2. 1
The generally accepted U.S.
and international guidelines
for conducting anti-corruption
reviews on third parties have
not changed significantly since
the U.S. Department of Justice
and the Securities and Exchange
Commission released its Resource
Guide to the U.S. Foreign Corrupt
Practices Act in November 2012.
Nonetheless, recent trends
indicate stricter scrutiny of supplier
and customer relationships
thus requiring some level of due
diligence. Figure 1 below highlights
a significant increase after 2014 in
the requirement of due diligence
reviews of suppliers, customers/
clients and third party agents or
consultants. In addition to anti-
corruption compliance, potential
drivers of this trend could be due
to an increased recognition of the
value of due diligence in managing
sanctions, supply chain and
reputational risk.
Third Party Risk Management
—What to Consider
M I C H A E L H E L L E R
D I R E C T O R , R I S K A N D C O M P L I A N C E
Figure 1. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey
More than 65% of respondents claim that M&A targets “always” require due
diligence, followed by senior level executives, sales agents and customers/
clients.
66%
60%
59%
58%
56%
50%
63%
57%
60%
63%
62%
51%
70%
52%
47%
43%
43%
28%
M&A targets
Senior level executives/
board members
Sales agents
Customers/clients
Third party agents or consultants
Suppliers
% Mentioning Each as Always Requiring Due Diligence
2016
2015
2014
T A R G E T S R E Q U I R I N G D U E D I L I G E N C E
3. As additional stakeholders
adopt due diligence procedures
to manage third party risk, it is
worth revisiting how to properly
identify and weigh different
factors to achieve a tailored
and efficient approach.
R I S K R A N K I N G
There is no expectation that every
due diligence review requires the
same depth of effort— not all third
parties are created equal. As noted
in the Resource Guide, “DOJ and
SEC will give meaningful credit
to a company that implements
in good faith a comprehensive,
risk-based compliance program,
even if that program does not
prevent an infraction in a low risk
area because greater attention
and resources had been devoted
to a higher risk area.” While there
is of course no ‘one size fits all’
model for companies to follow,
the factors below could influence
the allocation of time, budget, and
resources to the process.
1 . S I Z E O F O P P O R T U N I T Y
How much is the company willing
to spend on the opportunity and
how much revenue will it generate?
For example, is the contract for
$5,000 or $5,000,000? The business
endeavor would not make sense if
the cost of due diligence outweighs
the opportunity or revenue
gain (this includes intangible
advantages). The amount at stake
can impact how thorough the
investigation should be and how
much to invest in the review.
2 . P R O X I M I T Y T O
T H E G O V E R N M E N T
Identify whether the relationship
involves a government agency or
determine how much ownership,
influence or control, if any, can
be attributed to the government.
Independently identifying this type
of information can be challenging,
though fortunately, there are
databases that contain lists of
state-owned enterprises, which
are typically defined by percentage
of government ownership or other
measures of influence such as
control of the board of directors.
Strategic and heavily regulated
industries tend to be the subject
of greater influence by the state.
The Resource Guide notes factors
to consider include “level of
involvement with governments,
amount of government regulation
and oversight and exposure to
customs and immigration in
conducting business affairs.”
3 . C O U N T R Y R I S K
The corruption risk in the country
or countries of the transaction
or relationship should also play a
significant role in the calculation.
Seen in the 2016 Annual Anti-
Corruption Survey conducted by Dow
Jones, 83% of respondents risk-rank
the countries of their third parties as
part of their review process—a 10%
increase from 2015. The survey found
that 72% of corporate compliance
staffers use Transparency
International’s Corruption Perception
Index, and 56% use a compilation of
internal data.
4. A COMBIN AT ION T HEREOF
Government regulators are pretty
clear that the risk rating for all
three of the aforementioned
factors (size of opportunity,
proximity to the government,
and country risk) should have a
significant bearing on the requisite
due diligence. According to the
Resource Guide, “a $50 million
contract with a government agency
in a high-risk country warrants
greater scrutiny than modest and
routine gifts and entertainment.”
5. T Y P E S OF T HIR D PA R T IE S
The nature of the third party
relationship should also factor
into the risk ranking equation. For
instance, corruption and other
risk exposure can be different
when dealing with customers,
vendors, agents, channel partners,
acquisitions, joint ventures or
other business relationships.
Bear in mind that the FCPA “was
enacted for the purpose of making
it unlawful for certain classes
of persons and entities to make
payments to foreign government
officials to assist in obtaining or
retaining business.” Accordingly, it
is important to ask what types of
relationships play the most direct
role in achieving this result.
Seen in the
2016 Annual
Anti-Corruption
Survey
conducted by
Dow Jones, 83%
of respondents
risk-rank the
countries of their
third parties
as part of their
review process—
a 10% increase
from 2015.
2
4. I N D U S T R Y
Certain industries, for a variety
of different factors, can require
additional due diligence measures
to manage third party risk. Recent
enforcement trends in a particular
sector as well as high risk industries
such as defense and oil and gas
can indicate the need for stricter
scrutiny of third party relationships.
O T H E R C O N S I D E R AT I O N S
Any legal, regulatory, or reputational
information already known about
the third party or uncovered
during the relationship and the
questionnaire process should also
be taken into account. Another risk
factor includes payment requests
in countries not related to the
jurisdiction where the transaction
takes place or where the third party
is based, which is especially an
issue when that country has lax
anti-money laundering controls in
the banking sector or is a tax haven.
T H E “ R I G H T ” L E V E L
O F D U E D I L I G E N C E
Risk ranking driven by the
variables outlined above, as
well as the organization’s risk
tolerance, will dictate the time,
budget and resources allocated
to investigative due diligence.
As seen in the 2016 Annual Anti-
Corruption Survey, investigative
due diligence typically can
uncover information including
beneficial ownership, negative
news, financial stability and
performance, reputation,
regulatory issues, and information
on senior executives (including
political affiliation) to name a few
(for details, see Figure 3.)
3
72% 73%
83%
0%
20%
40%
60%
80%
100%
Currently Risk-Rank Countries
72%
56%
33%
10%
67%
61%
40%
8%
75%
49%
30%
9%
Transparency International CPI
Country risk data compiled internally
Subscription to country risk data
Other
Information Sources Used To Risk-Rank Countries
(among companies that risk-rank countries)
2016
2015
20142014 2015 2016
72% 73%
83%
0%
20%
40%
60%
80%
100%
Currently Risk-Rank Countries
72%
56%
33%
10%
67%
61%
40%
8%
75
49%
30%
9%
Transparency International CPI
Country risk data compiled internally
Subscription to country risk data
Other
Information Sources Used To Risk-Rank Countries
(among companies that risk-rank countries)
2016
2015
20142014 2015 2016
86%
79%
76%
70%
64%
62%
59%
42%
81%
73%
76%
71%
63%
65%
64%
43%
85%
79%
76%
79%
71%
59%
58%
44%
Company ownership
Financial stability/performance
Media search for negative news
Reputation
Senior executives
Government connections
Involvement in regulatory issues
Use of third parties
2016
2015
2014
The proportion of respondents from companies that risk-rank countries
increases to more than 80%. Transparency International’s Index continues to
be the most-used information source for risk-ranking countries, followed by
internally compiled risk data.
Research on company ownership, financial performance, negative news and
reputation continue to be the types of preliminary due diligence conducted most often.
C O U N T R Y R I S K R A N K I N G
R E S E A R C H T Y P I C A L LY C O N D U C T E D I N P R E L I M I N A R Y D U E D I L I G E N C E
Figure 2. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey
Figure 3. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey
5. Information is often obtained
from the third party via a
questionnaire process before
being independently verified or
developed during the subsequent
diligence process. There are
multiple ways to identify this
information through simple
screening against structured
risk data to conducting desktop
research in-house or outsourcing
that research. In certain high-risk
scenarios, it might be necessary
to conduct an in-depth active
investigation in-country.
R I S K M O N I T O R I N G
A N D U P D AT I N G
Risk ranking also drives the type
and frequency of monitoring and
updating of due diligence on third
parties. The graphic above provides
insight to the different approaches.
C O N C L U S I O N
Risk ranking, at the very least,
shows the regulators that time
and thought went into a third party
diligence program and, as stated
in the Resource Guide, meaningful
credit will be given for a good faith,
comprehensive effort.
B I O G R A P H Y
Michael Heller
Director, Risk and Compliance
Michael has held multiple consulting
roles focused on risk management
and enhanced due diligence over his
career. He worked as a consultant
with the Business Intelligence Group,
the Anti-Money Laundering Group
at Goldman Sachs & Co in New York
City, and served as CCO and Internal
Counsel at Abacus Wealth Partners.
Michael holds a Juris Doctor from
the University of San Diego School
of Law and is a member of the State
Bar of California.
4%
4% 6%
35%
36%
37%
15%
9%
10%
6%
4%
5%
9%
9%
7%
28%
38% 34%
Annually
Every two years
Every three years
Event-driven
Varies by target risk
Other
Never
2014 2015 2016
Nearly 35% of respondents report their companies conduct annual due diligence
updates; a similar proportion bases the frequency of updates on target risk levels.
F R E Q U E N C Y O F D U E D I L I G E N C E U P D A T I N G
Figure 4. Source: 2016 Dow Jones Risk and Compliance Global Anti-Corruption Survey
6. Dow Jones Risk and Compliance
Dow Jones Risk and Compliance is a global provider of risk management and regulatory
compliance information, delivering targeted content to organizations around the world.
Our market-leading data helps financial institutions and businesses have greater
control managing Anti-Money Laundering, Anti-Bribery and Corruption, Economic
Sanctions, Third Party Due Diligence and Commercial Risk operations. With a global
team of expert researchers covering more than 60 languages, our risk and compliance
data is information rich, accurate and timely, enabling our clients to make better quality
decisions faster and with greater confidence.
For more information, visit www.dowjones.com/risk
RISK AND
COMPLIANCE