent of work needed to perform due diligence on all 3rd parties and by the associated accountability of the board.
As part of the business’ risk profile, reviewing the due diligence of 3rd party relationships would establish whether the business is assuming more risk than it can identify, monitor, manage and control. The board retains accountability for the relationship with 3rd parties.
Due diligence on 3rd parties is common practice in global organizations where risk management is taken seriously, but since there is no minimum level of due diligence set by regulation, a fair share of companies take this work lightly, keeping compliance at checklist level.
With the vast improvements in technology and communications, it is now possible for small to medium-sized businesses to operate beyond their geographical boundaries. From a business risk management perspective, international partners bring a number of challenges.
For growth-stage businesses, the intensive ‘know-your-customer’ process is one of many growing pains. These expanding operations are more vulnerable since they operate with fewer resources and less legal advice, and have less power to impose rigorous due diligence on their new international partners. Growth-stage companies would not necessarily prioritize 3rd party vetting automation and audits. Often, the vetting comes after the fact, once the transaction has taken place and risk control has become ineffective.
Growing with 3rd parties is a double-edged sword. Employing agents and distributors reduces the initial investment needed to enter and test a new market. But relying on third parties also brings greater risks of bribery, money laundering and other improper conduct. The growth imperative often dominates strategy execution, and the 3rd party risks remain underestimated. As a result, due diligence processes are often not put in place until late, when external pressure intervenes, such as a supply chain crisis, regulatory reviews or shareholder demands. At that stage, the effort and cost implications come as a very unpleasant surprise. It is also very likely that some risks can no longer be mitigated.