Last month, Centry blog featured an article on identifying tells associated with Third Party Risk as it relates to your business. Today, we will dive into the basics of what comes next – conducting due diligence.
What is Due Diligence?
Due diligence is the act of making reasonable inquiries of an individual or entity that has been flagged as a potential risk.
The first step is to have a written policy, which ought to be followed with significant documentation – there should be a due diligence file for each individual investigation. However, when creating due diligence policy, there is no one size fits all solution. Thus, a business should engage in risk ranking and develop a policy according to it.
Where Do We Start?
Figure 1. Course of Action
This may sound like a lot to organize, especially around unique cases, but there is a step-by-step approach to implementing the due diligence program.
Step 1. Classify Third Parties
We established the different classifications of Third Parties in our Quick Tips to Recognize Third Party Risk article. For a quick refresher, these can be any of the following:
Commercial third parties (e.g. agents and distributors), regulatory third parties, vendors/suppliers, professionals, and local officials.
Decide where the object of interest falls in one of these categories and then you will be able to progress to the next step.
Step 2. Develop a Risk-Ranking Formula
It is important to create an objective ranking system rather than a subjective one that relies on gut feelings and personal perspectives. Applying a consistent risk formula and policy is the best way to protect both the due diligence system and your organization.
A value should be assigned to each category of risk according to how important it is. A practical way to define the value of each risk category is a scale of 0 to 100, as seen in the following chart, where low risk is 0-30, medium risk is 31-70, and high risk is 71-100. At the low risk threshold, only a basic level of due diligence is necessary. As the risk value escalates, more emphasis should be put on the inquiries, potentially leading to a formal investigation.
Figure 2. Example Risk Value Graphic
In the chart below, you may visualize the weight of each risk category. It should also be considered that combinations of categories raise the risk level of the subject.
Figure 3. Example Risk Classification Pie Chart
With the risk value of the individual/entity established, the due diligence process can continue.
Step 3. Monitoring and Auditing
The most important thing to keep in mind is that due diligence is fluid. Things can change as new events and connections occur and new information becomes available. It is therefore best to have an annual auditing plan, developed using a specific risk formula. Depending on the business, the available auditing resources, and the risk criteria, specific steps can be taken based on thresholds of risk value. For example, one may issue spot-checks on specific issues when a certain threshold of risk is reached. There may also be transaction testing, desktop or phone audits, and formal audits.
To safely conduct due diligence, the file for each investigation should be substantial. Consider it a running log of the due diligence process. The file should contain every piece of information related to the investigation and every action taken. At appropriate points, it should also include attorney approvals for actions proposed and taken. In very high risk circumstances, it should include an Advice of Counsel letter.
If there are any questions on how to proceed further with due diligence, a representative at Centry would be happy to help. Feel free to contact us at firstname.lastname@example.org.
This article was written by Kristina Weber, Content Supervisor of Centry. She holds a Bachelor’s Degree in History from the University of Calgary.