Six Do’s and Don’ts for Due Diligence Questionnaires

“Wait, they want three months of the CEO’s personal bank statements?  Are they insane?”  This was a real request to one of my clients via a due diligence questionnaire.  When I called to inquire with the requesting company why they needed this, they said that they wanted to ensure that the CEO wasn’t receiving “unusual payments” that could be a bribe. 

Due diligence questionnaires are a critical tool for understanding third-parties.  But they can quickly get out of control, putting unreasonable burdens on the answering party, and at worst, invading the privacy of individuals in wholly unnecessary ways. 

How do you balance the legitimate need for information with the reality that no questionnaire can fully protect the company from the possibility that the third-party will misbehave?  Here are three do’s and don’ts when it comes to due diligence questionnaires.

1. Don’t Ask For Information That Won’t Stop The Third-Party From Being Approved

Most due diligence questionnaires are far too overreaching.  The rule should be this: if you wouldn’t deny a third-party if the answer is negative, don’t ask the question.

Some questionnaires ask if any employee has ever been convicted of a misdemeanor.  First of all, as many companies have thousands of employees, how could they possibly answer this in good faith?  Secondly, if a key manager had a shoplifting offense or marijuana conviction from twenty years ago, would this stop the third-party from being engaged by your company?  If the answer is yes, ask the question.  If the answer is no, don’t.

2. Do Ask All Questions You Require for Your Risk Ranking and Approval

You probably need to know information about the ultimate beneficial owner(s) of any higher-risk third-party working with your company.  You also probably need to know the names and titles of key managers, as well as if the company has ever been convicted of bribery or other compliance-related offense.  Ask all of the questions you need up front so you’re not going back to the third-party again and again.  Have an “if yes” methodology that allows the third-party to explain itself if it answers important questions in the affirmative.

Making Your U.S Policies or Code of Conduct Global? Avoid These Seven Mistakes

They’re already written, right?  And you’ve had a lawyer look them over in the States.  What could be easier?  Hold on right there.  It’s not always obvious that certain words, phrases or concepts may need to be changed or removed in order to meet with the expectations of your employees in the rest of the world.  Here are the top seven things to avoid in globalizing your Code, employee handbook or policies.

Reference to U.S. Law 

Referring to “local, state or federal law,” or “state laws” can immediately flag your policy as U.S.-centric.  Instead, include references to “all applicable laws,” or to other in-scope jurisdictions, such as European Union (EU) law.  If your company is only in a few jurisdictions, you can write out the name of each country.  If you want to keep references to U.S. federal law in your Code or policies, try “national, state, local, or U.S. federal law.”

Also – as Brexit approaches, please note that references relating to EU law may need to be changed to “UK and EU law,” as the Brexit process may separate UK law from EU law in the near future. 

Spark Compliance Consulting nominated as Compliance Consulting Team of the Year for the Second Year Running

Spark Compliance Consulting is delighted to announce that it has been shortlisted for the Compliance Consulting Team of the Year award for the second year in a row at the Women in Compliance Awards.  (see our press release HERE)

In addition, founder Kristy Grant-Hart has been honored with a nomination for the inaugural Mentor Award for the Advancement of Women in Compliance.   

Spark Compliance Consulting had a banner year in 2017.  The business grew 185% and Spark expanded from its offices in London and Los Angeles to a new office opened in Atlanta in the latter half of the year.    

The annual Women in Compliance Awards are “the ultimate celebration of the achievements female compliance professionals make every day in the world of compliance and business. The Awards embody the very best initiatives, individuals and teams, bringing into sharp focus the united efforts of this innovative and dynamic sector” according to organizer C-5.  The black-tie event, featuring a champagne reception, formal dinner and celebrity entertainment, will be held on March 22nd at the Sheraton Grand Hotel Park Lane, in London.

Spark Compliance's Ramsey Kazem, Diana Trevley, Kristy Grant-Hart and Jonathan Grant-Hart at the exhibition booth, Compliance and Ethics Institute, Las Vegas, 2017.

3 things you need to know about training staff for GDPR

This is a guest post by Patrick O'Kane, Author of "GDPR - Fix it Fast!  Apply GDPR to Your Company in 10 Simple Steps"

Staff training is a crucial part of protecting data privacy. One recent study found that human error is the leading cause of data breaches, featuring in 37% of data breaches. Providing staff training is an important part of avoiding GDPR fines.

Despite its importance, staff training is perhaps the most under-emphasised part of any GDPR project. Companies have been busy fixing their processes, working on their information security and updating their customer consents; however, there seems to be little attention paid to how staff training will need to be revamped in order to keep your company in line with the requirements of GDPR.

These are my 3 tips on staff training:

ISO 37001: Checking the Box on “Doing Compliance”

In October 2016, the International Organization for Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system.  The emergence of ISO 37001 was a welcome development, as it provides a universal framework for managing bribery risk that can be used by organizations of all sizes, industries, regions and risk profiles.  To date, Peru, Singapore and the Philippines have adopted ISO 37001 as their respective government’s standard, and other countries are expected to follow their lead.

A unique feature of ISO 37001 is that an organization can demonstrate compliance with the standard by obtaining a certification from an independent, accredited auditor.  The certification brings substantial value to an organization as it provides an objective means by which it can outwardly demonstrate its commitment to combating bribery.  Not only does this provide a competitive advantage over an organization’s non-certified competitors, but it also levels the playing field (from a bribery risk management perspective) for smaller organizations competing against large multinational corporations or foreign domestic firms. 

ISO 37001 is not without its critics.  The criticism, however, is generally not directed at the standard itself.  Instead, the critics take issue with the certification of the standard.  A common theme of their arguments is that the certification process is merely a check-the-box exercise where an auditor only confirms the existence of a “paper program”.  The critics argue that the process falls short because it makes no determination as to whether the program is actually put into action.  They also contend that the certification only reflects the status of the program at a given moment in time (i.e. the evaluation period) and, thus, lacks any predictive value as to how the organization will conduct itself in the future.   In short, they conclude the certification is worthless because it does not ensure that the certified organization is “doing anti-bribery compliance” or will “do anti-bribery compliance” in the future. 

There are three fundamental flaws with the critics’ argument...

How to fix your company policies for GDPR – Three things you need to know

For everyone struggling with implementation of the new European General Data Protection Regulation (GDPR), Patrick O’Kane has written a fabulous new book called GDPR – Fix it Fast: Apply GDPR to Your Company in Ten Simple Steps.  I wrote the Foreword for the book, and am so proud to be involved.  The following is a guest post by Patrick O’Kane.  The Kindle edition of the book can be found here on Amazon.  The hard-cover edition will be available Jan. 1.