Scott Shaffer: When things go wrong, your due diligence was never enough

The Unaoil scandal has again brought FCPA due diligence to the forefront. Specifically, the question asked of compliance officers is, “How much due diligence is enough?” 

The answer, still, is “it depends.” 

But when things go wrong, the due diligence that was done is always “not enough.” It’s very easy to play armchair quarterback and second-guess the situation after the fact, but the truth of the matter is that due diligence is a very complex and challenging undertaking.  

Determining the extent and depth of the diligence has continued to be a source of frustration for compliance officers. Each third party relationship should be appropriately risk rated not only on a macro range of factors including, but not limited to, location, exposure, government connectivity, use of subagents and services performed, but also on specific internal factors that may require categorizing the third party at an increased level of risk.

The phrase, “don’t boil the ocean” has been used (and overused) at several FCPA meetings over the past year. Interpretation: spend your time, your resources and your money on those third party risks that warrant an enhanced level of scrutiny. For instance, if you are selling widgets in small volume through a sales agent in Norway with no government exposure and very little perceived risk, the level of due diligence would be quite different than those of a high volume sales agent in Nigeria with obvious government connectivity.

Once the risk has been categorized, you need to determine what level of research is commensurate with the risk. For the Norwegian example, minimal due diligence is required. However, even the lowest risk transactions should incorporate baseline due diligence to include completion of a questionnaire/application along with denied party list screening.

In regard to the Nigerian example, more diligence is required, but how much? Over the past 20 years, I have worked with hundreds of companies trying to address this seemingly basic question, but there is no definitive answer. Ultimately, you must feel confident that the level of due diligence is in line with the perceived risk that was calculated at the onset of the pending relationship.

If something were to go wrong and both your compliance program and, more specifically, your due diligence were reviewed by a regulator, would you feel that you had adequately addressed the risk? There is no better measure of future behavior than past behavior. If a thorough analysis showed a consistent track record of litigation, adverse media, unsavory business connections and/or undisclosed government relationships, you may have a hard time justifying your position. Conversely, if there was no indication of questionable business practices, your decision was justified. Although this may not prevent government action, it passes the smell test of reasonability based on perceived risk and the appropriate level of due diligence.

Over the past ten years, the realm of due diligence has grown from a few licensed investigative firms specializing in FCPA to countless firms offering everything from immediate-access databases and desktop research to direct-source firms with boots on the ground. If you use an outside firm to assist with your due diligence, screen the potential vendor to ensure the due diligence being conducted is in line with the risk ranking.

Fifteen years ago I attended FCPA conferences with audiences made up entirely of oil and gas companies, defense contractors, and a few other multinationals. Now, companies across the board are participating due to their understanding of the significance of the FCPA and other international legislation. The constants have always been: know your foreign partners and third parties, understand the risk, address red flags and make an informed decision based on the research you have compiled.


Scott Shaffer, pictured above, is the Managing Director for the Kreller Group in Cincinnati, Ohio. For the past 21 years he has consulted with clients on due diligence objectives, customized due diligence programs for new clients, and analyzed current trends regarding regulatory compliance.
