
Allan Matheson: Building an effective third party compliance program with limited resources

Most FCPA enforcement actions involve intermediaries. By prioritizing risk and harnessing inherent capabilities of a compliance program, it’s possible (and often necessary) to build an effective third party compliance program despite resource limitations.

The following steps can maximize program efficiency while saving time and effort:

1. Assess risk appetite and risk rating criteria for third party compliance. All third parties bring risks, and every business has a different risk tolerance. In the absence of a previously established risk rating mechanism, identify the significant and current risks that exist in the organization across the various risk categories. Then evaluate the company’s approach to risk tolerance, risk capacity and risk attitude: how much risk is typically tolerated while still meeting business goals? Decide where to draw the line for risk and which factors to use to evaluate it.

Some risks are static, such as country of operations, CPI (Corruption Perceptions Index), nature of business, industry, type of business and magnitude of the business relationship. Other risks are dynamic and specific to the third party itself: are the third party’s executives currently under investigation for corruption? Is the third party currently dealing with foreign government officials? Given risk rating criteria, AI technologies can identify and highlight risks that a human reviewer may have missed, and can integrate seemingly disparate risk factors into a single holistic risk report that gives a quick overview of each third party.

2. Adopt a risk-based approach to due diligence to mitigate high-level risks. Try to map out areas of highest third party risk. A risk-based approach entails identifying areas of high risk, then taking steps to reduce these risks and minimize the overall threat.

A risk-based approach focuses resources on specific, urgent issues rather than casting a wide net over all possible concerns. The ability to quickly generate a review of the highest risk third parties without spending an excessive amount of time becomes increasingly important as the volume of third parties increases.

A third party’s risk level may change suddenly and drastically. The ability of a technology to raise red flags on urgent issues for immediate attention therefore reduces the need for labor-intensive manual review of information, and allows prioritization followed by response, control, mitigation and eventually re-evaluation of high risk third parties.

3. Implement flexible workflow automations to save time. Even in the most sophisticated of third party compliance programs, an inordinate amount of time is often spent on purely administrative tasks. This administration typically adds little to no value to the program and introduces the possibility of administrative errors. Most third party compliance technologies can implement automations in workflows to reduce manual and repetitive processes, freeing up time to focus instead on central oversight or high-level decision making.

4. Examine the budget, eliminate excess and re-allocate resources. Consider where and how the budget is allocated in the compliance program. For a signed multi-year agreement with a vendor, what are the expected expenses? What additional costs will come from training new hires, adding automations or calibrating the platform, if any? Are there any other cost-effective solutions? Can administrative resources be redeployed to higher-level compliance functions by harnessing technology to manage lower-level tasks instead?


Allan Matheson, pictured above, is CEO of compliance research firm Blue Umbrella. He has more than a decade of experience in compliance risk management leadership, due diligence and pre-employment screening.

Blue Umbrella’s whitepaper, “How to Build an Effective Third Party Compliance Program with Limited Resources,” can be requested here.




  1. Great tips Allan! Third parties might represent a big risk once they can make decisions on behalf of your company.
    I’ve been talking about that very often in seminars here in Brazil, especially regarding one type of third party that many companies (and even compliance officers) are not paying proper attention to: law firms. They are a third party and they will act on your behalf. So, they need to be submitted to due diligence, like the others.
    Thanks for sharing these insights!

  2. Thanks Allan for giving these wonderful insights!
    Actually, when you start your business you have to do a lot of things…
