The Basics of Due Diligence

Last month, the Centry blog featured an article on identifying tells associated with Third Party Risk as it relates to your business. Today, we will dive into the basics of what comes next – conducting due diligence.

What is Due Diligence?

Due diligence is the act of making reasonable inquiries of an individual or entity that has been flagged as a potential risk.

The first step is to have a written policy, which ought to be followed with significant documentation – there should be a due diligence file for each individual investigation. However, when creating a due diligence policy, there is no one-size-fits-all solution. Thus, a business should engage in risk ranking and develop its policy accordingly.

Where Do We Start?


Figure 1. Course of Action

This may sound like a lot to organize, especially around unique cases, but there is a step-by-step approach to implementing the due diligence program.

Step 1. Classify Third Parties

We established the different classifications of Third Parties in our Quick Tips to Recognize Third Party Risk article. For a quick refresher, these can be any of the following:

Commercial third parties (i.e. agents and distributors), regulatory third parties, vendors/suppliers, professionals, and local officials.

Decide which of these categories the object of interest falls into, and you will then be able to progress to the next step.

Step 2. Develop a Risk-Ranking Formula

It is important to create an objective system, rather than a subjective system of ranking, which relies on gut feelings and personal perspectives. The use of a consistent risk formula and policy is the best course of action to protect the due diligence system and your organization.

A value should be assigned to each category of risk according to how important it is. To define the value of each risk category, it is efficient to use a scale of 0 to 100, as seen in the following chart, where low risk is 0-30, medium risk is 31-70, and high risk is 71-100. At the low risk level, only a basic level of due diligence is necessary. As the risk value escalates, more emphasis should be put into the inquiries, which may ultimately lead to a formal investigation.

Figure 2. Example Risk Value Graphic

The chart below visualizes the weight of each risk category. Note also that combinations of categories raise the risk level of the subject.

Figure 3. Example Risk Classification Pie Chart

With the risk value of the individual/entity established, the due diligence process can continue.

Step 3. Monitoring and Auditing

The biggest thing to keep in mind is that due diligence is fluid. Things can change as new events and connections occur, and new information becomes available. In this case, it is best to have an annual auditing plan, which is developed using a specific risk formula. Depending on the business, the amount of auditing resources and risk criteria, specific steps can be taken based on thresholds of risk value. For example, one may issue spot-checks on specific issues when a certain threshold of risk is reached. There may also be transaction testing, desktop or phone audits, as well as formal audits.

Document Everything!

To safely conduct due diligence, the file for each investigation should be substantial. Consider it to be like keeping a running log of the due diligence process. The file should contain every piece of information related to the investigation and every action taken. At appropriate points, it should also have attorney approvals for actions proposed and taken. In very high risk circumstances, it should include an Advice of Counsel letter.

If there are any questions on how to proceed further with due diligence, a representative at Centry would be happy to help. Feel free to contact us at info@centry.global.

This article was written by Kristina Weber, Content Supervisor of Centry. She holds a Bachelor’s Degree in History from the University of Calgary.
