By Kristy Grant-Hart
“Wait, they want three months of the CEO’s personal bank statements? Are they insane?” This was a real request to one of my clients via a due diligence questionnaire. When I called to inquire with the requesting company why they needed this, they said that they wanted to ensure that the CEO wasn’t receiving “unusual payments” that could be a bribe.
Due diligence questionnaires are a critical tool for understanding third-parties. But they can quickly get out of control, putting unreasonable burdens on the answering party, and at worst, invading the privacy of individuals in wholly unnecessary ways.
How do you balance the legitimate need for information with the reality that no questionnaire can fully protect the company from the possibility that the third-party will misbehave? Here are three do’s and don’ts when it comes to due diligence questionnaires.
Don’t Ask For Information That Won’t Stop The Third-Party From Being Approved
Most due diligence questionnaires are far too overreaching. The rule should be this: if you wouldn’t deny a third-party if the answer is negative, don’t ask the question.
Some questionnaires ask if any employee has ever been convicted of a misdemeanor. First of all, as many companies have thousands of employees, how could they possibly answer this in good faith? Secondly, if a key manager had a shoplifting offense or marijuana conviction from twenty years ago, would this stop the third-party from being engaged by your company? If the answer is yes, ask the question. If the answer is no, don’t.
Do Ask All Questions Your Require for Your Risk Ranking and Approval
You probably need to know information about the ultimate beneficial owner(s) of any higher-risk third-party working with your company. You also probably need to know the names and titles of key managers, as well as if the company has ever been convicted of bribery or other compliance-related offense. Ask all of the questions you need up front so you’re not going back to the third-party again and again. Have an “if yes” methodology that allows the third-party to explain itself if it answers important questions in the affirmative.
Don’t Neglect to Coordinate with Other Functions
Many third-parties are inundated with multiple questionnaires by a company. Information Security, Information Technology, Sustainability, Corporate Social Responsibility, whoever is in charge of modern slavery and human rights, Privacy… the list goes on and on. Don’t finalize your due diligence questionnaire without contacting all of the departments that may need information from the third-party. Instead…
Do Contact Other Functions to Find Out What Information They Need
If at all possible, all third-parties should only have to answer ONE questionnaire from your company. Talk to Procurement, IT, IS, Sustainability and anyone else that may interact with the third-party so that only one questionnaire goes out.
Don’t Make Everyone Go Through The Same Level of Scrutiny
No regulator expect that all third-parties go through the same level of due diligence. For example, a re-seller in Denmark should be subject to less due diligence than a sales agent in Mozambique. Your methodology could dictate that supplier from Denmark undergo only a sanctions check, while the sales agent from Mozambique undergo a full enhanced due diligence review. Create a pragmatic risk-ranking methodology that would stand up to regulatory scrutiny.
Do Consider Certifications or the Companies’ Report
More and more organizations are streamlining the due diligence by working with a collective organization or undergoing certification. Organizations like SEDEX pool independent third-party audits onto a single platform so the third-parties don’t have to go through multiple audits from multiple companies. Likewise, TRACE International offers members the capacity to see the results of the TRACE certification process and the answers provided by third-parties to a lengthy due diligence questionnaire. An ISO 37001 certification by an accredited certification body shows true adherence to all regulatory anti-bribery due diligence requirements.
Do any of these certifications or aggregated audits mean that you should do no due diligence on the third-party? Of course not. You should always ask questions to understand what the third-party will be doing for your company and to understand their background. However, if the third-party has chosen to put itself through a certification or audit process, consider this to reduce the burden of due diligence both on your company and on the third-party.
By rationalizing the due diligence process and employing a proper risk-ranking methodology, you can ensure the security of your company while simultaneously implementing a pragmatic and rational due diligence process.
Kristy Grant-Hart the author of the book “How to be a Wildly Effective Compliance Officer.” She is CEO of Spark Compliance Consulting. She can be found at www.ComplianceKristy.com, @KristyGrantHart and emailed at KristyGH@SparkCompliance.com.