Due diligence conducted at onboarding is a snapshot of a relationship at a single moment in time. The relationship does not stay still.
The design of most third-party due diligence programmes is weighted heavily toward onboarding. The risk assessment, the questionnaire, the database screening, the document collection, the review and approval — all of this happens before the relationship begins, when the compliance function has the greatest leverage and the clearest line of sight into what it is authorising. This is right, and the investment in onboarding due diligence is well-placed.
But the compliance exposure that a third-party relationship carries does not crystallise at the moment of engagement and then remain fixed. It evolves. The third party's ownership structure changes — through acquisition, restructuring, or the quiet addition of a politically connected investor. Its operational focus shifts into new geographies or new activities that were not part of the original relationship. Key personnel who provided compliance assurances at onboarding are replaced. An investigation in a connected jurisdiction creates adverse media that a monitoring system would have surfaced immediately — but that the compliance function does not learn about for months.
The third-party relationship that was assessed as medium-risk at onboarding and cleared without conditions may, two years later, carry a very different risk profile. A programme that has not built ongoing monitoring into its architecture is managing the risk profile that existed at a point in the past — not the risk profile that exists now. And in the context of an enforcement inquiry, the question is always about now.
Event-based and periodic monitoring serve different purposes and both are necessary.
Event-based monitoring is triggered by developments that change the risk profile of a specific relationship. Ownership changes, including acquisitions of the third party by a new parent and the addition of new shareholders with government connections or political exposure, are among the most significant triggers. Legal or regulatory proceedings — investigations, charges, settlements, or debarments — affecting the third party or its key personnel require immediate review. Adverse media coverage that raises concerns about conduct or integrity warrants rapid assessment. Personnel changes at senior level, where the individuals who provided compliance assurances at onboarding have been replaced, trigger a review of whether those assurances remain valid.
Periodic monitoring operates on a defined cycle, independent of specific events, and ensures that all material relationships in the portfolio are reviewed on a schedule calibrated to their risk tier. High-risk relationships should be reviewed at least annually, with a full refresh of due diligence including updated database screening, reconfirmation of representations, and a reassessment of the risk tier. Medium-risk relationships should be reviewed on a two-year cycle at minimum. Low-risk relationships require periodic confirmation that the original risk assessment remains valid — which may be a lighter-touch process, but must be documented.
The combination of event-based and periodic monitoring creates a programme that is responsive to specific developments and systematic across the portfolio. Event-based monitoring without periodic monitoring creates gaps in the relationships that do not generate visible alerts. Periodic monitoring without event-based monitoring creates a programme that is slow to respond to developments that warrant immediate attention.
The practical test of an ongoing monitoring programme's adequacy is not whether it exists in the compliance manual. It is whether it would have identified, within a reasonable timeframe, a material change in the risk profile of a relationship in the current portfolio. Take the three highest-risk relationships in your third-party portfolio. For each one: when was the last monitoring review conducted, what did it cover, what did it find, and what was done in response? If any of those questions cannot be answered, the monitoring programme is not functioning for the relationships that matter most.
Monitoring at scale requires systems, not only processes.
For organisations with large third-party portfolios — measured in hundreds or thousands of relationships — ongoing monitoring cannot be a manual process. The volume of relationships, the geographic diversity of the portfolio, and the breadth of events that could constitute material changes in risk profile make systematic monitoring dependent on tools that provide continuous, automated coverage.
Automated adverse media monitoring — configured to track relevant third parties across multiple sources and languages and to alert the compliance function when coverage emerges that warrants review — is the minimum infrastructure for a portfolio of any meaningful size. Database screening tools that alert on ownership changes, sanction additions, and enforcement actions provide the event-based triggers that make monitoring responsive rather than retrospective.
The human judgment layer remains essential. Automated tools generate signals. The compliance function assesses those signals, determines which warrant action, and manages the review and response process. The risk is that the signal volume generated by automated monitoring creates a noise problem — too many alerts to manage, leading to alert fatigue and the functional equivalent of no monitoring at all. Calibrating the monitoring infrastructure to generate actionable signals rather than undifferentiated volume is a design challenge that many organisations have not resolved.
The most important element of the monitoring infrastructure is not the technology. It is the governance: a defined process for managing monitoring findings, clear ownership of the review and response function, and a documented record of what was found, what was done, and why. That documentation is the evidence that the programme is functioning — and it is the evidence that will be reviewed if the programme's adequacy is ever tested.
This article reflects the compliance advisory perspective of Compliance House and is intended for informational purposes. It does not constitute legal advice. Organisations seeking specific guidance should consult qualified legal counsel in the relevant jurisdiction.