Navigating third-party due diligence: A balanced approach to risk management for life sciences

Recent success stories in third-party due diligence illustrate the transformative impact of technology on the process. In recent years, the introduction of various tools and solutions has significantly improved efficiency, enabling teams to navigate complexities more effectively.  

A notable shift towards focusing on building risk-based vendor management programs has enhanced the precision and effectiveness of due diligence efforts. This approach not only targets key issues like anti-bribery and corruption, but increasingly also includes broader considerations such as financial due diligence and reputational risk. 

However, third-party due diligence in life sciences organizations faces substantial challenges. Many organizations struggle to advance beyond foundational assessments due to limited resources and outdated technology, often relying on basic screening processes that can overlook critical risks. While AI advancements present opportunities for automating certain aspects of due diligence, they can also create a false sense of security regarding accuracy, emphasizing the need for ongoing human oversight. 

Moreover, organizations frequently focus primarily on anti-bribery and anti-corruption measures, neglecting broader concerns like reputational and environmental, social and governance (ESG) risks. The "one-size-fits-all" approach can mask specific risks associated with various third-party relationships. Therefore, it is essential to adopt a dynamic, risk-based framework that evaluates multiple risk domains to enhance overall risk management strategies. This combination of technological advancements and a comprehensive approach is crucial for effective third-party due diligence in today’s complex environment. 

Effective third-party risk management is essential for organizations aiming to navigate complexities and mitigate potential risks associated with vendor relationships. Understanding the maturity stages of third-party due diligence programs can help organizations identify where they stand and how to advance toward optimized risk management. Below are the typical maturity stages: 

• Ad Hoc: In this initial stage, due diligence is performed only when specific situations arise, such as concerns about a vendor or regulatory requirements. This approach is reactive, lacking a structured process, and often leads to inconsistent evaluations. Organizations may rely on informal methods, which can result in significant risks being overlooked. 
• Basic: Organizations start to establish a more repeatable process for due diligence, focusing on critical vendor relationships based on risk assessments. While still primarily manual, this stage introduces a risk-based screening approach, where due diligence becomes more frequent and systematic. However, the lack of technology integration may limit efficiency and scalability. 
• Defined: At this stage, organizations implement a structured and documented program for managing third-party relationships. This includes consistent processes for conducting due diligence, often supported by a combination of technology solutions and manual screening. Organizations begin to formalize their risk criteria and ensure that all relevant risk areas are addressed consistently and subject to regular review and refinement based on due diligence results and/or changes in strategy. 
• Managed: Beyond having a defined process, organizations proactively manage all third-party relationships, utilizing automation and enhanced screening solutions to cover multiple risk areas comprehensively. They strategically use enhanced due diligence focused on specific vendors and/or geographies to augment their standard process.  
• Optimized: The highest maturity stage, characterized by a fully integrated risk management platform. Organizations leverage advanced analytics for predictive insights, enabling them to anticipate emerging risks associated with specific vendors and geographical regions. 

When conducting due diligence, several critical factors come into play to ensure a successful and efficient inquiry. By focusing on these areas, investigators can streamline their efforts, reduce risks and improve the accuracy of their findings. The key points to guide your due diligence investigations are as follows: 

• Who is the subject?: Understanding who the subject of your due diligence inquiry is critical for effective information gathering. This involves ensuring that you have accurate identifiers, especially when dealing with individuals or companies in foreign jurisdictions. It's essential to know the subject's name in the local language, rather than relying on transliterations. Accurate identification allows for more targeted investigations, ensuring that resources are allocated efficiently and effectively to gather relevant information. 
• What is the question?: Equally important is formulating the right questions to guide your inquiry. Each situation may require different questions based on various factors, so it's vital to clarify your objectives before initiating information collection. Misguided or vague questions can lead to irrelevant data and wasted efforts. A clear understanding of the specific information sought is essential for a successful investigation. 
• Exhaust easy first: Before engaging in more complex or resource-intensive inquiries, it's best to exhaust readily available sources of information. Utilize online databases, social media and traditional media to gather initial insights. By leveraging these easier avenues first, you can avoid unnecessary expenditures and mitigate risks associated with human source engagement. 
• Beware of circular information, disinformation and misinformation: When gathering information, be cautious of the risks associated with circular reporting and the potential for disinformation and misinformation. Information can easily become distorted as it circulates, especially on social media, where repeated exposure can create a false sense of credibility. Understanding the origins and context of the information is crucial to avoid relying on untrustworthy sources. 

Technology plays a crucial role in modern due diligence, offering scalability and speed that manual processes simply cannot match. Advanced tools enable organizations to screen large volumes of data quickly, facilitating efficient risk modeling and workflow management.  

With the ability to integrate into existing enterprise systems, these technological solutions provide valuable trends and insights, helping organizations identify potential risks early. By automating routine tasks, technology allows teams to focus on more complex evaluations, thereby increasing overall efficiency and effectiveness. 

While technology enhances the speed and scale of due diligence, human insight remains indispensable. Professionals are essential for checking for mistakes in automated screenings and ensuring the accuracy of data interpretations. This is particularly important in high-risk jurisdictions, where local nuances and cultural contexts can significantly impact the reliability of information.  

Beyond that, human sourced due diligence can introduce greater awareness of local market conditions and practices. Potential local reputational concerns also enable more direct access to primary sources information, such as local government records, financial filings, court documents etc. By understanding the unique challenges posed by different environments, organizations can make more informed and nuanced risk assessments. 

Achieving a balanced approach to third-party due diligence requires leveraging both technology and human insight. By integrating these two components, organizations can develop robust, efficient and contextually aware risk management strategies that are well-equipped to navigate the complexities of today’s business landscape. 

Engaging human sources for global information collection requires clear rules of engagement to ensure ethical practices. These three core principles are essential: 

1. Do no harm: This means avoiding actions that could increase risk to clients or human sources. Proper management of due diligence is essential to prevent exacerbating situations. Protecting the safety of contacts is paramount, ensuring that information-gathering efforts remain secure and ethical. 
2. Avoid unnecessary risk: It is crucial to avoid unnecessary risks. We must never place human sources in jeopardy, requiring careful consideration of the context before engaging them. Experience underscores the importance of assessing environments to protect individuals and maintain the integrity of efforts. 
3. Know what’s knowable: Understanding what information can be obtained through other means is essential. Human sources should only be engaged when additional insights are necessary; relying on them for easily accessible information is inefficient and risky. By clarifying what is knowable, resources can be optimized, enhancing due diligence effectiveness. 

By adhering to these rules, organizations can conduct human source information gathering ethically and effectively. 

Engaging in due diligence requires an understanding of the complexities surrounding electronically available records and official documents. Many assume signed documents are trustworthy, but in some jurisdictions, records can be manipulated or fabricated. It is essential to recognize that some records, like criminal histories, may not be legally accessible in certain countries, leading to wasted resources when clients pay for unavailable information. 

Additionally, understanding ultimate beneficial ownership and the broader context of influence within organizations is crucial. This involves recognizing not only ownership, but also who influences decision-making, especially amidst the interconnections between government entities and healthcare institutions.  

To navigate this effectively, human sources are invaluable for gaining insights that formal records may not reveal. Engaging knowledgeable individuals and asking the right questions ensures a deeper understanding of influence and ownership, highlighting the importance of using human sources to obtain meaningful reputation insights. 

It’s essential to ensure that the people you're consulting truly understand the business, industry and individuals involved before asking for reputation information. Simply asking a person a question is not the same as utilizing human sources to gain reputation insights. By asking the right questions and engaging with knowledgeable individuals, organizations can better understand the true nature of influence and ownership in their due diligence efforts. 

A crucial instance of due diligence involved a site visit where photographs revealed alarming storage conditions for medical equipment. In this case, boxes bearing a client’s logo were found stacked in a dirt-floor warehouse, highlighting severe risks associated with a distributor’s practices.  

This situation underscores the critical need for thorough risk management, especially in high-stakes environments where improper storage can lead to dire consequences, such as serious health complications. Conducting these on-site assessments is essential to ensure that the safety of patients is prioritized over expedience in vendor selection. 

However, the increasing sophistication of artificial intelligence poses challenges for using photos as evidence in the future. As AI-generated images become more prevalent and convincing, the trustworthiness of visual evidence may diminish. This shift necessitates a more nuanced approach to due diligence, emphasizing the need for corroboration through human insights rather than relying solely on what appears to be true in photographs.  

As the adage goes, "seeing is not believing" anymore; understanding the context and ensuring that inquiries are directed to knowledgeable sources is essential to navigate this evolving landscape. Organizations must adapt their strategies to verify the authenticity of information and discern the true nature of their suppliers in an age where visual evidence can be easily manipulated.