Third-party due diligence: Are supplier questionnaire(s) the answer?

Patrick Wellens

Patrick Wellens

Patrick Wellens (patrickwellens@hotmail.com) is currently working as a Compliance Manager for a division of a multinational pharma company based in Zurich, Switzerland. He is the Vice-Chair of Ethics and Compliance Switzerland, co-chair of the working groups “life science” and “anti-corruption,” and Head of Governance of the Association of Corporate Investigators.
8 minute read

By Patrick Wellens, CCEP-I, CIA, CFE, CRMA, MBA

Numerous laws (U.K. Bribery Act guidance document,[1] German Supply Chain Act,[2] Foreign Corrupt Practices Act resource guide,[3] OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas,[4] French vigilance law,[5] U.K.’s Modern Slavery Act,[6] EU’s Corporate Sustainability Directive[7] ) require companies to conduct due diligence in their supply chains to prevent forced labor, child labor, violations of human rights, or prevent corruption in third parties. Also, when outsourcing certain data-processing activities to third parties, the company must make sure that these parties abide by General Data Protection Regulation standards and, hence, must conduct some due diligence to ensure this is the case.

Companies can do an initial risk assessment of these third parties and, based on each risk domain (corruption, human rights, sustainability, IT security, data privacy), define methodologies to create “low,” “medium,” or “high-risk” third parties. The higher the inherent risk, the more due diligence is needed.

None of the previously mentioned laws explicitly define what documents need to be reviewed as part of due diligence. The following evaluates the various scenarios companies could apply to conduct (enhanced) due diligence.

Due diligence scenarios

The aim of conducting due diligence is to prevent reputational risks and fines by working with third parties that abide by the company’s supplier code of conduct, laws, and regulations. What options do companies have to conduct due diligence? In the case of third parties with medium or high risk, the company could select from the following options.

Option 1

A company sends out a questionnaire to a third party and asks the third party to provide some information.

Depending on the risk domain (corruption, sustainability, data privacy) being evaluated, the questions sent to the third party/supplier will be different. The questionnaire can request the third party to provide information about the length of the business relationship with your company, whether the they have had any other company name in the last 10 years, who the ultimate beneficial owner or main shareholders are, whether the management of the company contains any politically exposed persons, whether the company has been involved the last five years in any criminal investigations, etc. In addition, the third party might also be asked to provide certain evidence to support the answers given in the questionnaire. The third party might have to upload evidence that they have an anti-corruption policy, a policy on sustainability, a data privacy policy, or an International Organization for Standardization (ISO) certification.

Where the answers provided by the third party are not corroborated with any other data, there is little assurance that the answers are correct. In such scenarios, the company almost entirely relies on the honesty of the answers provided by the third party. If, on the other hand, the external third party supports answers by providing evidence, then the assurance of honesty is higher.

Option 2

A company does not use questionnaires but relies on the third party’s certification.

A company does not conduct due diligence on the supplier because the supplier has an ISO 37301 (compliance management system) or 37001 (anti-bribery and corruption) certification or has gone through an EcoVadis sustainability assessment.

Option 3

A company does not use questionnaires but uses external data sources.

On the market, there are numerous research and data providers that companies can use to screen a company and/or its directors against sanction lists, law enforcement or terrorist lists, or adverse media (e.g., whether a company was ever involved in or was convicted for money laundering, tax evasion, antitrust violations, child labor violations).

Whereas some data providers specialize in particular risk domains, they might not be strong in others. A company that is highly specialized in IT security data points (for instance, BitSight) might not have a large database on human rights, environmental, corruption, or regulatory news.

Given that most of the data providers have research analysts in almost all countries and regularly screen the press and add articles to their databases, the external data sources are of course more independent and possibly more reliable than the answers given by companies in the questionnaires. However, if a company does not come up in the news for corruption, money laundering, and/or tax evasion, it does not mean the third party has a robust compliance program that prevents such corruption cases from happening.

A disadvantage of using external data to conduct due diligence is that each screening of a third party against the database costs money. Screening each third party for a multinational company with 100,000 suppliers and 10,000 commercial third parties (e.g., distributors, wholesalers, resellers, sales agents) is not realistic or recommended.

Option 4

A company uses questionnaires and external databases.

Using a combination of external databases and questionnaires covers more ground. External databases allow the company to evaluate the third party’s reputation by screening the company name, main shareholders, ultimate beneficial owners, or main directors against sanctions and adverse media lists. At the same time, the questionnaire evaluates the effectiveness and validity of a company’s claims about its policies and training to mitigate risk.

Option 5

In addition to Option 3 or Option 4, the local compliance officers are involved in conducting due diligence.

A compliance officer in countries where a new, high-risk third party will be selected could reach out to fellow local compliance officers and inquire about the reputation of the third party and/or conduct additional due diligence activities (e.g., verification of documents at local courts).

Option 6

Enhanced due diligence by an external service provider in combination with Options 1–4.

Prior to selecting a new high-risk third party—usually in countries or emerging markets where the company does not have a presence—companies might use the services of external parties to conduct so-called “enhanced due diligence.” The external companies offering such services would then verify whether the third party indeed exists at the given address and inquire in the local market about the third party’s reputation by talking to customers or suppliers. Option 6 might be very useful for high-risk transactions.

Even though external providers might conduct due diligence activities more efficiently than if they were conducted in house, it is important to highlight that the legal obligation to conduct proper due diligence cannot be delegated to external providers but remains with the company that engages the third parties.

What are best practice scenarios?

The following are best practices for conducting third party due diligence.

Risk profiling

The risk profile is different depending on the type of services the third party is providing, whether the third-party is acting on behalf of the company, and to which countries the services are being provided.

For each of the risk domains that are in the scope of third-party due diligence (e.g., sanctions, anti-bribery and corruption, human rights, sustainability, data privacy, IT security), the factors that determine whether a given third party has a low, medium, or high risk is different.

Proportionate due diligence activities

The higher the inherent risk profile of a given third party—or the more red flags that pop up during the due diligence process—the more due diligence activities must take place to ensure that none of the initial red flags pose a risk.

Continuous monitoring

Third parties must be managed over their life cycles. This means that due diligence must not only happen for the onboarding of new third parties but also on a regular basis.

Optimize supplier questionnaires

Different risk domains (e.g., corruption, data privacy, IT security) require different questions when using supplier questionnaires.

Companies should limit the number of questions by risk domain and avoid situations where a third party must complete 50-plus questions across numerous risk domains.

Ideally, a third party receives only one questionnaire from your company that includes the relevant questions for the risk domains in scope.

Due diligence is embedded in business processes

A contract with a supplier would typically exist for larger services or goods procured. However, for procured values below a certain threshold, purchase orders are often used in the place of contracts.

Due diligence must be conducted prior to engaging with a given third party. The question is then whether the due diligence is conducted before:

  • Creating vendor master data

  • Creating a purchase order

  • Contract signing with the vendor

  • Contract extension with the vendor, etc.

Ideally, the due diligence of third parties is built in as a logical process step in the source-to-pay or order-to-cash processes. If there is no structured process that defines when due diligence must take place, then companies risk that due diligence will be overlooked or only partially conducted (e.g., due diligence is conducted when a new contract is signed but not when the contract is extended).

Use of automation

Large multinational companies that work with thousands of third parties across numerous risk domains can only do so by employing an advanced automation level.

Sending the questionnaires to suppliers, sending reminders to suppliers, and screening certain supplier names against databases can preferably be done automatically.

Conclusion

Companies have numerous options to conduct due diligence (questionnaires, external database, enhanced due diligence) of third parties, but they’re not all equally effective or efficient. Ideally, a risk-based methodology is applied to separate low-risk from medium/high-risk third parties. Given that large multinational companies have thousands of third parties, a certain level of process automation is desired. A more in-depth enhanced due diligence might be worthwhile for high-value or high-risk transactions.

Takeaways

  • Numerous laws require companies to conduct due diligence on some of the third parties they work with. The laws do not describe in detail what elements/information must be verified to conduct due diligence.

  • The due diligence activities must be proportionate to the risk profile; the higher the risk, the more due diligence activities must happen.

  • Rather than relying on answers from third parties in questionnaires, a company might also want to screen the company, main shareholders, and ultimate beneficial owners against certain databases to exclude reputational risks.

  • In high-value or high-reputational transactions, the company might conduct an enhanced due diligence whereby a local, in-depth background check on the third party is done.

  • Due diligence of new or existing third parties is ideally embedded as a process step in a source-to-pay or order-to-cash process. Stand-alone due diligence applications are less effective since users tend to forget that due diligence is to be conducted.

 
2 Federal Ministry of Labour and Social Affairs (Germany), “Supply Chain Act: Act on Corporate Due Diligence Obligations in Supply Chains,” accessed December 4, 2023, https://www.bmas.de/EN/Europe-and-the-World/International/Supply-Chain-Act/supply-chain-act.html.
3 U.S. Department of Justice, Criminal Division, and the U.S. Securities and Exchange Commission, Enforcement Division, A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition, July 2020, https://www.justice.gov/media/1106611/dl?inline.
4 Organisation for Economic Co-operation and Development, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Third Edition, 2016, https://www.oecd.org/daf/inv/mne/OECD-Due-Diligence-Guidance-Minerals-Edition3.pdf.
5 LOI n° 2017-399 du 27 mars 2017 relative au devoir de vigilance des sociétés mères et des entreprises donneuses d'ordre [Law 2017-399 of March 27, 2017 relating to the duty of vigilance of parent companies and ordering companies], Journal Officiel de la République Française [J.O.] [Official Gazette of France], March 27, 2017, https://www.legifrance.gouv.fr/dossierlegislatif/JORFDOLE000030421923.
7 European Commission, “Corporate sustainability due diligence,” accessed December 4, 2023, https://commission.europa.eu/business-economy-euro/doing-business-eu/corporate-sustainability-due-diligence_en.

What to read next...

Takeaways for companies from DOJ’s recent FCPA enforcement actions and guidance


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings