In the early 2000s, when a company was asked if there was a compliance program in force, the answer would be the existence of a Code of Ethics or Conduct. If that was the case and there was a compliance program, the company could boast this as a hallmark.
However, compliance programs have evolved, encouraged by continuous improvement, i.e., the need to search the market for innovations which add value to compliance programs. With that in mind, policies, procedures, training, internal monitoring and so on were developed. As companies solidified their programs, it was noted that third parties could be a weak point and that, more often than not, said third parties could act on behalf of the company without having the same concern for consolidating a compliance culture. Thus, risk assessment of third parties with which companies interact began to gain strength.
Although assessing the risks of vendors of goods and services is the rule for the vast majority of market segments, the financial sector, for its part, needs to assess the risks of its customers and investors (know your customer – KYC), as they can also be held responsible for money laundering in case of neglect to check the source of secured resources.
And how should this risk assessment be carried out? In practice, each company ends up establishing its own rules, typically through policies and/or procedures, defining how the assessment should be carried out and its risk matrix, generally classifying third parties according to pre-established criteria.
And the initial process for preparing said assessment became due diligence. So, what is it?
According to Investopedia, a website whose definition I consider among the most appropriate, due diligence is an investigation, audit, or review carried out to confirm facts or details of a matter under consideration. Therefore, it is through due diligence that an investigation is carried out regarding a vendor, customer, or business partner, the extent of which is usually measured according to the classification assigned to said vendor, customer, or business partner.
To the joy of professionals who work in this area and need to check vendors, customers, or business partners in advance – the latter especially in the initial phase of a merger or acquisition – the market understood the growing and pent-up demand for this activity. Thus, a plethora of very efficient tools was made available to the market for the use of those tasked with risk assessment when contracting vendors or interacting with customers or business partners.
Indeed, due diligence tools access several databases that, according to user demand, can vary significantly, checking acts of bribery or corruption, fraud, and even personal problems of partners and their respective corporate relationships. Other tools go further, examining financial aspects, potential loss of intellectual property, insurance coverage or lack thereof, cyber risks, reputational risks, etc.
Below are the main tools currently available on the market: