
Joseph Spinelli: How should a risk assessment process address third party risk?

Consistent with the DOJ’s Opinion Release 08-02, companies must risk-rank their third parties into high, medium and low risk categories and conduct the appropriate due diligence.

As 85-90% of all cases involve illegal activity conducted by a third party on behalf of an organization, this issue appears to be the biggest risk to multinational organizations. While 92% of respondents to Kroll’s ABC Report said they perform due diligence to hire or retain a third party, 48% never train third parties on antibribery and corruption issues.

An even more confounding statistic — especially when one considers that on average Kroll’s survey respondents had more than 2,900 third-party relationships — is that only 26% automate the vetting of third parties.

To adequately address these risks, an organization should develop, document and implement a risk-based, comprehensive third party risk scoring and due diligence protocol that identifies, isolates, investigates and remediates potential bribery and corruption risks.

Based on the findings of the risk assessment, global companies will conduct due diligence on sales intermediaries, agents, consultants, distributors and joint venture partners prior to the retention of these individuals and continue to monitor them every year.

Where pertinent, companies should include appropriate compliance-related terms and conditions in each contract with third parties.

Here are some questions a risk assessment addressing third party risk should speak to:

1. Does your company have a database of all your third parties and their information?

2. Have you risk-ranked your third parties according to high, medium and low risk?

—  Consider enhanced due diligence for high-risk third parties.

3. Are all terms and conditions concisely articulated in your contractual arrangement with your third parties?

4. Has your company designated someone to maintain the third party relationship? Who updates third party data, conducts audits and oversees the company’s contractual relationship with the third party?

These audits should consider whether a third party refuses to provide pertinent information. If there is difficulty verifying third party data, are the third party’s company and services verifiable? And is there evidence of business experience in the industry for which the third party is hired?

This chart from Kroll’s ABC Report shows why third parties failed to meet respondents’ antibribery compliance standards:

Finally, consider whether training has been provided to your third parties on your anti-bribery and corruption compliance program, and whether attendance at this training has been certified by each third party.

The results of an organization’s risk assessment can assist the organization in determining the adequate level of compliance resources that may be necessary. Risk assessment results may assist an organization in determining the nature and timing of potential new product launches and/or geographic expansion.


Joseph Spinelli is a Senior Managing Director at Kroll. He was the first Inspector General for New York State and has enjoyed a career spanning more than 30 years in private and public service across many fields, including in FCPA, anti-bribery and corruption, monitorships and white collar investigations. He can be contacted here.
