Understanding Due Diligence Data and Insight
Security professionals looking into the due diligence market should understand the different categories that are available, and then make an assessment as to what fits best.
Since the United States Department of Justice and Securities and Exchange Commission required companies to conduct adequate due diligence on third parties in order to meet their compliance obligations under the Foreign Corrupt Practices Act and other similar legislation, there has been an explosion of due diligence providers entering the market.
These providers have come from all walks of life — from ex-police officers and military intelligence to magazine and newspaper publishers — who have vast amounts of data that they have repackaged as “due diligence.” It is very tough for a company to really understand what they are buying and how to sort out the best fit for their company.
In most large companies, the legal and compliance departments will ask the procurement department to help select a new provider for this due diligence. While involving procurement can be beneficial from certain perspectives, it does create some challenges as typically the department doesn’t really understand the depth of advice that they are purchasing or how to differentiate various providers.
Procurement teams are on a steep learning curve as a result of their relative inexperience. Due diligence is a crowded marketplace, with many people referring to themselves as “due diligence providers”; however, the term has several different meanings.
Without going into every competitor and assessing every product, the due diligence marketplace can be divided broadly into three main categories (excluding the categories that are really software companies). These categories are:
Data with some insight
Data with meaningful, specific advice
The data obtained in a common due diligence report from many providers is just that: data. For this to be beneficial, it has to be combined with something valuable: the insight and advice needed to make actionable decisions. The due diligence providers that just provide data without insight or analysis are providing access to a large dataset through an annual subscription, or perhaps through a simple computer-generated due diligence report. The insight and analysis are still required to glean any meaning from the data.
In the oil industry, this would be similar to buying crude oil by the barrel load. To make the purchase effective, the oil will need to be refined and then used in a company’s product. Caution and effort are required to refine the information from the data in these due diligence reports, requiring an in-house team with experience on corporate risk tolerance, legal issues and multiple compliance areas, as well as the risks, trends and enforcement regimes of more than 150 countries and 40-odd languages.
Data purchasing through web subscriptions are an easy option, but it comes with a large burden to make it useful. For example, many data providers simply provide lists of sanctioned companies.
Data with Some Insight
Due diligence data is often consolidated from public websites and lacks any real value until one develops insight after reviewing the data and applying it to a business decision. This next level of service is often still a bit of a commodity and, to use the oil industry example, is probably akin to refined crude oil: it has been refined in some way but is still broadly a commodity.
An example of the type of insight that could be gained is discovering from the data that a subject company has significant litigation in a country. Some may be concerned and think that this is cause for concern; however, when the data is put in context (business size in that market versus other markets, litigation type, size of claims, company size , country itself, etc.), the litigation could end up not being a red flag but, in fact, a positive.
Data needs insight to be useful. Typically, this is provided by a specialist experienced in compliance and risk. The providers tend to write due diligence reports that contain a large amount of data but with minimal insight.
Data with Meaningful and Specific Advice
Even refined data with some insight must be placed in the context of the company and the industry, their risk tolerance, and how they are engaging the third party and for what purpose.
A memorable quote attributed to Howard Schultz, the founder and CEO of Starbucks, demonstrated a key insight for his business. He said, “We are not in the coffee business serving people, but in the people business serving coffee.” That concept changed everything that Starbucks did. It helped the company and its employees understand that it was not about the coffee, but about the experience that it offered to people. The same applies to the due diligence business when giving meaningful advice.
The hardest part about this category is that it not only requires experience in compliance risk, but also demands knowledge of the specific company and use of the third party. While this is generally referred to as experience, it is probably better described as judgement — a rare ability.
Companies looking into the due diligence market should understand the different categories that are available, and then make an assessment as to what they specifically seek. There are valid needs for all three categories, and many companies need to buy products and services from all three, depending on the situation and task at hand. However, all three have very different price points and, as you move from data to meaningful advice, you are moving from commoditized data to professional services.