A due diligence programme that is not integrated into how the business operates will not function.
Third-party due diligence programmes fail in predictable ways. The most common is the design-implementation gap: a procedure that has been developed thoughtfully, approved at the appropriate level, documented in the compliance manual, and then not integrated into the commercial or procurement workflows that govern how third-party relationships are actually initiated and managed. The procedure exists. The business operates as if it does not.
A close second is the coverage gap: a programme that has been designed around the categories of third party that the compliance function identified as high priority at the time of its creation, but that does not reach the relationships that commercial teams introduce informally, the consultants that are engaged through processes the compliance function does not routinely touch, or the subcontractors that a primary supplier appoints without the company's explicit knowledge.
Both failure modes share a common root: the programme was built as a compliance function activity rather than as a business process. The compliance function owns it, manages it, and monitors it — but the commercial, procurement, and operational teams whose decisions create the third-party relationships have not been integrated into it in a way that makes compliance the path of least resistance rather than an additional step to be worked around.
Architecture, not activity.
The first component of a functioning programme is a clear scope definition: which third parties the programme covers, determined by risk category rather than by relationship type alone. Agents, distributors, and intermediaries in high-risk markets are the obvious starting point. But the scope must also reach consultants engaged to support commercial activities, joint venture partners, subcontractors in sensitive supply chains, and any party through whom the company channels commercial activity in markets where corruption risk is elevated.
The second component is a risk-based intake process: a mechanism by which every new third-party relationship is assessed for its risk profile before due diligence is scoped and conducted. The intake process must be embedded in the workflow through which relationships are initiated — in the contract management system, in the procurement approval process, in the commercial team's onboarding checklist — so that no relationship can progress to engagement without passing through it.
The third component is a tiered due diligence methodology: a defined set of due diligence steps calibrated to the risk tier assigned at intake. Low-risk relationships receive a proportionate process — database screening, basic corporate verification, a declaration of compliance with applicable law. High-risk relationships receive a substantially more rigorous process — detailed questionnaires, financial verification, ownership and beneficial interest mapping, reference checks, and where the risk warrants it, an enhanced review conducted by a specialised provider.
The fourth component is a decision and documentation process: a defined path from due diligence output to engagement decision, with documented review of findings, a clear record of who approved the relationship and on what basis, and documented conditions where risk-mitigation measures were required as a condition of engagement.
The fifth component is an ongoing monitoring framework — which is substantial enough to warrant its own article, and which more programmes lack than have. The point here is simply that a programme without ongoing monitoring is a programme that treats due diligence as an onboarding event rather than a continuous relationship obligation.
The diagnostic question for any existing third-party due diligence programme is this: take ten relationships from your current third-party portfolio — not the ones you know well, but ten chosen at random from the full population. For each one, can you produce: the risk assessment that determined the due diligence level, the due diligence that was conducted, the findings that were reviewed, the decision that was made and by whom, and the last time the relationship was reviewed? If any link in that chain is missing for any of those ten relationships, the programme has a coverage or documentation gap that needs to be addressed.
Compliance cannot be the only function that cares about this.
The compliance function designs and owns the third-party due diligence framework. But the people who initiate third-party relationships — commercial directors, procurement managers, business development teams — are the people who make it function or fail in practice. Integrating the programme means doing something more than issuing a policy and conducting training. It means understanding the pressure points in the business's relationship-initiation process and designing the compliance process to work within them rather than against them.
It means making the risk assessment fast enough that it does not create commercial bottlenecks. It means building the intake into the systems the business already uses. It means giving commercial teams a clear picture of what they are responsible for, what the compliance function will handle, and what the timeline and expectations are — so that due diligence is understood as a shared process rather than a compliance tax on relationship formation.
It also means being honest with the business about why the programme exists — not as a compliance exercise, but as a genuine protection of the organisation's commercial interests. A third party that creates an enforcement exposure does not only create a compliance problem. It creates a reputational problem, a commercial problem, a leadership problem. The business that understands this does not treat due diligence as an obstacle. It treats it as risk management — which is precisely what it is.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. Organisations seeking specific guidance should consult qualified legal counsel in the relevant jurisdiction.