Five Key Questions for Assessing Integrated Third Party Due Diligence Systems
By Michael Volkov, CEO and Owner, The Volkov Law Group, LLC
Compliance professionals are routinely asked to do more with less. It is the burden of the profession—juggle as many balls as you can and do not make any mistakes.
That trend is beginning to change. Compliance professionals are getting more resources and more responsibilities to manage more functions and more information. In this Internet Age, there is nearly an infinite amount of easily-accessible information available on third parties.The efficient management of that information is an industry in its infancy.
In the past, compliance professionals focused on gathering data and worried about whether or not they had enough. That dynamic is being replaced by a set of new concerns—do you know what to do with all the information you have and how to best use it?
INTEGRATED DUE DILIGENCE SYSTEMS
At the heart of the third party due diligence process is the ability to analyze and sift vast amounts of data to focus on relevant issues, weigh risks and then make informed decisions based on an assessment of those risks. Companies are facing a critical need to adopt a universal approach that integrates risk identification and better manage their due diligence processes.
Luckily, the compliance marketplace is responding to this need and is fast developing a technology-based solution: integrated due diligence systems.
Integrated due diligence systems provide a full picture of the due diligence process at every step of the process. They are designed with a sophisticated understanding of technology combined with a thorough understanding of risk—and the need for a documented, risk-based due diligence process. Such systems will be a critical part of deploying compliance resources efficiently and ensuring a customized approach to meeting organizations' unique needs.
The industry is moving rapidly to develop these solutions, and there are a number of companies that claim they can provide such services. Those claims have to be tested. Compliance professionals need to assess these claims carefully and vet such systems to make sure the vendors meet their needs now and in the future.
KEY QUESTIONS TO ASK WHEN EVALUATING AN INTEGRATED THIRD PARTY DUE DILIGENCE SYSTEM
When choosing among the offerings in the marketplace, the following five questions are critical to selecting an integrated due diligence system:
1 - Does the system offer a dashboard access point for all due diligence workflows and reports?
A strong system should have a single access point that provides you with a summary of all ongoing compliance processes and flags any areas of concern that need your attention. The ability to filter alerts based on your organization’s needs is critical to ensure that you do not waste time responding to “false” alerts.
2 - Does the system offer comprehensive, automated, ongoing risk screening?
This question raises two important issues—comprehensive screening and monitoring functions. It is one thing to take a snapshot and get a result—it is another to monitor the picture to see if any changes in circumstances occur. If a change in status of a party occurs, the system should notify you so that you can update the due diligence results and respond to the changed circumstances in whatever way is appropriate.
3 - Does the system automate risk management with a risk analysis algorithm or similar tool— and does it allow for analyst-led activity when needed (and only when needed)?
When evaluating a due diligence provider’s approach to risk management, consider the total cost of ownership. Many third party due diligence providers claim to offer an integrated due diligence system, but then push you toward analyst-led due diligence—which is expensive and time-consuming (and can ultimately be risky). Compliance professionals need a product that will automate the risk analysis process using sophisticated algorithms based on experience and expertise. That will ensure that more costly analyst-led due diligence will only be needed when it is really needed.
When analyst-led due diligence is necessary, a cutting edge due diligence system will provide an integrated, automated mechanism for the analysts to update a third party’s record with their report reviews and enhanced due diligence output. Integrating the workflow between analyst and the system is key to creating operational efficiencies and ensuring compliance professionals spend their time on analysis and research— not administration. Furthermore, a risk evaluation method that produces frequent false positives that require analyst-led due diligence is a waste of resources and should be avoided.
4 - Does the system allow you to align your internal processes to the process management system?
An integrated due diligence system is only useful to your organization if it can align with best practice processes. A third party due diligence provider should be flexible and able to configure its options and report types to meet your needs. This is true for both the inputs your compliance process needs (e.g. questionnaires, commercial data or internal forms) and the outputs (e.g. risk ranking results, reports at each decision point or upon request by a manager).
Some related questions you’ll want to ask include:
- Are all materials produced in the local languages where your organization does business?
- Do managers and employees in your organization generate reports using an automated system to facilitate review and approval?
- Can third party questionnaires be customized to reflect specific information or unique circumstances in your organization?
5 - Does the due diligence system meet documentation requirements— documenting all due diligence, monitoring and auditing processes?
As any compliance professional knows, documentation of each step in the process, each piece of information, each analysis and each reasoned decision is critical to an effective compliance program. If it isn’t written down how do you prove it happened later?
An effective third party due diligence provider understands this requirement and will ensure that each step is not just documented when it happens, but will be available to look at in the future. This should include the ability to make each report easy to find and accessible to all managers and employees who need the information. It is important to make sure a potential due diligence provider understands this issue and has worked to make the documentation and retrieval process simple for you.
Companies face significant challenges in managing their third party agents, distributors, vendors and suppliers. A culture of ethics and compliance can only be embedded in a company when its third parties adhere to a company’s policies and procedures. In the absence of an effective and efficient third party management system, companies will continue to risk significant breakdowns in compliance and face the real prospect of government enforcement actions.
ABOUT THE AUTHOR
Michael Volkov, CEO and Owner, The Volkov Law Group, LLC
Michael Volkov, CEO and Owner of The Volkov Law Group, LLC, maintains an FCPA blog—Corruption, Crime & Compliance. He is a regular speaker at events around the globe, and is frequently cited in the media for his expertise on criminal issues, enforcement matters, compliance and corporate governance. In February 2013, Michael Volkov created the Volkov Law Group, a firm specializing in compliance, internal investigations and white collar defense.
The Volkov Law Group is affiliated with NAVEX Global. The views expressed in this article, however, reflect its own assessment and opinions of the integrated due diligence industry.
About NAVEX Global, Inc.
NAVEX Global is the worldwide leader in integrated risk and compliance management software and services. Trusted by more than 14,500 customers, our solutions help organizations manage risk, address complex regulatory compliance requirements and foster an ethical, highly productive workplace culture.