Q&A: Managing third-party risks: due diligence and decision making

March 2020  |  SPECIAL REPORT: MANAGING RISK

Financier Worldwide Magazine

March 2020 Issue


FW moderates a discussion on managing third-party risks with due diligence and decision making between Pete Woglom and Joann Arweiler at BDO.

FW: Could you explain the key players responsible for managing third-party risks?

Arweiler: In today’s global market, organisations often leverage third-party intermediaries (TPIs) for a variety of business reasons. The use of TPIs can help with increasing revenue, reducing internal costs, accessing a specific expertise otherwise lacking internally, or gaining exposure to foreign markets in countries not yet explored. As a result, a board of directors and senior leaders’ decisions to use TPIs for a specific situation should be thoroughly analysed and discussed. More importantly, a part of the decision-making process should include discussions on how TPIs should be vetted and continuously monitored. To help executive teams mitigate risks posed with leveraging TPIs requires the need for a robust due diligence programme. An effective due diligence programme can support executive teams by developing information regarding the background, track record and reputation of key parties.

Woglom: This is a diverse market with a broad range of companies servicing the space. Each has its own areas of expertise, whether that is focusing on the initial high-volume screening of TPIs or specialising in delivering in-depth intelligence from in-country sources regarding TPIs that have been escalated as high risk. While a number of service providers seek to provide end-to-end solutions, most companies appear to still seek out geographic and subject-matter expertise for their highest risk TPIs.

FW: For companies facing the challenge of vetting thousands of third-party intermediaries (TPIs), has the artificial intelligence (AI) revolution really begun? How effective are new tools and platforms in helping companies mitigate the risks posed by TPIs?

Woglom: There is no doubt that artificial intelligence (AI)-driven diligence platforms have enabled companies to more cost effectively address that initial screening stage of the highest volume of TPIs. These platforms, however, still struggle to conduct the same level of effective diligence in non-Latin scripts and can cause companies to get bogged down in name matches despite the algorithms that should refine the search results. They absolutely have a place in the diligence process, but we emphasise with companies the need to understand at what point the judgment of an experienced analyst should be inserted into the process.

Arweiler: I believe that the AI revolution has begun, but with limitations. For an organisation to efficiently vet hundreds or even thousands of TPIs, a technology solution that incorporates AI should be a part of the due diligence process. Long gone are the days of using Excel spreadsheets in trying to track and vet TPIs. In this space, there are several automated research tools available today that provide search results, but lack the analysis needed for a company to make an informed decision. In the fast-paced economy that we live in, companies need accurate and targeted data rather than a data dump of search results. This is where certain of the automated technology solutions fall short. While AI tools can conduct rapid searches and provide quick results, what is lacking is the ability to make relevant connections and to conduct a thorough analysis. An effective due diligence programme still requires the need for professional researchers and investigators who incorporate an AI solution as a part of the overall research process, but still maintain a critical role in drafting the final product. An experienced researcher who can work with the company in understanding and explaining the search results, identify key pieces of information and discuss next steps, will only enhance a company’s ability to mitigate risks in a timely and thought-provoking manner.

One of the biggest gaps in the due diligence process relates to the lack of having a continuous monitoring solution and a consistent risk-based approach.
— Joann Arweiler

FW: In industries where companies typically have more mature anti-bribery and corruption programmes, are there still common gaps that you see in their approaches to investigative due diligence on TPIs?

Woglom: The most common gap is still a lack of effective ongoing monitoring of certain higher risk TPIs. Most frequently, we see companies that will do batch searching against sanctions and watchlists, but effective monitoring needs to go deeper on certain of the TPI population, taking into account adverse-focused media as well. Similarly, we do not see companies consistently applying external criteria to understanding how TPI risk profiles may change. For example, in politically volatile countries where new regimes come to power, how might those new dynamics impact a TPI’s operating profile? Even for TPIs that had excellent reputations but were politically connected to a regime no longer in power, what might this mean for a TPI’s risk exposure, including external considerations and not just the results of adverse-focused public record searches, is not consistently covered. It is also worth noting that clients often focus their most in-depth diligence on TPIs operating in markets deemed the highest risk using a metric like the Transparency International index or something similar. It is critical, however, to understand the specific use of or reliance on a TPI as the diligence can go under-scoped and leave significant risk exposure.

Arweiler: One of the biggest gaps in the due diligence process relates to the lack of having a continuous monitoring solution and a consistent risk-based approach. A company can take all the right steps in conducting initial searches such as sanctions and watchlists, but what happens after that initial review? What is the process to conduct due diligence on the higher risk TPI population? Often, additional proactive steps are not taken, leaving a gap to fall victim to adverse risks. This puts the company in reactive mode as opposed to proactive, and often the reactive mode is more costly to an organisation and the consequences can be detrimental. Incorporating an enhanced due diligence programme to further investigate the higher risk TPIs and engaging in a continuous monitoring solution can help companies mitigate risks and reduce costs. An effective continuous monitoring solution can provide updated information about key targets with the ability to track multiple targets for changes affecting their risk and compliance profile.

FW: What are some of the lessons learned about how companies respond to identifying critical risks relating to a TPI that they may already have engaged with or could be inheriting as part of an acquisition?

Arweiler: Enabling management’s ability to ask the right questions is aligned with having an effective due diligence programme. Ideally, due diligence should take place before an acquisition, but this may not always be the case. Due diligence goes beyond understanding the background and reputations of key individuals. Understanding an organisation’s IT systems, possible data breaches, internal policies and procedures and financial condition, represent a few of the items that should be evaluated and discussed. TPIs’ weaknesses could be leveraged as negotiation points working to the advantage of the acquirer. The planning process should once again include an evaluation of the relationships, value that it adds and understanding the potential risks. In order to make these types of assessments, companies need an existing due diligence process. If this does not exist and an acquisition takes place without taking the necessary steps, think of how costly it could become and the potential adverse risks that could follow, including headline risks. Not to mention that the level of risks will vary greatly based on industry type, business size and the type of company being acquired.

Woglom: The challenge for many companies is how they plan to effectively address the risks posed by those TPIs that they have designated as their highest risk TPI population. Often, these may be individuals or entities operating in markets where the public record is sparse and unreliable or where there may be significant geopolitical upheaval that can have a significant impact on a TPI’s operating capabilities and ability to navigate sensitive political dynamics. We do see clients that can be hesitant to go beyond desktop-based research in markets where human intelligence is essential to understanding and mitigating risks. The key is to work with a provider who understands that there is not a need to ‘boil the ocean’ and utilise a provider who has real subject-matter expertise for a market that allows them to conduct their diligence efficiently and cost-effectively. Many companies have numerous in-house language skills, but that does not necessarily mean they have the necessary on-the-ground network to do both cost effective and efficient diligence.

The challenge for many companies is how they plan to effectively address the risks posed by those TPIs that they have designated as their highest risk TPI population.
— Pete Woglom

FW: Alternatively, how can companies mitigate the types of risks potentially posed by TPIs in the first place?

Woglom: Sitting on the provider side, it is often interesting to see how companies may approach the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act to mitigate against potential successor liability issues. The key is always maintaining a consistent, risk-based approach. We see certain companies that do a significant number of deals and have a consistent process they deploy from deal to deal. Other companies may do things on a more ad-hoc basis. Even for acquisition targets that might not have a physical presence in a high-risk market, they may still utilise an agent or other intermediary in certain of these markets, and it is crucial to understand what that potential exposure may be as the activities could ultimately impact a target’s valuation.

Arweiler: Through the years, I have noticed that some companies are very consistent in their due diligence approach whereas others are more selective. I think the first step relates to awareness, acknowledgement and then maintaining a level of consistency. Executive teams must acknowledge the importance of third-party risk management responsibilities. It should be a normal course of business. A durable risk management programme should be supported by technology and a team of qualified professionals enabling consistency, transparency and effective controls throughout the duration of the relationship with TPIs. Understanding who you are conducting business with is the first step, but to have a programme in place that also continuously monitors your TPIs adds more value because it will enable a company to have control over a potential adverse situation.

FW: Companies in certain industries may have TPIs located in jurisdictions where desktop research may be of limited use because records are not available online and they may be sparse or incomplete even through on-site searches. What are the challenges and advantages to developing reliable information through reputational inquiries, or ‘human intelligence’, on these TPIs?

Woglom: As with all challenges, reputational inquiries through on-the-ground sources is a critical piece of the puzzle and is frequently necessary for companies to properly assess potential risks. While the provider may always face certain challenges, such as a politically sensitive target or even significant security concerns, the biggest challenge is often understanding whether they can do one-stop shopping for source inquiries or whether they need a specialist firm. Ultimately, this boils down to their understanding exactly who comprises the on-the-ground networks and just how well-placed those sources are. The advantage to well-placed human sources is that they can fill in significant gaps left courtesy of an opaque public record environment, but companies need to take the time to really understand what jurisdictions a firm specialises in. Many firms claim they can capably deliver that intelligence across the globe, but it is very rare for a firm to be equally strong across all these markets.

Arweiler: A robust and sophisticated due diligence programme will include an established network of investigative resources and in-depth research experience in a region. It is commonplace for seasoned researchers to often utilise a vast network of in-country agents and local intelligence resources in order to obtain the most relevant and accurate information. In certain countries, records are difficult to obtain through easily accessible databases and public sources. In these instances, a network of in-country agents and intelligence sources can be leveraged. Experienced and knowledgeable local agents can obtain records and source commentary that is only available at the local level. Overall, human intelligence plays an integral role in the makeup of a strong due diligence programme. If a record identified is unclear, if the status is unknown, or if additional information is needed, direct contact with the issuer of the record or other local resource is paramount to ensuring a thorough investigative process. Clients should pair themselves with a due diligence team that understands the varying reliability of records, the possibility of underlying corruption, geopolitical concerns, but more importantly demonstrates their knowledge in a particular region.




Pete Woglom is a managing director in BDO’s investigative due diligence practice, focusing on business growth opportunities with the firm’s clients involved in capital markets transactions and involved in complex opportunities throughout the Americas. He plays a key advisory role supporting clients assessing complex transactional and geopolitical risks in developing and developed markets. He has more than 20 years of experience leading complex investigations spanning multijurisdictional asset tracing engagements to FCPA investigations to corporate contests. He can be contacted on +1 (212) 885 8072 or by email: pwoglom@bdo.com.

Joann Arweiler leads BDO’s investigative due diligence practice. She provides domestic and global business intelligence services relating to prospective business, pre-investment and M&A transactions, as well as internal investigations. She has been serving clients for over 15 years by identifying risks and exposing disclosure issues, pertinent details, and anomalies developed during the course of an investigation. She provides meaningful intelligence to her clients in order to ensure they are positioned to make an informed business decision. She can be contacted on +1 (212) 885 8181 or by email: jarweiler@bdo.com.

© Financier Worldwide


THE PANELLISTS

Pete Woglom

Joann Arweiler

BDO


©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.