Tue, Sep 10, 2019

Supply Chain Due Diligence - What, Why, How

In today’s globally connected world, companies no longer simply compete company-to-company; rather, they compete supply chain-to-supply chain. Modern companies are discovering that third-party relationships are a cornerstone of most of their day-to-day operations, providing them with a critical edge over their competitors. Whether you’re buying raw materials, outsourcing software development or hiring a consultancy service, third parties provide an effective means for enlisting necessary expertise and resources without making the costly investments needed to bring those capabilities or services in-house.

However, working with external partners comes with potential risk. One area of concern is increased exposure to corruption carried out by third parties. As organizations increasingly rely upon third parties for a variety of reasons, the risk of running afoul of international anti-corruption and bribery regulations increases, and is often swiftly followed by reputational damage.

Proactively conducting third-party due diligence can help your company minimize its exposure to corruption risks. Furthermore, developing an objective, risk-based approach can also ensure that your firm minimizes its third-party risk in a cost-effective manner. 

What is Supply Chain Due Diligence?

At its most basic level, supply chain or third-party due diligence describes the efforts taken to investigate a potential business partner. Third parties in a modern supply chain are diverse. They can include suppliers, distributors, agents, advisors and consultants, and even customers. Third-party due diligence applies both up and down the supply chain. Any external partner, be it entity or individual, that a firm works with is a third party and therefore a potential corruption risk.

The objective of third-party due diligence is to discover any corruption risks associated with the potential partner.1 Ultimately, an effective due diligence screening program allows a firm to make an informed decision about whether it is safe to proceed with a proposed business partnership. As such, proper due diligence should begin before engaging with a third party–such as through an onboarding questionnaire–and continue throughout the relationship through monitoring. The level of effort that a firm invests in conducting a due diligence investigation on a third party should correlate with the level of risk the third party potentially presents.

Best Practices for a Successful Supply Chain Due Diligence Program

While each firm should tailor its due diligence program to its specific needs and resources, some common best practices exist to help guide your efforts:

  1. Understand your firm’s third-party universe: Understanding your existing third parties is paramount to implementing an effective due diligence program. Failure to understand your firm’s various third-party relationships will undermine your efforts to establish a rigorous, risk-based due diligence program. Only with a good understanding can you begin to develop risk categories, the next step.

  2. Assess your third-party risk: A one-size-fits-all due diligence program is neither effective nor efficient, as not all third parties are equally risky. Developing a risk assessment system allows you to segment your third parties according to their risk profiles and focus your limited resources on your riskiest relationships. When developing a risk assessment, use objective criteria relevant to your company that include, at a minimum: the industry sector, jurisdiction and type of the third party; the nature of your relationship; and, especially, the third party’s relationship, if any, with government entities.

  3. Perform the relevant level of due diligence screening: Due diligence assessments can be thought of as a tiered approach, with the higher-risk third parties requiring more thorough due diligence. Standard options for due diligence include the following, ranked from simplest to most in-depth:
    • Database Screening – This type of basic screening runs companies and individuals against various types of sanctions, global watchlists and politically exposed person (PEP) lists to uncover any adverse results. This cost-effective type of due diligence is best for your lowest risk third parties.
    • Open Source Review – This level of due diligence seeks to identify potentially adverse information, or “red flags,” in online media and other internet sources. Depending upon the third party’s jurisdiction, foreign language checks may also be required to ensure a wide-enough net is cast.
    • Public Record Review – This level builds upon the open source review by also investigating local and national civil and criminal litigation, bankruptcy or insolvency records and general, consumer- and industry-specific regulatory records. If relevant, it should also seek to verify an individual’s education and license claims.
    • Reputational Review – Up to this point, the due diligence efforts have consisted of desktop research. But the riskiest supply chain relationships may require going the extra step of enlisting local human intelligence to conduct discreet inquiries into the third party. These types of inquiries evaluate the third party’s reputation and validate potential risks identified using online searches.

  4. Establish an ongoing monitoring plan: Third-party risk unfortunately does not end with the onboarding process, as a third party’s risk profile is likely to change over time. Stay ahead of third-party risk by continually monitoring your existing third-party relationships to rapidly identify emerging risk-relevant developments.

  5. Use a third-party management system: Third-party management systems help improve the efficiency of your staff, consequently reducing your firm’s operating costs. They also ensure objectivity and consistency of your due diligence efforts, thus reducing the likelihood of human misconduct or error. Furthermore, centralized control of all due diligence records will help your company in the event of an audit of your third-party management program.

  6. Re-evaluate due diligence processes over time: As your business grows and changes, it may face new needs or challenges surrounding its third-party relationships. Risk profiles can also change, and your due diligence program needs to effectively address new points of concern. Conduct regular reviews of your third-party due diligence process to make sure you’re always focused on the risks that are most relevant to your business.


As business relationships with third parties increase, mitigating the inherent corruption risks in your supply chain will become more central to a successful business strategy. If your organization is looking to uncover or remediate supply chain risks, contact Kroll’s compliance experts to discuss how to implement or improve your third-party due diligence processes.



1 Although there are different types of due diligence, each with its own objective, the focus of this article is on anti-corruption and anti-bribery due diligence. 
