Dubai-based compliance veteran Cynthia Khumalo (LinkedIn) is heavily focused on third-party due diligence. It’s a difficult task for companies in normal times, but it’s all the more difficult these days.
In this podcast she recommends starting by having a good sense of the requirements that the third party is expected to fulfill and how it will enable the business. That means understanding what the company is missing in its own capabilities and what will be required of the supplier. Looking to see if the vendor has the technical capabilities and can operate within legal parameters is an essential first step.
It’s only the start of the process, though. She advises taking the time to understand the organization’s risk appetite, the parameters of the third party’s engagement, and what can be done internally to assess the provider.
When assessing the vendor, it’s important to look at the traditional elements such as ownership. But it’s also important to go beyond desktop research, when possible and prudent, and check the things only an in-person visit can reveal.
Due diligence doesn’t end when the contract is signed. On an ongoing basis there’s a need to know what may have changed that can prove problematic, which is why audit rights can be crucial. But a softer approach can also be helpful, demonstrating that compliance isn’t there to catch the vendor doing something wrong but instead to make sure that things continue in a way that doesn’t run afoul of legal and regulatory (as well as contractual) requirements.
Listen in to learn more about third-party risks and management.