The document discusses achieving 100% third party due diligence. It notes that traditionally many organizations take a risk-based approach, focusing vetting efforts on high-risk third parties and leaving most unchecked. However, regulators now expect transparency and sound decision making regarding all third party relationships. The document outlines steps to conduct baseline screening of 100% of third parties, categorize risk, escalate review of higher-risk parties, and monitor all parties ongoing. It promotes using regulatory technology to enable comprehensive yet manageable third party due diligence.

1. ANTI-CORRUPTION
COMPLIANCE
100%THIRD PARTY
DUE DILIGENCE
ACHIEVING

2. Many organisations have historically
applied a ‘risk-based approach’ to third party
due diligence and compliance management...
It is logical to spend more time and energy on
third parties with a perceived ‘higher’ risk...
In practice though the risk-based approach
has meant that a large proportion of time and
money has been spent on vetting just a very
small percentage of an organisation’s third
parties, leaving the vast majority unchecked,
and exposing the organisation to unknown
corruption risks.
THE CHALLENGE: THE COMPLEXITY OF THE MODERN SUPPLY CHAIN
“
”

3. THE CHALLENGE: THE COMPLEXITY OF THE MODERN
SUPPLY CHAIN
THE EXPECTATION: WHAT DO REGULATORS LIKE TO SEE?
REDEFINING BEST PRACTICES:
STEPS TO ACHIEVE 100% THIRD PARTY DUE DILIGENCE
1
3
3
4
8CHECKLIST: ACHIEVING 100% THIRD PARTY
DUE DILIGENCE WITH ETHIXBASE 2.0
ACHIEVING A CONSISTENT 100% THIRD PARTY DUE DILIGENCE PROGRAM —
IT DOESN’T HAVE TO BE DAUNTING OR EXPENSIVE
9
CONTENTS
INTRODUCTION

4. 2016 MAJOR CORRUPTION SCANDALS
HEADLINES
WORLD’S BIGGEST
BRIBE SCANDAL,
UNAOIL: THE
COMPANY THAT
BRIBED THE WORLD
FIFA COMPLIANCE CHIEF QUITS,
SAYING CORRUPTION FIGHT
THREATENED
PANAMA PAPERS:
LEAK EXPOSES
TAX HAVENS OF
WORLD LEADERS
AND CELEBS
An investigation into the documents by more
than 100 media groups, described as one of
the largest such probes in history, revealed
the hidden offshore dealings in the assets of
around 140 political figures – including 12
current or former heads of states.
PETROBRAS FACES
CLASS-ACTION
LAWSUIT IN BRIBERY
AND POLITICAL
KICKBACKS SCANDAL
A US judge has ordered Petrobras, the state-run
Brazilian oil company, to face class-action litigation by
investors seeking to recoup billions of dollars in losses
stemming from a bribery and political
kickback scandal.
WAL-MART MUST
FACE U.S. CLASS
ACTION OVER
ALLEGED MEXICAN
BRIBERY
LOTTE SIGNALS $4.5 BILLION
HOTEL IPO IS SHELVED
AMID CRISIS
OCH-ZIFF UNIT SAID TO PLAN TO
PLEAD GUILTY OVER BRIBES

5. The last twelve to eighteen months has seen a dramatic eruption of corruption scandals, catapulting corruption,
and equally anti-corruption efforts, to the forefront of the business and social consciousness. Increasingly corruption issues
have become mainstream, with coverage across major media outlets and a consistent, and increasingly visible, crackdown by
regulators and enforcement agencies on corporates. Consumers, the media, shareholders and governments are
calling for a level of transparency, and accountability never seen before. Market expectations are similarly changing with
corporations now being held to a higher standard. 2016 will also see the release of the very first international standard on
anti-bribery management systems ISO37001 – standardising global anti-corruption requirements and allowing
organisations to certify their programs.
As organisations look to grow and seize new business or cost saving opportunities through an increasingly international web
of suppliers, vendors, resellers, agents and intermediaries their exposure to corruption risk through these third party
relationships similarly increases. With the economic, social and (increasingly) personal cost of ‘getting it wrong’ now so high,
gone are the days of metaphorically placing third party files in a drawer for later attention, or conducting one time due
diligence on just a small percentage of third parties deemed ‘high risk’. If history, and recent media coverage, has taught us
anything it is that risk actively hides. Should an issue ever arise from any third party authorities will enquire about policies and
processes related to third party management and due diligence. If there is a lack of documented decision making the situation
could become uncomfortable. Naivety is a luxury that few are able to afford and ignorance, in terms of compliance and third
party management, has been outlawed.
Given increasing regulatory and enforcement pressure, as well as heightened global and regional trade activity, it is
understandable that many compliance, legal and procurement professionals feel overwhelmed by the prospect of managing
each and every third party relationship within their supply chain. Managing 100% of third party relationships however, need
not be daunting, nor expensive.
www.ethixbase.com/2-0 1
News headlines:
World’s biggest bribe scandal. Part 1 of their report, entitled ‘World’s Biggest Bribe Scandal, Unaoil: The Company That Bribed the World’ can be found at theage.com.au
FIFA Compliance Chief Quits, Saying Corruption Fight Threatened. The full original article can be found at bloomberg.com
Och-Ziff Unit Said to Plan to Plead Guilty Over Bribes. The full original article can be found at bloomberg.com
Petrobras faces class-action lawsuit in bribery and political kickbacks scandal. The full original article can be found at theguardian.com
Panama Papers: Leak exposes tax havens of world leaders and celebs. The full original article can be found at straitstimes.com
Wal-Mart must face U.S. class action over alleged Mexican bribery. The full original article can be found at reuters.com
Lotte Signals $4.5 Billion Hotel IPO Is Shelved Amid Crisis. The full original article can be at can be found at bloomberg.com
.
INTRODUCTION
This whitepaper aims to outline the current third party management landscape and redefine best practice steps to achieve
cost-effective 100% third party due diligence by leveraging advances within regulatory technology (RegTech) made possible
by the rapid evolution of data and due diligence.

6. “
”THE CHALLENGE: THE COMPLEXITY OF THE MODERN SUPPLY CHAIN
Third parties deemed ‘low-risk’ in an initial
assessment cannot simply be ignored -
at a minimum regulators will look for
transparency and sound decision making for
all third party relationships, supported by a
consistently applied baseline process that is
rooted in the context of relevant regulation.

7. THE CHALLENGE: THE COMPLEXITY OF THE
MODERN SUPPLY CHAIN
If we think of, as an example, an organisation that retails
its products in 130 countries, operating 153 distribution
centres and 39 manufacturing locations, its supply chain
will have an extensive and constantly changing list of
For this reason many organisations have previously
applied a ‘risk-based approach’ to third party due diligence
and compliance management. A risk-based approach
recognises that it is impossible to subject all relationships
Additionally in a large number of cases, the vast majority of
an organisation’s third parties deemed ‘low’ risk in an initial
assessment will have little, to no, due diligence conducted
Regulators around the world may have different priorities and focus areas in terms of anti-corruption compliance, but when
it comes to third party risk there are a number of commonalities. Regulators want to see compliance frameworks that are
‘In 2010, a Swedish logistics service was found to have
paid bribes on behalf of six of its clients, resulting in the
clients being fined over USD 150 million because they had
failed to conduct proper due diligence on the company.’
Is the ability to conduct due diligence on 100% of third parties, with inbuilt risk-based escalation workflows and ongoing
monitoring, all within a singular repository the ideal?
A point that is becoming increasingly important is that the risk profile of a third party can change over time, so a process that
monitors and re-categorises third parties if necessary is important.
should substantially reduce an organisation’s corruption
risk exposure. In practice though the risk-based approach
has meant that a large proportion of time and money has
been spent on vetting just a very small percentage of an
organisation’s third parties, leaving the vast majority
unchecked, and exposing the organisation to unknown
corruption risks.
on them. Third parties deemed ‘low-risk’ cannot simply be
ignored - at a minimum regulators will look for transparency
and sound decision making for all third party relationships,
supported by a consistently applied baseline process that
is rooted in the context of relevant regulation.
THE EXPECTATION: WHAT DO REGULATORS
LIKE TO SEE?
suppliers, vendors, distributors, resellers, agents and
intermediaries.
In an ideal world, full due diligence would be conducted on
every third party, but historically very few organisations, if
any, have had the capacity for such an extensive program
due to previously high due diligence costs, difficulties in
accessing public data, huge numbers of false positives
and long turn-around times, let alone the challenges of
monitoring all of these third parties on an ongoing basis.
carefully considered, based on sound decision making amid documented evidence, and rooted in relevant regulation. They
also prefer a consistent approach and a process of continual monitoring with structured and regular reviews.
to the same level of scrutiny, so decisions have to be
made about where to direct the bulk of organisational
resources. It is logical to spend more time and energy on
third parties with a perceived ‘higher’ risk. In theory, this
www.ethixbase.com/2-0 3

8. The goal of any third party risk management program is to
reduce risk by knowing who you are doing business with –
establishing the true identity of the third party,
understanding their activities and assessing the risk
that they pose depending on the criteria that has been
chosen. It is also important to understand, given their
circumstances, how likely they are to participate in corrupt
activity. This information can then be sorted into different
REDEFINING BEST
PRACTICES: STEPS TO
ACHIEVE 100% THIRD
PARTY DUE DILIGENCE
Below outlines a number of
practical and achievable
steps that can be taken in
order to attain 100% third
party due diligence:
1 UNDERSTANDING
THE SCOPE OF
YOUR THIRD PARTY
NETWORK
2 CONDUCTING
BASELINE
SCREENING FOR
100% OF THIRD PARTIES
3 REVIEW POTENTIAL
THIRD PARTY RISK
INDICATORS AND
CATEGORISE RISK
potential risk levels, with defined workflows and clear
lines of accountability to escalate third parties that require
further review.
4 ESCALATION AND
REVIEW
5 ONGOING
MONITORING
Regulators look favourably on a systematic process,
one that is consistent and reviewed on a regular basis.
Reporting and documentation is very important – if not
properly documented, the best due diligence will be a
waste of time and effort. It is strongly advisable to record
all activity related to the processing of third party risk in a
single, accessible repository.
These best practice steps redefine the approach to third
party due diligence by leveraging regulatory technology
(RegTech) and advanced data to provide previously
unparalleled visibility of third party risk across 100% of an
organisation’s third party network.
www.ethixbase.com/2-0 4

9. “
”
100% of third parties should undergo a
consistent baseline screening process which
includes, at a minimum, checks against
REDEFINING BEST PRACTICES: STEPS TO ACHIEVE 100% THIRD PARTY DUE DILIGENCE
sanctions and enforcements. Where
available ascertaining a third party
organisation’s registry details is also
important along with obtaining directorship
details and the background of associates
if possible. Results of this process should
be documented and ideally saved in a
singular repository for ongoing monitoring
and future reference.

10. REDEFINING BEST PRACTICES: STEPS TO ACHIEVE
100% THIRD PARTY DUE DILIGENCE
UNDERSTANDING THE SCOPE OF
YOUR THIRD PARTY NETWORK
At the beginning of any effective program is a
discussion about the scope of the project, its
limitations and definitions. Review objectives, define
what a third party is to your organisation, how many
you have and where information on these third party
relationships is currently saved.
CONDUCT BASELINE SCREENING
FOR 100% OF THIRD PARTIES
100% of third parties should undergo a consistent
baseline screening process which includes, at a minimum,
checks against key sanctions and enforcements. Where
REVIEW POTENTIAL THIRD PARTY RISK INDICATORS & CATEGORISE RISK
Following first level screening third parties should be assessed and categorised into low, moderate and high risk based
on the potential corruption risk they may pose to your business using various criteria such as:
COUNTRY RISK – a third party that is located in a country
that is known to have lax financial and risk controls or a
higher perception of corrupt activity may require further
scrutiny.
SIGNIFICANCE TO SUPPLY CHAIN – it goes without
saying that the bigger the impact a third party has on your
organisation the bigger the risk that third party poses
should anything go wrong. Making a judgement call,
either based on the size of the transaction, revenue stream
or the integral role a third party plays in your supply chain
is important.
RESULTS OF BASELINE SCREENING – should baseline
screening in Step 2 indicate potential matches against
sanctions and enforcements that cannot be immediately
ruled out as a false positive then additional due diligence
is required in order to adequately assess risk and decide
whether to continue the business relationship.
LEVEL OF TRANSPARENCY – the accessibility of the
ownership of an organisation will help to determine its
riskprofile.Anorganisationwheretheleadershipiseasily
identifiable, as are their assets and interests, is less
risky than one where the owners are difficult to trace.
INDUSTRY/SECTOR RISK – some sectors, especially
those that require substantial budgets and some
level of state involvement, can be more susceptible to
corruption than others.
PUBLIC PROFILE – in the internet age public information
on allegations of the third parties’ potential involvement
in key risk areas such as corruption, human rights issues,
financial crimes and other key risk areas should be
reviewed as part of the categorisation process.
if possible. Results of this process should be
documented and ideally saved in a singular repository
for future reference.
available ascertaining a third party organisation’s
registry details is also important along with obtaining
directorship details and the background of associates
1
3
2
www.ethixbase.com/2-0 6

11. REDEFINING BEST PRACTICES: STEPS TO ACHIEVE
100% THIRD PARTY DUE DILIGENCE
ESCALATION & REVIEW
Following a review of potential risk indicators and subsequent categorisation third parties which are deemed
higher risk are the priority, but a risk-based approach is not a licence to ignore third parties categorised as
moderate or low risk. Devise a strategy based on regulators’ expectations and organisational goals and schedule a
regular review of this process – regulatory updates are increasingly frequent and third party information is subject to
change.
ONGOING MONITORING
It is well known that a third party’s risk profile can change over time. For this reason it is increasingly important to
monitor third parties on an ongoing basis with alerts to any changes in their risk profile. Should a third party’s profile
change then they may need to be re-categorised and therefore require escalation to a higher level of due diligence
than previously performed.
LOW RISK
legitimacy of the company
and directorship details.
MODERATE RISK
(PEP) checks of associated
individuals and a detailed
adverse media search of
specific risk areas such as
corruption, financial crime,
criminality, human rights,
environmental crimes etc.
HIGH RISK
Initial baseline due diligence
applied to 100% of third
parties against sanctions
and enforcements along
with verification of the
Where third parties are
flagged as moderate risk
they can be escalated to
online due diligenceincluding
not only sanctions and
enforcements but also
politically exposed persons
Enhanced due diligence that
includes a review of civil
litigation, regulatory, criminal
and bankruptcy records (in
English and local language)
along with verifying financial
ownership records and the
TAKE A LOOK AT ETHIXBASE 2.0 to conduct due diligence on 100% of third parties, with inbuilt risk-based escalation
workflows and ongoing monitoring, all within a singular repository.
4
background of key associates
such as directors and
senior management. It is
also important to review local
language media searches and
conduct on-site inspections
and interviews if necessary.
An example of the ethiXbase 2.0 risk-based escalation workflow can be found below:
5
www.ethixbase.com/2-0 7

12. www.ethixbase.com 8
CHECKLIST: ACHIEVING 100% THIRD PARTY
DUE DILIGENCE WITH ETHIXBASE 2.0
Is baseline due diligence performed on 100% of third party relationships?
Are defined criteria used to assess and categorise third party risk?
Is there a standard escalation workflow for moderate and high risk third parties?
Is the program consistently applied?
Are 100% of third parties stored in a singular repository with proper recording and
documentation procedures in place?
Are 100% of third parties saved for ongoing monitoring?
Are procedures reviewed regularly and updated if required?
Are third party due diligence reports and an overview of 100% of third party
relationships readily available to provide to management, internal audit and
regulators?
www.ethixbase.com/2-0 8

13. ACHIEVING A CONSISTENT 100% THIRD PARTY DUE
DILIGENCE PROGRAM – IT DOESN’T HAVE TO BE
DAUNTING OR EXPENSIVE
Managing 100% of third party relationships does not have
to be daunting or expensive. Take a look at ethiXbase 2.0,
100% third party due diligence – 100% of the time.
‘As reported by the Organisation for Economic
Co-operation and Development, of the 427
corruption cases resolved globally since 1999, 75
percent involved improper payments made through
third-party intermediaries. The continuation of this
trend also underscores the importance of
risk-based due diligence for third-party business
partners, including background investigations,
contractual protections, training and ongoing
monitoring.’
FCPA Trends From The Last 6 Months, Law 360
2016 brings the first free to use third party
due diligence platform combining technology and
data to address RegTech challenges, providing free
to access sanctions and enforcements screening
Regulators have increased their focus on the management Third party compliance is of course about more than just
due diligence and monitoring – there are multiple other
components that can and should be considered as
part of a comprehensive program such as training,
communications, onboarding surveys, attestations to
policies and codes, the list goes on.
of third party risk, with fines now in the hundreds of
millions of dollars. Reputational damage can be more
costly in the long term than a fine, and the incredible reach
of social media means that public opinion matters today
more than any other time in history. Where once a scandal
may have only been a distraction for a local audience, now
it has the ability to be a running narrative around the world
in minutes.
Regulators recognise that today’s compliance objectives
are not easy to achieve, and that the task is increasingly
challenging. What they want to see is that there has been
an effort made to interpret the regulator’s guidelines in
an appropriate manner – that the approach is consistent,
systematic, carefully considered and supported by
documented evidence.
Historically the cost and complexity of due diligence had
prohibited many organisations from adopting 100% third
party due diligence. Times have changed however and as
outlined in this whitepaper, a consistent approach does
not have to be daunting, or expensive.
Taking an initial step towards managing due diligence
for 100% of third party relationships is however a very
important step forward for many organisations who
previously may have conducted only one-time due
diligence on third parties deemed high risk, or, in the case
of many, no third party due diligence at all. This is also a
strong and visible way that organisations can be seen to
be taking a strong stance against corruption to every third
party within their supply chain, their regulators and the
market, not to mention an important step towards 100%
third party compliance.
parties. Acting as a singular third party repository
ethiXbase 2.0 enables organisations to adopt
100% third party due diligence and ongoing
monitoring - drastically reducing traditional due
diligence costs and providing assurance that 100%
of third parties are being monitored and managed.
for baseline due diligence along with cost-effective
escalation options for moderate and high risk third
www.ethixbase.com/2-0 9

14. ACHIEVING A CONSISTENT 100% THIRD PARTY DUE DILIGENCE PROGRAM –
IT DOESN’T HAVE TO BE DAUNTING OR EXPENSIVE
Taking an initial step towards managing due
diligence for 100% of third party relationships
is however a very important step forward for
many organisations who previously may have
conducted only one-time due diligence on
third parties deemed high risk, or, in the case
of many, no third party due diligence at all.
This is also a strong and visible way that
organisations can be seen to be taking a
strong stance against corruption to every
third party within their supply chain, their
regulators and the market, not to mention
an important step towards 100% third party
compliance.
“
”

15. TAKE A LOOK
MAKE THE CHANGE
ETHIXBASE 2.0
ZERO COST INSTANT DUE DILIGENCE.
100% THIRD PARTY COMPLIANCE.
LEARN MORE AT WWW.ETHIXBASE.COM/2-0

16. ABOUT ETHIXBASE
ethiXbase assists organisations, no matter
their size or budget, to shield themselves from
allegations of bribery or corruption in their
third party network through cost-effective due
diligence, ongoing monitoring and ethics and
compliance education.
To learn more please visit
www.ethiXbase.com/2-0