Managing Third-Party Risk: Due Diligence and Evaluation
December 23, 2020
Managing Third-Party Risk: Due Diligence and EvaluationDownload Article
In Risk & Compliance magazine’s latest expert forum, Bryant Aaron from Novartis moderates a panel with Withers' Jamal Saleh and FTI Consulting’s Andrew Durant, Wayne Anthony and Shahin Shamsabadi on the red flags to be aware of when conducting third-party due diligence.
This is an extract from Risk & Compliance magazine, published in their January-March 2021 edition. The entire publication is available at https://riskandcompliancemagazine.com/managing-third-party-risk-due-diligence-and-evaluation
Aaron: What steps should a company take if there is any refusal or hesitancy by a third party to disclose its owners, partners or principals?
Shamsabadi: A third party’s refusal or hesitancy to disclose ownership is typically the exception and not the rule. Put simply, such a refusal should be treated as a red flag and be investigated further. The compliance team should escalate the matter and the relevant team would make a decision on the next steps, such as seeking to identify the ownership independently or potentially engaging a service prover to conduct a due diligence investigation. There could be several reasons why a third party is hesitant to disclose this information. A common situation, for example, is that point of contact is not comfortable requesting the information internally or is unwilling to provide the corporate details due to cultural sensitivities. Even so, the third party should be made aware that the requested information is mandatory for onboarding and approvals, so as to encourage them to be forthcoming and explain their position. Ultimately, the onus is on the third party being considered to supply the requisite documentation and information for onboarding and review. Their cooperation to do so should be viewed as a willingness to abide by their partner’s standards and legal obligations. If, ultimately, they decline to provide the requested information, they should not be onboarded.
Reprinted with permission from Risk & Compliance Magazine, January- March 2021 Issue