Your Quick Guide To Managing Ethics & Compliance

Declaring & Diagnosis

Two things usually happen when doing the diligence before investing in, appointing, or otherwise engaging a third party.

1. We ask them to make a bunch of declarations

2. We assess the risk implications

On a recent project (interviewing impact investors), some preferred to have the proposed investee self-assess business integrity risks. Others favoured conducting that diligence in-house (document reviews, interviews with investee personnel, etc.). Each approach has pros and cons.

We’ve published several self-assessment tools (compliance maturity, fraud, investment fit, etc.). The output is often sobering. For instance, an entity safeguarding vital (potentially high-risk) national infrastructure scored 16% for fraud prevention. Anyone minded to conduct one of our assessments may want to know their actual risk exposure and take action. However, that is not true when the inherent conflict of money appears.

A few years back, we were doing the risk assessment and diligence (for an investor) into a financial institution. The investor suggested we ask the investee to complete a self-assessment before our work to benchmark against reality. It was an eye-opener. The investee gave themselves the best score I’ve ever seen. One that well-resourced MNCs seeking to satiate the Department of Justice would drool over. The ensuing reality was in stark contrast – one of the worst integrity risk frameworks I’ve ever seen. The investee needed the investment = a conflict.

When we ask someone who (typically) needs our money if they manage risks the way we expect them to, they usually respond with a flurry of ‘yes’ ticks.

Should we dispense with declarations and self-assessments? Most would say no, as they also serve an evidential and legal purpose (“true to the best of my knowledge, etc.”). Additionally, positive declarations can be interrogated (“please provide evidence”) or more gently questioned during the diligence process. For these reasons, I don’t mind whether you opt for asking third parties (including investees) to self-declare or you go to the (considerable) effort of verifying for yourself (interviews, doc review, etc.).

But there is little learning opportunity if we’re only focused on declaration and diagnosis. The best projects I’ve worked on in recent years are with investors (and corporates, especially in energy and healthcare) who look at common pain points (lack of training, weak policies, missing guidance on managing issues X or Y) and do something about it. For example, a healthcare company reliant on 11 distributors serving 14 Asian markets identified weak controls around bid management (anti-competition, conflicts of interest, bribery) as a systemic issue (present in five of the 11). They duly held a workshop (open to all 11 but mandatory for the five) on managing this issue. They also shared a sanitised version of their internal SOP. They’d potentially saved considerable pain in those few hours it took to prep and deliver the workshop.

If you lack the time or capacity to provide that kinetic level of support, fair enough. It’s a gap we hope to plug. We’re busy consolidating hundreds of pieces of content (guides to policies to training) into a repository that a less mature third party could use to address potential gaps. Stay tuned…
