September 4, 2020
Due diligence, is it working?
After each scandal or revelation involving a third-party, there tends to be an examination as to why due diligence (DD) failed. Agents involved in tax dodges and offshore fronts, suppliers flouting human rights, distributors bribing end-users, logistics providers paying officials… the list is endless.
In many of these cases DD was done, so why is more DD the answer. Are you happy with your due diligence? Should we keep repeating the same experiment expecting different results? Or is it time to reform and reframe it?
D’you due diligence?
How do you view DD? In many of the organizations I deal with, it’s a real headache. Compliance teams are swamped. Business teams (tasked with obtaining data) are resistant. Why?
- Paperwork (and cost)
- Places the third-party and you in a somewhat adversarial position (a common gripe in this region)
- It’s a retrospective exercise (certifications and ‘red flags’), not attitudes to future (likely) ethical challenges
There are good counters to these complaints, but don’t dismiss them. Ignoring objections seldom further any cause. There’s truth on both sides of the DD debate.
The smoke ‘n’ mirrors ‘background check’
I should disclose that I spent years conducting integrity DD assignments. It didn’t always feel like a good use of time and resources. Typically the ask was for “Level 1, 2, or 3” reports:
- Putting names of prospective/actual third-parties (business partners, clients for KYC purposes, suppliers, vendors, agents, etc.) and sometimes the names of key managers and owners through various ‘dirty word’* searches and ‘blacklists’**.
- The above, with more research of (social) media and the internet to give more nuance beyond the binary “Was there a negative hit: Y/N” approach in Level 1 reports.
- Level 2, with “source enquiries”.***
* Dirty word searches mean adding things like “corrupt” to the business name, running a search, and seeing what comes up.
** Blacklists are databases cataloguing people and organizations places on sanctions lists, debarment lists, etc. They’re notoriously limited or misused. For example, going through the process of checking the FBI’s most-wanted terrorists database for every third party, including widget manufacturing companies in Shenzen.
*** Source enquiries are catch-all for anything from reference checks, to some genuinely insightful accessing of individuals who know (or know of) the subject(s) of the due diligence. Not all DD providers are created equal here (reliable networks are about people and trust, that sits with individuals within companies, not the companies themselves).
What’s wrong with this approach?
Many firms profile to decide which third-parties should be subject to which level of DD. Profiling is often done along ethnographic lines, considering “high-risk markets”.
This needs to change. Some organisations have fantastic systems to risk-rank, using nuanced data (including analytics), but others opt for a corruption or money laundering global ranking (or equivalent) as a starter for 10.
If analytics isn’t here for you yet, some better ways to triage your due diligence data:
- Business case: Why are you considering the third-party? A surprisingly obvious one, and when the response is things like, “because this official told us we had to,” or “they’re the only provider in the market,” “because we need the business,” or, my favourite, “They’ve got great access to government officials,” ask more questions!
- Exposure: Are they handling high-stakes negotiations? Interacting with public officials? Representing your brand? Sourcing resources in areas where there is heightened slavery exposure?
- Insight: Do you REALLY know how they do what they do? Do you understand the tax process that your accountant is representing you in? Do you know the importation rules and Customs tariffs?
A few why, what, and how questions are a better place to start when risk-ranking/profiling. If this sounds like even more work, have a look at your average onboarding form. 10 (max. 20) of these questions (a 10-20min chat) would save hectares of forests (or kilowatts of energy powering cloud servers) from becoming DD disclosure forms.
What about due diligence technology?
The A.I. and data analytics ninja disruptors out there don’t need me to do their advertising. There are some fantastic disruptors shaking-up the traditional DD market. But, again, not all are created equal.
If the tech is mapping connections or crunching (smart) DD questionnaires to better risk-rank, great. But, if it’s still just about profiling (using the corporate equivalents of facial recognition and location-tagging) you’re missing a trick.
Make sure you’re capturing business case, exposure, and insight indicators, before working with, not on, your third-parties…
But doesn’t due diligence sift out bad apples?
Risk-ranking and rationalizing of your third-parties is important, it should (and does, sometimes) sift out the more problematic (potential) partnerships.
But good people do bad things, and bad things happen to good people, often driven by a desire to help. For example, the freight forwarder who you’re chasing to deliver a piece of heavy equipment, who then pays of the Customs official to expedite the shipment. Or the supplier with the regular (and vetted) sub-supplier of a commodity who suddenly goes out of business, just as a big order comes in from you with late delivery penalties.
Supporting vs. ‘screening’
As a small business owner I am regularly filling out “vendor onboarding” forms. Given the line of work I’m in, it can be reassuring, but it can also just feel like a formality, a process for the sake of process. It’s also seldom ever checked or followed-up on.
Instead of CYA (Google it) forms, work with your key third-parties to:
- Explore: attitudes and familiarity with ethics & compliance
- Explain: your expectations and the onboarding process
- Educate: (if needed)
…an effective E&C program is attainable, even at small scale. Many of the larger organizations have content (policies, procedures, etc.) that could help your third-parties get from zero to hero quicker.
If that presents legal (or logistical) challenges, ask us. We’re working with third-parties of large organizations, using our platform to benchmark and then upskill their E&C programs. We’ve developed tools, implementable content, guides, and policies to help SMEs rapidly up their E&C game.
What’s in it for them?
There is (sometimes) this view that companies in developing markets, or SMEs in general, are too immature, don’t care or have the headspace for E&C. It’s a big kid’s problem, not for babies. Big kids playing on the big stage with big rules. Not true. Your third-parties will care and be appreciative of any support for two reasons:
- It’s a competitive advantage to have progressive E&C credentials and to be your client (passing your strict selection criteria is marketing collateral for future clients).
- The ills you’re trying to avoid (corruption, fraud, etc.) feel VERY real to folks in SMEs and/or emerging markets; they’re a serious risk factor and often a blight on their daily lives (outside work).
Stop wasting money on DD for the sake of DD, for CYA. Especially if it’s a reluctant purchase. Make it risk-based, make it intelligence-led, make it a collaborative process.
Do your DD on your DD to avoid getting into DD (doo-doo).