Once Bitten, Twice Shy: Due Diligence on Third Parties

Fikret Sebilcioğlu, CFE, CPA, TRACE Anti-Bribery Specialist
Managing Partner

History shows that mismanagement of third-party ethics and compliance risks may cause significant damages for companies. By taking lessons from old mistakes, you get plenty of reasons to take preventative, detective and monitoring actions in managing your third-party risks.

I have conducted many forensic accounting and fraud investigation projects to date, and my experience has clearly shown that most ethics and compliance issues such as bribery, corruption and fraud were directly or indirectly related to third parties with whom the victim companies had some form of business relationship. It is also not surprising to observe that the top 10 FCPA settlements involving bribery show that bribery originates within the company itself and is channelled outward through third parties, including consultants, agents and joint venture partners.

In many fraud investigations I have carried out to date, I have seen that there are two sources of ethics and compliance risks related to third parties: issues originating with the third parties and issues originating within the company itself. For this reason, focusing exclusively on external third parties when fighting ethics and compliance challenges is unfortunately not enough. Companies should also take a deep look in the mirror.

In order to avoid such ethics and compliance risks and challenges arising from third parties, companies should consider due diligence activities as a key defence mechanism. We have seen that many large international companies have anti-corruption and ethics and compliance procedures in place which require conducting risk-based due diligence. Therefore, before entering into relationships with third parties, companies should take active steps to ensure that potential ethics and compliance risks flowing from those relationships are evaluated and managed.

Due diligence enables companies to identify red flags and so avoid association with third parties that could expose them to financial, reputational and legal risks. It is a systematic, periodic process carried out when entering into a business relationship.

Many surveys show that although due diligence on third parties commonly receives the greatest attention in managing ethics and compliance risks regarding third parties, companies struggle to design and implement an effective due diligence process due to large numbers of third parties, variations in their forms and activities, the multiplicity of risks and uncertainty on how to best assess the risks.

As there is no getting away from those risks, companies have to find a suitable methodology for screening their third parties to ensure they obtain the proper information to identify red flags and assess the integrity and compliance of a third party against pre-determined criteria. Moreover, while companies focus on identifying high-risk third parties, the due diligence methodology should also be capable of handling a large number of medium- and low-risk third parties with proportionate time and effort.

The methodology should be based on the company’s third-party bribery risk assessment including risk categories for types of third parties and other bribery risk factors to structure decision-making for individual third parties as stated in my previous articles. These predetermined risk criteria allow the company to assess individual third parties for inherent risk and determine the level of due diligence accordingly.

Moreover, the methodology should also consider the risk approach of the board and guidance from regulators, professional advisors and anti-corruption initiatives. The companies can also learn from past cases and releases by authorities such as the UK Serious Fraud Office, UK Financial Conduct Authority, the US Department of Justice and the US Securities and Exchange Commission.


The steps of due diligence may include the following and can be implemented by companies according to their risk profile and the size and nature of their third-party population:

  • All third parties are categorized with a risk rating.
  • Information and documentation from the third party and business unit are obtained.
  • Further information is researched, gathered and assessed in accordance with the level of assigned risk.
  • Any identified risks are mitigated, if possible.
  • A decision on whether to proceed to contract is made.

In my next article I will further delve into those procedures.

A Turkish proverb says that a person who carelessly drank hot milk and burned their tongue will always blow on yogurt before eating it. It is similar to the English idiom “Once bitten, twice shy”. History shows that mismanagement of third-party ethics and compliance risks may cause significant damage for companies. I believe that by taking lessons from old mistakes, you get plenty of reasons to blow on your yogurt before eating it; namely, to take preventative, detective and monitoring actions in managing your third parties.

Smart and proportionate measures will always prevent your tongue from burning!

What the law says

US Foreign Corrupt Practices Act (FCPA)

Under the FCPA, an organization or individual may be held liable for making a payment to a third party while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. According to US Department of Justice guidance issued on the FCPA, the term “knowing” includes conscious disregard, deliberate ignorance and wilful blindness. To avoid being held liable for corrupt third-party payments, the US Department of Justice encourages companies “to exercise due diligence and to take all necessary precautions to ensure that they have formed a business relationship with reputable and qualified partners and representatives”.

UK Bribery Act

In its Adequate Procedures Guidance to the UK Bribery Act, the UK Ministry of Justice states that “a commercial organisation will be liable to prosecution if a person associated with it bribes another person intending to obtain or retain business or an advantage in the conduct of business for that organisation”.

An “associated person” is defined as an individual or entity that “perform services for or on behalf” of an organization. In the event of failure to prevent bribery by an associated person, the UK Bribery Act provides that it is a “defence” for an organization “to prove that [it] had in place adequate procedures designed to prevent persons associated with [it] from undertaking such conduct”.