
Risk assessment: What data do you really need for your due diligence?


Debate about the fifth Money Laundering Directive began before the fourth had even been implemented. You have to comply with EU directives, sanctions lists and other rules of the game. At the same time, some sets of rules are growing, others are being withdrawn and new ones are being added. The sheer number of regulations and the changes on the market are overwhelming, turning your company’s compliance into a minefield. Not to mention due diligence! Find out in this article the first step you need to take to steer your business into safe waters.

New directives, sanctions and embargoes appear every month, if not every week. What happens while compliance officers are trying to mitigate risk without slowing business growth? A data tsunami is brewing that threatens to bury painstakingly constructed processes, that's what. Business partners, suppliers, customers and many other third parties can expose your company to risks both minor and major. For example: 90% of the bribery cases enforced under the FCPA over the last 40 years have involved third parties.

Yet 83% of companies do not perform ongoing due diligence on all third parties. This is where disaster prevention begins – as drastic as that may sound. So take the helm and row back a few steps. At the outset of any crisis management, the first thing you need to do is get an overview. That’s when you should start looking at a risk assessment / risk evaluation.

Dare to take a look inside and outside

There is plenty of data available on business partners. Thank you, data suppliers! The real question is, which of those data are the most pertinent? Address, hierarchy, ownership structure, beneficial owner, financial and payment data, alerts on trigger events – the list is endless. This is where a risk assessment can help. This step deals with the internal and external world of a company. It is founded on the risk-based approach you take. Depending on how severe you assess the risk for your company to be, a more or less intensive investigation may be required.

Internal company risk management

It’s worth taking a first look inside. A few questions about the company’s situation provide an insight into how high the potential risk from outside actually is. Classify the risks to your own company. This enables you to better assess the risk level posed by a third party (how “dangerous” this “third party” could become for you). This is easily illustrated by way of examples: If you work in the precious metals industry, you are exposed to a higher risk of money laundering as precious metals are common vehicles for this criminal activity. In the construction industry, late payments represent classic external risks.

Possible questions you should ask yourself about your situation include:

  • What sector does my company operate in?
  • What risks am I typically exposed to in my industry?
  • Do I operate internationally or locally?
  • If I only operate locally – what reputational risks might I be exposed to?

It may also be worthwhile to take a look at your company's organisation. For example, do you mainly have an external sales force that is predominantly on the road visiting customers? Then the risk of bribery is much greater for you than if you conduct your business through telesales.

External company risk management

In the next step, it’s time to deal with the third parties. Examine the environment in which your company finds itself. Identify your suppliers, vendors, customers, agents, subsidiaries and other partners.

Identify specific risk areas

You know what area you’re operating in and have also identified your environment – excellent! Do you feel like you’re on the verge of a data tsunami? Take a structured approach and work with these specific risk areas:

Legal requirements

First, get an overview of the rules and regulations that apply to your company: Am I subject to local or international regulations?

Then consider your third party: Does the third party have a history of criminal activity such as money laundering, terrorist financing, corruption or bribery?

For this area of risk, you need data to identify your third party, payment data and historical data of your third party as well as access to sanctions lists.

Country-specific risks

Which country do I operate in? And which country does my third party operate in? Are either of these high-risk countries?

Country-specific risks can also be identified using data that clearly identify the third party. A world heat map or specific country insights provide a quick overview.

Sector-specific risks

Do you or your third party operate in an industry that is vulnerable to late payments, corruption or reputational damage? How intertwined is the respective industry with politics?

You'll have noticed that clear identification is also a topic here. Stay up to date on your industry and the industries of your key third parties. Set alerts with popular news services to keep you informed of the latest developments. Are you in a highly exposed industry? Use a tool that allows you to clearly identify your third party, including SIC code and business purpose.

Reputational risks

Can reputational damage inflicted by third parties lead to a loss of stakeholders or customers – and their trust?

If a damaged reputation poses a significant risk to your business, adverse media screening (checking for negative headlines) is a good way of checking up on your third parties. Their corporate structure and shareholdings as well as their beneficial owners (also "ultimate beneficial owners" or "UBOs") can also be important indicators here.

Financial risks

What about the liquidity of your third parties? What about their profitability?

Separate the wheat from the chaff and contain the risk to your business. When it comes to payments, investments or longer-term partnerships, payment data on your third parties are crucial.

Now assess the risk environment your business partners operate in. We recommend differentiating between high risk, moderate risk, low risk and very low risk.

From identification to integrity – match your effort to the risk

Classify your business partners by their respective risk environment. Identify how risky this environment is. What seems like an obvious intermediate step is essential to third-party due diligence in practice. You can adjust your screening and monitoring efforts depending on the risk rating (while wielding the “time is money” club!).

Very low risk: These third parties

... supply services, products or goods with low risk,

... have a low level of disruption or negative events in their company history,

... do not have access to generally sensitive data or specific sensitive data from my company,

... and have no relationship with the end customer.

Low risk: These third parties

... supply services, products or goods with moderate risk,

... have a moderate level of disruption or negative events in their company history,

... have access to generally sensitive data or specific sensitive data from my company,

... and have no relationship with the end customer.

Moderate risk: These third parties

... supply services, products or goods with moderate to high risk,

... have a high level of disruption or negative events in their company history,

... have access to generally sensitive data or specific sensitive data from my company,

... and have a relationship with the end customer.

High risk: These third parties

... supply services, products or goods with high risk,

... have a critical level of disruption or negative events in their company history,

... have access to generally highly sensitive data or specific highly sensitive data from my company,

... and have a relationship with the end customer.

Note: Even if you assess third parties as low risk, you should still monitor the entity and document your screenings. What you can scale back is the depth of the review, which is where time and resources are saved.
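The four tiers above can be turned into a reproducible decision rule. The following is an added example, not a tool from the article or its author: each of the four criteria (supply risk, company history, data access, end-customer relationship) is mapped to an ordinal severity level, and the tier is the worst level any criterion reaches. This reproduces the article's four profiles exactly and, going beyond the text, also gives a deterministic answer for mixed profiles the article does not spell out (for instance a low-risk supplier that nevertheless holds highly sensitive data). The screening depth attached to each tier and the sample third parties are assumptions made for illustration.

```python
"""Third-party risk tiering as a worst-criterion-wins decision rule.

Added example, not the article's own tooling. The ordinal scales follow the
article's wording; the screening plan per tier and the sample entities are
assumed for illustration only.
"""
from dataclasses import dataclass

TIERS = ("very low", "low", "moderate", "high")

# Ordinal scales per criterion, in order of severity (article's wording).
SUPPLY_RISK = {"low": 0, "moderate": 1, "moderate to high": 2, "high": 3}
HISTORY = {"low": 0, "moderate": 1, "high": 2, "critical": 3}
DATA_ACCESS = {"none": 0, "sensitive": 1, "highly sensitive": 3}
# The text only distinguishes "no relationship" (very low / low tiers) from
# "relationship" (moderate / high tiers), so "yes" maps to the moderate level.
END_CUSTOMER = {"no": 0, "yes": 2}


@dataclass(frozen=True)
class ThirdParty:
    name: str
    supply_risk: str
    history: str
    data_access: str
    end_customer: str


def _level(scale: dict, value: str, criterion: str) -> int:
    """Look up one criterion; reject values outside the defined scale."""
    key = value.strip().lower()
    if key not in scale:
        raise ValueError(
            f"unknown {criterion} value {value!r}; expected one of {sorted(scale)}"
        )
    return scale[key]


def risk_tier(tp: ThirdParty) -> str:
    """Worst criterion wins: the tier is the highest level any criterion reaches."""
    levels = (
        _level(SUPPLY_RISK, tp.supply_risk, "supply_risk"),
        _level(HISTORY, tp.history, "history"),
        _level(DATA_ACCESS, tp.data_access, "data_access"),
        _level(END_CUSTOMER, tp.end_customer, "end_customer"),
    )
    return TIERS[max(levels)]


# Assumed screening plan per tier. Sanctions screening and documentation are
# kept at every tier (the article's note); only depth and cadence scale.
SCREENING_PLAN = {
    "very low": {"identity": ["master data"],
                 "integrity": ["sanctions"], "review_months": 24},
    "low":      {"identity": ["master data", "ownership structure"],
                 "integrity": ["sanctions", "watchlist"], "review_months": 12},
    "moderate": {"identity": ["master data", "ownership structure", "UBO"],
                 "integrity": ["sanctions", "watchlist", "adverse media"],
                 "review_months": 6},
    "high":     {"identity": ["master data", "ownership structure", "UBO", "financials"],
                 "integrity": ["sanctions", "watchlist", "adverse media", "country and sector review"],
                 "review_months": 3},
}


def screening_plan(tp: ThirdParty) -> dict:
    """Return the tier plus the screening depth and cadence that go with it."""
    tier = risk_tier(tp)
    plan = dict(SCREENING_PLAN[tier])
    plan["tier"] = tier
    plan["document_screenings"] = True  # documented at every tier, no exceptions
    return plan


if __name__ == "__main__":
    # Constructed sample third parties, not real entities.
    sample = [
        ThirdParty("Office supplies vendor", "low", "low", "none", "no"),
        ThirdParty("Payroll processor", "moderate", "low", "sensitive", "no"),
        ThirdParty("Cloud backup provider", "low", "low", "highly sensitive", "no"),
        ThirdParty("Sales agent abroad", "high", "moderate", "sensitive", "yes"),
    ]
    for tp in sample:
        plan = screening_plan(tp)
        print(f"{tp.name:24} -> {plan['tier']:9} review every {plan['review_months']} months")
```

Because "sensitive data" alone already pushes an otherwise harmless supplier into the high tier under this rule, the function is deliberately conservative; if your own risk-based approach weights the criteria differently, adjust the scales rather than the max rule, so that the four profiles in the text remain reproducible.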

You’re almost there – you have your checklists

It's time for you to pat yourself on the back: You've worked through all the red flags that the data tsunami has thrown at you. Well done! Now you can break down your third-party due diligence into three checklists. This helps you to reduce the risks your company is exposed to, and the risks you avert protect the value of the business. You can boil your third-party due diligence down into three elementary questions:

Who are you?

Identity check using your master data and data on beneficial ownership and ownership structure.

What is your level of integrity?

Integrity check using sanctions list screening, watchlist and blacklist screening, and adverse media screening.

How risky is it to enter into a relationship with you?

Risk check, based on the risk-based approach you have defined. Assess the risk and establish a decision tree.