Running worldwide businesses requires effectively recognising, analysing and managing risks and ensuring compliance. We have identified that many organisations with third-party relationships conduct inadequate due diligence that might pose significant risks. In this article, we look at the possible risks and the best practices for conducting adequate due diligence and third-party risk management effectively, such as:

  1. Planning
  2. Documentation
  3. Culture

Continuous risk management

Today’s global business requires efficiently managing a network of third-party partners that supply product components, run operations in foreign markets, operate call centres, or act as outside consultants or agents.

A well-maintained third-party network’s vast array of capabilities and specialised skill sets make operations easier for both the organisation and its customers. But many organisations, from small businesses to multi-national corporations, can rarely afford the time and effort required in-house to manage these often complex third-party relationships.

Because of this, the risk of unethical business practices, bribery and other business corruption potentially increases if inadequate due diligence is conducted on third-party partners. The ramifications of a scandal related to a third-party partner can easily take down an organisation, resulting in such risks as a damaged reputation and brand devaluation, regulatory violations, legal proceedings and possible fines and jail terms for directors. Therefore, a strong and viable third-party risk management program is the only way to fully protect the corporation’s assets.

Building a third-party risk management program is not a passive process. It continually requires time and effort, as the risks associated with third-party partnerships evolve.


Consider the recent events, during which the legislators of three separate nations signed new compliance regulations and standards into law. If your organisation’s third-party risk management program is unable to quickly adjust to these new regulations (or is not designed to anticipate future legislative movements) your organisation is truly at risk.

Cutting Corners Not Worth the Risk: Adequate Due Diligence

Certainly, building a strong risk management program requires a significant investment of time and resources (both internally and from the outside). Still, the consequences of not doing it right could be dramatically severe. Even so, far too many organisations are willing to tempt fate by cutting corners on developing and implementing their third-party risk management program.

Organisations attempt to cut corners by relying on outdated or stagnant tools to monitor, detect, and prevent risks. Hiring outside industry professionals with proven track records of successful due diligence experience is necessary.

Relying too heavily on “desktop” due diligence is another dangerous shortcut. Desktop due diligence is an important initial step of the investigative process, involving background checks, lien searches, regulatory filing investigations and environmental reports. And while it is a vital component of any effective due diligence program, it’s not nearly enough to thoroughly evaluate a third party.

Truly understanding a potential partner’s business requires a considerable amount of time spent face-to-face with the outside organisation’s leadership, operations management and even current customers. This “boots on the ground” process will detect potential risks, often hidden from a distance, and undetectable via web-based discovery tools.

The “boots on the ground” approach also helps to establish the relational dynamic required for ongoing negotiations and provides a clear insight into two of the fastest-growing issues in third-party risk management: Bribery and Labor Management.

Bribery As a Compliance Issue

Anti-bribery and anti-corruption compliance is a fast-moving target. New anti-bribery laws and regulations are being decreed worldwide at a relentless pace. Complicating matters further, many countries may have laws in place but lack the ability to enforce them adequately. When this happens, the responsibility falls to your organisation’s adequate due diligence program to ensure detection and protection.

High profile investigations in recent years have contributed to the rapid emergence of bribery and corruption as a societal issue. Never before has such a contrast been drawn so dramatically on a global stage between those that engage in bribery and those that suffer as a result. Any organisation that finds itself mixed up in a scandal involving bribery has more than a legal mess to contend with. It has a long battle to win back the trust of its shareholders, employees, customers and the public.

Conducting sufficient and adequate due diligence surrounded by such varying factors is work that must be conducted in person. Gaining insight into a potential partner’s company culture requires a level of immersion with the organisation’s leadership, management and staff. When it comes to evaluating bribery risk, some warning signs can only be discovered on-site.


Labour Matters and Compliance

From overtime issues and under-age workers to unsafe working conditions and improperly documented accidents, labour compliance represents a major component of any strong third-party risk management program.

Once again, inadequate attention to risks related to labour compliance can bring on considerable penalties. Understanding which industries, geographic regions, and management structures elevate the organisation’s risk is key to operating an adequate due diligence program efficiently. This understanding is nearly impossible to guarantee via ‘desktop’ due diligence. Spending the necessary time in person is the only way to ensure a potential supplier is properly compensating and managing employees while providing a safe workplace environment.

Make no mistake, even if your agreement with a third-party partner places the responsibility of payroll issues firmly upon the vendor, your organisation — as a joint employer — can still be held accountable in many countries. After all, the labour being conducted at your partner’s facility benefits your organisation’s bottom line.

What are the best practices?

The demands of identifying and measuring third-party risk, monitoring those potential risks on an ongoing basis, and making recommendations based on empirical research are best met by a dedicated team of outside professionals. And while no two organisations are alike in terms of risk profiles, several factors have become consistent in building a strong, effective and adequate due diligence program:

1. Planning: Without a well-thought-out plan outlining ongoing monitoring efforts with assigned roles and responsibilities, measures to mitigate risk will be haphazard at best and dormant at worst. With a thoroughly established, management-advocated program that identifies specific risk factors for each affiliation, a process for addressing red flags, and an established mechanism for continual revision, the organisation will remain vigilant in its efforts to protect itself from liability.

2. Documentation: Due diligence efforts are only as good as the information and data gathered and secured. Meticulous documentation and reporting enable the organisation to recognise trends, communicate analyses, and sustain efforts during any future personnel changes. Effective risk management programs feature established guidelines for capturing data, contracts and research with uniformity.

3. Culture: An organisation where leadership, management and workforce do not take third-party risk seriously will never be adequately protected from risk. Successful organisations in this respect dedicate themselves to building a culture in which every employee feels personally invested in the operation’s risk management. Employees must feel empowered and encouraged to report red flags. Passive engagement is simply not enough.

Done correctly, third-party risk management can effectively save the organisation from risk, liability, and other perils often associated with outside entities wanting to engage and transact with your business.

A TPRM customised solution that best suits your needs

CRI® Group’s own exclusive, expert-developed 3PRM™ services help you proactively mitigate risks from third-party affiliations, protecting your organisation from liability, brand damage and harm to the business. Whether your organisation has a large, well-established third-party program, is in the early stages of development, or is anywhere in between, the 3PRM™ solution can improve the health of your program and future-proof your entire business in many forms.

Our 3PRM™ solution streamlines the third-party risk management process through scalability and efficiencies, from third-party risk identification to assessment. What sets us apart is that our 3PRM™ solution includes:

  • Due Diligence
  • Screening & Background Checks
  • Regulatory Compliance
  • Business Intelligence: Information Management
  • Investigations: i.e. IP, Fraud, Conflict of Interest, etc
  • Anti-bribery & Anti-Corruption (ABAC) Compliance
  • Employee auditing training & education
  • Monitoring & reporting

Where should TPRM sit within an organisation?

TPRM can sit within various business units depending on your organisation’s structure. Many organisations involve multiple departments such as procurement, information security, operational risk and compliance to provide input to manage the risks related to engaging third parties. Depending on your business’ internal structure, you may choose to apply a centralised, mixed or decentralised model when focusing on TPRM. At CRI® Group we observed a trend with many of our clients implementing a centralised model when managing their third-party relationships, given the required input from their multiple business lines. A centralised model allows you as an organisation to track common risks across departments and identify emerging trends that may require a response from more than one department.

Risk management goes beyond TPRM

CRI® Group provides the knowledge required to navigate unfamiliar markets and mitigate third party risk by assessing the backgrounds, integrity and character of those with whom you do business. Our 3PRM-Certified™ program is therefore key for managing an organisation’s third party risk levels. However, this is only one of the several vital steps towards a robust risk management strategy implementation.

Risk management is the identification, evaluation, and prioritisation of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimise, monitor, and control the probability or impact of unfortunate events or to maximise the realisation of opportunities. Risks can come from various sources including your employees.


At CRI® Group, we understand that managing compliance and risk activities might be a daunting task. That’s why we present you with the insights library where you can dive deep into these topics to make your job easier. If you can’t find what you are looking for, just get in touch – we would love to have a chat!


Who is CRI® Group?

Based in London, CRI® Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI® Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle.

In 2016, CRI® Group launched the Anti-Bribery Anti-Corruption (ABAC®) Center of Excellence – an independent certification body established for ISO 37001:2016 Anti-Bribery Management Systems, ISO 37301 Compliance Management Systems and ISO 31000:2018 Risk Management, providing training and certification. ABAC® operates through its global network of certified ethics and compliance professionals, qualified auditors and other certified professionals. As a result, CRI Group’s global team of certified fraud examiners work as a discreet white-labelled supplier to some of the world’s largest organisations. Contact ABAC® for more on ISO Certification and training.


Meet our CEO and Author

Zafar I. Anjum is Group Chief Executive Officer of CRI® Group, a global supplier of investigative, forensic accounting, business due diligence and employee background screening services for some of the world’s leading business organisations. Headquartered in London (with a significant presence throughout the region) and licensed by the Dubai International Financial Centre-DIFC, the Qatar Financial Center-QFC, and the Abu Dhabi Global Market-ADGM, CRI® Group safeguards businesses by establishing the legal compliance, financial viability, and integrity levels of outside partners, suppliers and customers seeking to affiliate with your business. CRI® Group maintains offices in UAE, Pakistan, Qatar, Singapore, Malaysia, Brazil, China, USA, and the United Kingdom.

Contact us to learn more about the third-party risk management strategy program and discover an effective and proactive approach to mitigating the risks associated with corruption, bribery, financial crimes and other dangerous risks posed by third-party partnerships.


Zafar Anjum, MSc, MS, CFE, CII, MICA, Int. Dip. (Fin. Crime) | CRI® Group Chief Executive Officer

t: +44 207 8681415 | m: +44 7588 454959