How do you decide what is an appropriate level of due diligence to conduct on your third parties – of which there may be thousands – without having first conducted the due diligence to know how risky each counterparty is?
The answer to this chicken-and-egg conundrum adopted by most companies with dedicated compliance functions is to conduct an initial risk assessment triage exercise to rank or score counterparties and so determine an appropriate level of due diligence.
Any such triage-based approach will always be a blunt instrument, but rather than hand-wringing over the inadequacies of such an approach, treat it as a tool to allocate scarce resources more precisely, and remember that it need not – and cannot – be right all of the time.
In this short article on taking a risk-based approach to due diligence, Jonathan Siklos, Diligencia’s UAE-based Regional Director, offers the following three pieces of advice on establishing or honing a reasonable and proportionate programme which is fit for purpose.
Keep it simple, stupid!
This much-cited (and somewhat churlish) mantra coined by the US Navy in the 1960s equally applies when designing a risk-based scoring methodology for determining levels of due diligence on third parties. Bear in mind that every additional layer of assessment is another factor making the process more complex, and – crucially – that more complexity rarely leads to a better risk assessment.
When setting up a framework to rank third parties for due diligence, start simple, think through your principles carefully, and then (and only then) add layers of sophistication, if needed. Most companies use the following three pillars as part of their frameworks:
2. The industry in which the third party operates. Some industries are undoubtedly more vulnerable to corruption than others, given factors such as government exposure, typical contract size and use of intermediaries. Sectors such as defence, aerospace and finance are simply more highly scrutinised than others like hospitality, tech and FMCG. That said, certain industries also carry a stigma of being more corrupt than others, either due to historic media focus or the memory of painful mistakes within the organisation. Many people have strong views on latent corruption levels within certain sectors, but there are sector-specific tools which can help to weigh the corruption risks in a particular industry, and allow a compliance officer to make an objective assessment.
3. The incorporation type of the third party. It seems intuitive that companies which have been through the process of a public listing would present less of a compliance risk. So, presumably, at the other end of the spectrum would be the private limited liability company. But the devil is in the detail. In Germany, for example, the Gesellschaft mit beschränkter Haftung (handily shortened to GmbH; literally, a limited liability company) is the backbone of the economy and should provoke no knee-jerk risk response; on the other hand, a compliance officer based in the UAE may raise eyebrows at a limited liability company incorporated offshore in one of the country’s free zones.
In addition to these three variables, there are other factors which may be considered, but which sit less comfortably in a risk ranking process. What is the nature of the work to be conducted, for example? Onboarding a consultancy to develop branding carries different risks to onboarding that same consultancy to manage corporate redundancies. And what is the value of the transaction with the third party? All things being equal, higher value transactions are more prone to corruption; but of course jurisdiction, sector and other factors play into this. In other words, all things are never equal!
Consistency is king
When establishing a risk-based sorting method for due diligence, the canny compliance officer will strive not for perfection, but for rigour, for consistency, and for a recognised industry standard.
Ultimately, a company may need to demonstrate to a regulator that meaningful efforts were made to do The Right Thing, and that these efforts were applied across the board. This means establishing and sticking to a methodology for both initial risk scoring and the due diligence itself, with the inherent flexibility that something initially flagged as low risk may end up as high risk, and vice versa.
Adopting a rigorous and consistent risk scoring framework may be more challenging in larger organisations whose risk functions have grown organically, and where different divisions have different approaches to due diligence. Here, there is no substitute for meeting with stakeholders to discuss what they see as the key sources of third-party risk and their tolerance of it – while making sure that any differences between independent systems, their scoring tools and their due diligence processes are defensible at the corporate level.
To your own self (or organisation) be true
Lastly, it is a truism of compliance that, for better or worse, risk tolerance is unique to an organisation: put simply, different companies care about different things. A company that has been fined in the past for, say, involvement in the current US opioid crisis, or not detecting suspicious transactions involving a sanctioned country, or the mis-selling of dual-use products, may understandably be prickly about third parties from certain industries – and with good reason, with the public spotlight on that company and that industry anticipating the next slip-up. The crucial element of risk-rating third parties is not only to understand whether a company is broadly risk tolerant or risk averse, but what specifically makes it uncomfortable – and then to ask, in the abstract, is that reasonable?
On reasonableness: the possibility of human intervention should be permitted during the risk scoring process. It’s crucial that allowance is made for files to be eyeballed, especially during the nascent days of a programme, and for cases to be escalated to a higher risk bracket, if deemed appropriate. No programme, whether brand new or firmly established, should run on autopilot.
One final reason to be vigilant against being too mechanistic in such processes is that risk is organic. It shifts and evolves. So do country ratings. So do people’s perceptions. As the ancient saying goes, you never put your foot in the same river twice; in the same way, all of these components and their role in a framework should be reviewed periodically.
Conducting an initial risk scoring triage exercise in order to categorise a company’s third parties into different buckets for the purpose of KYC due diligence is the method adopted by most companies over a certain size with a dedicated risk function.
The system isn’t ideal. As Winston Churchill might have said, it’s the worst system, apart from all the other systems that have been tried before. But in the context of limited resources, as long as the programme is simple and understandable, is rigorous in its consistency without losing the human touch, is appropriate for the organisation and the industry, and is carried out in good faith, it should not only protect the organisation from regulatory scrutiny, but also add value to the business in terms of selecting the best partners for it to work with.