Anne Fleur Goedegebuure: What can go wrong (and right) with third-party due diligence?

Working with third parties continues to be the single biggest corruption risk for business. Almost one in two enforcement actions concluded since the OECD Anti-Bribery Convention came into force in 1999 was the result of bribery through sales agents, intermediaries, distributors or brokers.

In the United States, 90 per cent of reported FCPA cases involve third party intermediaries.

Despite the clear risk, it remains one of the hardest anti-corruption areas to get right. The GoodCorporation White Paper Combating Corruption: are businesses doing enough? revealed that almost two thirds of the due diligence procedures assessed were graded as inadequate. 

For many international organizations, the complex web of third parties, fundamental to any global operation, presents significant challenges to effective due diligence. So what are the principal stumbling blocks and how can they be overcome?

Stumbling block 1: Prioritizing third parties. For companies with a large number of suppliers and a highly complex supply chain, the prospect of conducting rigorous third-party anti-corruption due diligence may seem an impossible task. Some choose to conduct due diligence on all third parties, which can be superficial and ineffective, whilst others concentrate their efforts on those deemed to pose the greatest threat.

The most successful approach begins with a careful risk assessment to identify the third parties that pose a real risk to the organisation and allows for low risk parties not to be assessed. This approach ensures due diligence is manageable and directs resources where the effort is needed.  

Key high-risk third parties are those acting on the company’s behalf such as sales agents and intermediaries, joint venture partners, and organisations or individuals obtaining permits or licences. For general suppliers selling to the organization the risk is generally much lower and can be addressed via internal procurement, accounting processes and procedures related to the acceptance of goods and services.    

Focussing due diligence in this way allows resources to be directed towards pre-selection risk profiling of those counterparties representing the highest risks. It will also allow the risk assessment process to be subject to appropriate controls and scrutiny.

Stumbling block 2: Obtaining reliable data. Having prioritized those third parties that require due diligence, most companies send a questionnaire to obtain critical information.  

Such questionnaires should explore the business partner’s ownership, management structure, policies, mitigating anti-bribery and corruption (ABC) measures and controls, and sub-contracting of high-risk activities, and should include questions regarding any civil, criminal and regulatory matters. Whilst this will provide the company with comprehensive data, it is essential to verify this information.

References must be followed up and all the information provided should be validated through internet searches and the use of due diligence tools.

Care should be taken, however, with the use of some due diligence tools. In some high-risk jurisdictions these tools may contain inaccurate, incomplete, out-of-date and sometimes self-reported information. In such circumstances it may be prudent to visit the counterparty, develop some other method of verifying information using local staff or, in cases of particular risk, consider hiring professional in-country investigators. It is essential that a record is kept that demonstrates due diligence has been applied in decision making.  

Stumbling block 3: Dealing with red flags. In many instances, the due diligence process, if done effectively, will raise a number of red flags. These could be requests for non-standard remuneration arrangements (such as cash, commission-only, payments to EU non-cooperative tax jurisdictions…) or close relationships with public officials or a political party.

The identification of red flags does not necessarily rule out a future working relationship. In many instances, mitigation measures can be put into place, for example adding clauses such as audit rights or enhanced breach rights to the contract, conducting annual audits or supporting the third party to develop specific policies and training.

These should be monitored and properly documented to provide the necessary assurances that the potential risk has been minimized.

This is undoubtedly the hardest part of due diligence and some businesses, having assessed the risk, may choose this point to walk away, either from a region or a particular contract. This is by no means the only option and many decide to stay, confident that they can invest in the training, communication and monitoring resources necessary to ensure that business and corporate reputation remain protected.

This is where senior-level commitment is crucially important. Management must empower those conducting due diligence to act on the information received and support those difficult decisions that may need to be made as a result. This is a vital component of demonstrating a real commitment to establishing effective anti-corruption procedures.  

While this may seem onerous and time-consuming, there is a business advantage to be had. Companies with a reputation for zero tolerance of corruption will find it easier to attract the best suppliers, employees and, increasingly, capital. Not only that, in many parts of the world, the standards being set for public tenders are increasingly stringent as more countries seek to show their own opposition to and intolerance of corruption.

Third party due diligence is likely to remain one of the hardest anti-corruption practices to get right. Businesses need to understand the risks and the decisions they can make to mitigate these risks. And while automation and software solutions may offer some form of filtering, which will benefit in particular those with highly complex and very long supply chains, there is no substitute for experience and good judgment when it comes to properly managing such risk.


Anne Fleur Goedegebuure is a consultant at business ethics advisers GoodCorporation specializing in anti-bribery and corruption. She has worked across a variety of sectors including oil and gas, logistics and financial services. She has a Master’s degree in International Law from the University of Utrecht and a postgraduate qualification in Corporate Social Responsibility from the Erasmus School of Accounting and Assurance. GoodCorporation offers ethical and anti-bribery and corruption due diligence services which enable clients to carry out risk-appropriate and robust due diligence on even the most complex supply chains.

  1. In general, third party due diligence remains one of the hardest anti-corruption practices to get right, because the "local management" does not exercise proper oversight of its third parties (e.g. resellers/dealers), failing in its obligations to assess the risk management, control and governance process in a preventive manner. In certain cases, it should be noted that they tend to turn a blind eye, motivated by pressure from business results, overriding the corporation's culture of integrity.

    Silvio Souza, CIA, CRMA
    Sao Paulo, Brazil

  2. What do you think of the risk that the GDPR will make due diligence on third parties even more difficult and riskier? Anyone conducting due diligence should be aware of this risk of government misusing privacy regulations to interfere with anti-corruption efforts. Privacy bureaucrats in Europe seem not to care much about preventing corruption. Or maybe I am just a natural skeptic. Cheers, Joe
