Risk-based third party due diligence: A guide for compliance teams

Every organisation depends on a network of third parties to operate. These third parties are the backbone of the supply chain and distribution network. However, managing a large, globally connected network involves significant risks. 

These include third parties operating in countries with unstable political environments, weak regulatory systems, or high levels of corruption. Industry risks also arise, particularly in sectors such as defence and energy which face heightened regulatory scrutiny. Similarly, incorporation risks emerge from third parties with complex legal structures, such as shell companies or entities based in tax havens. 

Companies must identify whether their third parties fall into these risk categories, which makes third-party due diligence an essential part of any effective corporate compliance programme. By conducting due diligence, organisations can independently and objectively assess the risks associated with their third parties. But there is a challenge: how can organisations determine the right level of due diligence for a third party without first conducting some due diligence on it?

This article explores why compliance teams often struggle to take a truly risk-based approach to third-party due diligence and why success depends on having the right technology.

What is risk-based due diligence?

At its core, risk-based due diligence involves tailoring due diligence efforts to the specific risk levels associated with third parties. Compliance resources are both in demand and costly, as the role requires specialised skills. Adopting a risk-based approach to due diligence allows compliance teams to allocate their time and expertise where they are most needed. 

This ensures that:

  • Low-risk entities don’t consume disproportionate resources.
  • High-risk third parties receive the attention they deserve.
  • Compliance efforts are efficient, strategic, and aligned with regulatory expectations.

Regulatory expectations

The risk-based approach is guided by regulations such as the UK Bribery Act and the U.S. Foreign Corrupt Practices Act (FCPA). In the UK, particular attention is given to the Section 7 offence under the Bribery Act. This section makes it a criminal offence for companies not to have adequate systems and procedures in place to prevent criminal behaviour, so to avoid liability a company must be able to show that adequate and effective procedures exist. The adequacy of these procedures must be reviewed and updated regularly to remain effective. Failing to assess a compliance programme every three years could leave a company vulnerable to a Section 7 violation.

What does risk-based due diligence involve?

To implement a successful risk-based due diligence programme, compliance teams need to focus on assessing and categorising third parties based on their risk level. This starts with having the right processes and tools. 

1. Define third-party risk criteria 

The first step is categorising third parties as low, medium, or high risk. This might involve a scoring system built on predefined criteria such as geographic location, ties with government officials, and industry-specific risks. Third parties that interact with foreign officials are often considered higher risk because of the potential for corruption or regulatory issues. For instance, third parties operating in low-risk regions with minimal government interaction might undergo basic screening, while those in high-risk jurisdictions with significant government connections require deeper scrutiny.

2. Initial third-party due diligence 

The due diligence process typically begins with screening against watchlists, PEP (politically exposed person) lists, sanctions lists, and corporate registries. This foundational step is often complemented by web searches using predefined keywords and criteria. However, narrow search methodologies can leave information gaps. For example, you might miss important risks that appear far down in the results (e.g. on page 40), or local and regional content that the primary search terms never capture. This highlights the need for more specialised technology tools.

3. Triage third parties by risk

Once data is gathered, compliance teams need to verify and interpret the findings. This is where the value of risk-based due diligence becomes evident—teams focus their analysis on higher-risk entities rather than spreading resources evenly across all third parties. Organisations then either conduct the deeper due diligence internally, using in-house teams and tools, or outsource it on high-risk cases to a specialist firm or consultancy.

Where third-party due diligence programmes fall short

Many corporations structure their third-party due diligence programmes in a way that prevents a truly risk-based approach. To accurately determine a third party’s risk level, organisations must first develop a holistic understanding of the risks associated with them and then triage them based on their genuine risk level. 

While screening databases is an important first step, databases are also one-dimensional. These point-in-time checks tick a box but give no insight into a third party's holistic risk profile or how it has changed over time. Just because a company, individual or entity doesn't appear on a watchlist today doesn't mean it isn't risky. An individual might not be subject to sanctions, but they may have associates who are known to work in criminal gangs or a previous history of corporate fraud. Structured databases fail to capture this context.

In short, many of today's compliance systems for managing third-party risk either overburden teams or hinder their ability to implement a risk-based approach. Overly comprehensive systems require due diligence teams to spend excessive time on web searches to give context to binary data, leaving little capacity to focus on higher-risk areas. Conversely, overly restricted systems that rely only on databases fail to account for the full range of risks that a third party may pose.

Rethinking third-party diligence systems

Manual processes can no longer meet the demands of today’s rapidly evolving business landscape. Bribery and corruption remain pervasive, but risks are now further complicated by geopolitics, global supply chains, strict human rights laws, and ESG considerations. This broader risk environment is nuanced and constantly changing, making it impossible to capture with static, structured databases.

The volume of third-party data is growing exponentially, making it harder for compliance teams to find the right information while discarding irrelevant data. This challenge will only intensify in the coming years. Without automated technology, compliance teams can’t process and analyse this data effectively.

Not using AI could soon be considered negligent

Advances in AI technology have transformed the standards of adequate compliance systems. AI empowers compliance teams to analyse unstructured data, uncover hidden risks, and maintain continuous oversight of third-party relationships. It eliminates the manual limitations that hinder traditional methodologies.

At the core of a risk-based approach is the challenge of understanding a third party’s risk level upfront. With AI-powered platforms, compliance teams can assess third-party risks in minutes. These tools enable quick clearance of low-risk third parties while flagging higher-risk ones for enhanced due diligence. This ensures compliance teams spend their time and resources where they are needed most—a true example of what a risk-based approach looks like. 

Xapien streamlines due diligence

Xapien's AI-powered research and due diligence tool goes faster than manual research and beyond traditional database checks.