Due Diligence: issues and challenges
After the Haiti earthquake in 2010, the international community engaged various non-governmental organisations (NGOs) to deal with the humanitarian crisis and deputise for central government in what was then considered a failed state.36329d801a8a The governance of NGOs, as well as the effectiveness of international response efforts to support civil society, came under scrutiny in the wake of numerous scandals and shortcomings.fb273b45c5ca How can we ensure that funds allocated to partners will be used for their stated purposes, and not diverted towards corrupt practices or personal enrichment?
To get an understanding of partners and in particular their ethical standards, Due Diligence is a necessary step towards forming a judgement about their integrity. Due Diligence is a method of identifying, flagging, preventing, and mitigating the real and potential negative impact of a partner relationship, as well as identifying possible ways of dealing with that impact.9ad639ffb772
The Due Diligence process consists of five essential steps:
1. Gathering information;
2. Reviewing the information obtained;
3. Identifying red flags or warning signs;
4. Implementing measures to minimise risk;
5. Following up on the measures taken.
In this paper, we will set out the process for carrying out Due Diligence to identify and reduce corruption risks. We will use examples drawn from the experiences of the French and Swedish development agencies (AFD and Sida), before highlighting the limitations of Due Diligence.
Using Due Diligence to assess a partner's integrity
Learning to differentiate between partners
For donors, assessing a potential partner's assurances and/or guarantees as to their integrity is one way to reduce corruption risk on large or important contracts. ‘Partner’ is a generic term that could refer to NGOs, voluntary organisations, central government, local and regional authorities or private-sector entities.
The different realities and functions of partners
NGOs in particular constitute a sub-field of their own, as they are made up of entities of all shapes and sizes who operate in a wide variety of areas, largely free from specific legal and regulatory requirements unlike, to take one example, the financial sector. Large NGOs, such as Oxfam or Médecins sans Frontières, have a presence on multiple continents. They enjoy a high level of visibility by way of websites, communication resources, press releases, thematic research and annual reports that give progress updates on their projects.
Although active and recognised worldwide, NGOs do not apply the same operating method to each field of operations. Events and developments within countries and their associated risks, social and societal challenges, an organisation's level of reach, the personality of its local directors and many other factors can all influence the specific approach taken by an NGO's country office, which donors should consider.
On the opposite end of the spectrum, small NGOs may only consist of a few volunteers and have limited resources for communication. Finding information about these organisations can prove difficult.
Objectivity requirements
As a result, donors face a paradox: the more difficult information is to obtain, the more crucial that information is, as a way of identifying members of the NGO, their management team, their field of operations, how they are funded, their articles of association, their track record (past projects) or possible connections to high-ranking politicians, to give a few examples.
It is also important to note that all NGOs must be subject to checks and scrutiny, regardless of their level of prestige. This means not forming an assessment of a partner based on reputation alone, which, while potentially reassuring and giving the impression of transparency, is unethical and lacking in integrity. Due Diligence must be carried out objectively, as much for NGOs with a presence in multiple countries as for NGOs with limited local operations.
A very specific approach for different partners
A single, standardised approach (eg providing a list of documents, standard questionnaires) may not be relevant to organisations unable to meet every condition and may fail to identify risks specific to the project context in question.
By adopting a more targeted approach, it is easier to appraise a partner's level of risk, particularly in relation to:
- industry sector (some sectors, such as heavy industry, mining, and other extractive industries, pose a greater corruption risk);8fffe18cc5ae
- the nature of third-party involvement (eg service provider or acting on behalf of an organisation);
- level of responsibility (eg whether partners outsource their activities);
- the local situation (eg corruption risk is higher in a particular country);
- concentration of power (eg influential intermediaries with significant authority).
Due Diligence is central to anti-corruption laws and regulations
FCPA – a breakthrough in anti-corruption law
Under the 1977 Foreign Corrupt Practices Act (FCPA), bribing foreign public officials became a prosecutable offence for the first time. Companies could be held liable under the FCPA for acts of corruption carried out by or through a third party. This created an incentive for organisations to scrutinise the details of transactions and third parties connected to them, to identify risks and prevent third parties from engaging in corrupt actions on their behalf.
International conventions in the fight against corruption
International conventions, such as the 1997 OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, also known as the OECD Anti-bribery Convention and the 2003 UN Convention Against Corruption, also known as the Merida Convention, have been ratified by many countries. While these conventions do not confer sanctioning powers, they impose a series of obligations on signatories to implement anti-corruption measures.
Both the OECD and UN stress the importance of factoring in scale and available internal resources when conducting Due Diligence. In its Due Diligence Guidance, the OECD recommends developing formal Due Diligence rules that should be incorporated into internal regulations on detecting and mitigating social, environmental, terrorism or money laundering risks.
In their dealings with NGOs, bilateral development agencies such as the AFD and Sida must adhere to the laws applicable in their own countries and those in which they operate, which are often based on the UN Anti-corruption Convention or OECD convention.
Case study in domestic anti-corruption legislation: the AFD and the Sapin 2 Act
In France, the Sapin 2 Act of 2016 on transparency and anti-corruption practices applies to public- and private-sector entities, subject to threshold conditions such as having a turnover above €100 million and 500 or more employees. Organisations are required to implement tangible anti-corruption policies and procedures, set out in eight pillars, one of which is Due Diligence.
The AFD is subject to the Sapin 2 Act and as such is required to implement an anti-corruption mechanism that includes a third-party integrity assessment (or Due Diligence) component before contracts can be agreed.
The French Anti-corruption Agency is responsible for scrutinising capital, human and organisational resources under the Sapin 2 Act. For example, where an investigation is launched in connection with embezzlement involving an AFD project or programme, it falls on the AFD to provide documented evidence that it did everything it could to find out about the potential partner, identify the risks and take the necessary measures. However, Due Diligence is not a guarantee of outcome; instances of corruption may still occur even if all checks are carried out.
Assessing a partner's integrity
Finding out about a potential partner's shortcomings in relation to integrity gives donors a good idea of their risk exposure.
Risks faced by a donor
Take, for example, an NGO that engages in corruption in its business dealings. This may take the form of facilitation payments to acquire customs documents, bribes to obtain permits to do business, or clientelism with local authorities. Donors must anticipate and prepare for these situations, as each presents its own type of risk, including:
- reputational risk;
- legal (including criminal) risk;
- informational risk, where important information is retained or withheld;
- operational risk in the achievement of objectives;
- budgetary risk when faced with increasing costs; but especially
- risks to people, the environment, and society.
Sanctions that a donor may face
We should bear in mind that funds from donors is public money: poor management (eg overbilling, misappropriation of funds, etc.) could reduce the donor's available budget.
Where a donor subject to anti-corruption laws (eg AFD) has allocated funding to an NGO found to have engaged in corruption, but cannot demonstrate that it did appropriate Due Diligence to establish that the NGO had the necessary integrity and reliability, the donor, and in some cases its directorate or management team, could be held liable.
Determining the scope of integrity assessments
As discussed above, domestic and international law imposes requirements in terms of human and organisational resources to ‘get to know’ partners.
Donors are responsible for establishing the focus of their research and have discretion over how information about a partner, its business activities and board of directors should be collected. On that basis, they can judge whether the organisation and its stakeholders meet the required ethical and anti-corruption standards. The most important element is demonstrating that structured, consistent research has been undertaken and that the donor made every effort in this respect.
These actions must be documented to ensure that the donor can justify its decisions over where to allocate resources. In other words, all research undertaken and all documents acquired must be kept in secure folders and shared only with authorised individuals (in line with privacy and confidentiality rules) to substantiate research carried out on a partner and the identified risks. Documentation that is kept should serve as proof of good faith and Due Diligence undertaken on a potential partner.
The most effective way of justifying the allocation of resources is by mapping corruption risks. Using this process, donors can rank the corruption risks they face in order of importance. Consistent with this approach is to divert time and resources to those areas or projects that require them, as identified by corruption risk mapping.
Two different approaches to Due Diligence: the experience of the AFD and Sida
There is no one-size-fits-all approach to Due Diligence. Donors can adopt the most suitable methodological framework in view of resource constraints, operational challenges and the nature of projects. Below, we outline two different methodological approaches, applied by the AFD and Sida respectively.
AFD – a vertical approach
The AFD has adopted a vertical methodological framework, whereby all information gathered on a partner, through field work or other means (eg online, investigations, documents provided by the partner), is handled centrally by the agency's Compliance division at its head office in Paris, before any project gets underway. This makes it possible to generate red flags consisting of the identified risks, past instances of corruption and a reputational risk assessment. This formalised approach to information collection is based on the role of Due Diligence as a tried and tested component in efforts to combat terrorism and money laundering. As such, the inclusion of corruption as a project-related risk alongside terrorism, money laundering and social and environmental risks is in line with OECD recommendations.
The role of field-based staff is to relay information on a routine basis, before, during and after the project (eg by closely following reports in local media). These efforts feed into the work of Compliance at head office, whose focus is on reviewing and updating the information they receive. The AFD has made a list of information about NGOs that should be collected that includes the identity of directors of partners, board members and beneficiaries, with an emphasis on the presence of public officials, conflicts of interest, and any other third parties connected with the NGO (particularly regarding the potential return of unallocated funds). The NGO's area of operations and expertise are also examined, as well as country riskde9b7dbcc616 and standards of governance. Lastly, a series of financial documents are also required and may include balance sheets, transaction logs and payment arrangements (eg cash, bank transfers, instalments).
The assessment seeks to identify warning signs or red flags, which determine the level of risk. There are four warning levels: low to very high. Where a partner is classed as a very high risk, and where a contractual relationship has still been entered into, the assessment is repeated annually. Conversely, the time between assessments extends to four years for partners classed as low risk.
The AFD's approach requires significant organisational resources, in the field and especially at the agency's head office, to conduct a thorough review of information collected. It is a structured, top-down approach, giving little latitude to those in the field. For example, one risk with such a formalised approach is that some partners are excluded because they are unable to provide the requested information, either because the information itself is too detailed or cumbersome for them to provide, or because the task is too complex for the donor to formalise the information received. It is therefore important for donors to monitor the number of finalised Due Diligence actions and the related time frames. If few Due Diligence measures are finalised or the time frames are too long, the internal procedure may be too complicated or unsuitable for, or irrelevant to, partners (eg they do not understand what is being asked of them). Tracking these indicators also makes it possible to prepare for any subsequent investigation.
This process also requires open and regular communication between the field and head office, so that any negative developments involving NGOs can be reported at the earliest opportunity. If not all necessary information is available about an NGO, particular care must be taken when communicating with local contacts about decisions taken in Paris.
Where the AFD's local contact is also the point of contact with the NGO, the Compliance division at head office must provide all the information that they need to explain positions taken centrally by the AFD to an NGO. To summarise, the AFD's approach demands significant human, financial and organisational resources to process information, identify risks and update or repeat Due Diligence actions where necessary.
Sida – a decentralised approach
Sida, the Swedish development agency, has formulated its Due Diligence process differently. It can be best described as decentralised because it gives project management staff greater responsibility for collecting information. Due Diligence forms part of a more general risk management procedure that does not focus specifically on corruption risks and which can be broken down into four stages:
1. Assessing the project and the partner;
2. Approval;
3. Delivery;
4. Project close (review).
Due Diligence is carried out at the assessment stage, which involves finding out more about different aspects of the project and the partner, including with respect to corruption. Project managers play a particularly important role within this framework. They are very familiar with the field and the NGOs operating within it. As a result, they are responsible for collecting all information and documents from the partner and carrying out field research. Sida does not require any specific formalities to be observed when collecting information, or with the type of information to be obtained, instead favouring qualitative analysis. Where Sida is looking at engaging a new partner for a project, the review process will be longer. Where this is the case, Sida makes allowance for the fact that the assessment phase for both project and partner will take more time.
The aim of this decentralised approach is to be flexible and responsive. Project managers have significant room for manoeuvre in project preparation, including Due Diligence. It is their role to establish what information they need from a potential partner.
Project managers also have the authority to decide whether they want to engage local consultants to collect information. This assumes that the local consultants themselves are reliable and understand exactly what is expected of them.
The level of autonomy that project managers have also reflects the degree of trust placed in them. However, a project manager with malicious intent could enter into an agreement with corrupt local NGOs to divide up a share of funds allocated by the Swedish development agency for a given project. In anticipating this risk, Sida has set up a national audit committee.
Sida therefore mainly works with its local project managers who have an excellent understanding of corruption risks, reflecting the fact that they have received the appropriate training, without which the Due Diligence process would not be considered sufficiently robust. Another important feature is the use of local consultants to collect information. Due Diligence must also be carried out when engaging local consultants. Gathering reliable information is also therefore key when selecting a local consultant.1d1762fc86fa
This high degree of autonomy also reflects a lack of uniform procedures. In other words, the quality of Due Diligence may vary from project to project, depending on who is responsible. Rigorous in-house training is essential to ensure that a minimum quality standard is reached for Due Diligence and that disparities are avoided.
The role of tools in Due Diligence
Human expertise is critical when collecting information. However, some tools are available to assist project staff. The AFD uses reputation screening tools such as World-Check One and Lexis Nexis. These tools draw on a range of information sources (eg news articles, sanctions lists, etc.) to quickly flag whether an individual is wanted by police or judicial authorities, has a criminal record, or is on an international sanctions list. This gives the AFD an assurance that an NGO's directors do not have convictions for breaches of probity, for example.
These tools are used to aid the Due Diligence process but are not a substitute for professional intelligence and experience of scrutinising findings from research undertaken. Furthermore, the tools may have their own limitations, such as dealing with homonymies, transcribing different alphabets (eg Latin, Cyrillic, Arabic, etc.), the possibility of, for example, changing a name between its Cyrillic and Latin form. Lastly, it should be noted that these tools come at a cost, in the form of annual licence purchases in many cases.
Reducing corruption risks through Due Diligence
Mitigating identified corruption risks
Due Diligence includes not only collecting data, but also processing the data obtained and identifying ways of managing corruption risks.
Identifying red flags
In general, the main warning sign to consider in Due Diligence operations are negative events. These are all items of information about an NGO that point to its involvement in malpractice and/or its management by individuals whose integrity has been called into question, rendering the organisation unreliable. Therefore, court rulings or reports by reputable media sources that reveal that an NGO was involved in corruption or ethics scandals, that its directors are on an international sanctions list, or that they used NGO resources to make illegal financial gains, all constitute red flags. Red flags can emerge before a project begins, but also during a project (eg high turnover, whistle-blower reports, initiation of an investigation, etc.). As a result, donors must have suitable processes in place to maintain continuous oversight and update its Due Diligence activity if necessary.
For example, a donor who intends to allocate funding to Mercy Corps would quickly unearth articles and reports in reference to the various fraud and corruption scandalsd18afb0e1760 that the NGO has faced in the Democratic Republic of Congo. The donor would log this risk on a dedicated system containing the name of individuals implicated in the scandals, their level of responsibility, the offences committed and how the NGO handled the instance of corruption. If Due Diligence were to be carried out on Mercy Corps in connection with a project in the Democratic Republic of Congo or elsewhere, the process would have to take account of these events, as they represent a major red flag. If the donor wanted to enter into a contract with Mercy Corps, they would have to document the measures taken within the organisation to ensure that the risks were regulated and monitored.
Donors must also take an interest in corruption cases involving businesses, voluntary organisations and public sector bodies in the sector and country in question, to gain insight into the operational context of a potential partner. It is vital, however, that the veracity of media sources is checked and that reports are verified. Drawing (solely) on unsubstantiated reports posted on a blog or on social media is not a valid practice.
Identifying risk processing measures for regulating corruption risks
All red flags must be investigated once identified. How red flags are dealt with depends on their seriousness, the size of the partner and the amount of funding at stake. Red flags are therefore handled differently depending on the organisation's policy (risk appetite), but also the specific project.
As discussed above, the AFD's policy is to segment risk into four categories, depending on the degree of exposure to risk involving its (potential) partners. For example, where an NGO has an anti-corruption management system (which might include, say, a Code of Conduct, training courses, communications, risk mapping, risk management procedures), this demonstrates a degree of maturity in how it manages funds overall, and therefore has an influence on that NGO's classification. However, to ensure that the system is indeed in effect and not merely window dressing, the donor may ask for evidence that the system is in operation (eg whether any of its members have faced penalties for not applying ethical practices).
How red flags are handled influences the selection of risk processing measures, which could be that the risk is processed (the most common examples are regular training and audits), residual risk tolerance, transfer of risk or no risk tolerance (ie no relationship with the NGO).
Due Diligence for navigating partner relationships
If a donor concludes that the identified risks could be managed by implementing risk processing measures, they must determine the most appropriate measures to be taken. Some measures are non-negotiable, in particular the inclusion of specific integrity and non-corruption clauses in the contract. Furthermore, these clauses may be strengthened by stipulating that audits may be conducted at any stage during project delivery. Donors can go further still. For example, the AFD makes extensive use of exit clauses, while Sida makes provision for the retrieval of funds paid out where irregularities are found to have taken place. These are best practices intended to hedge against the highest level of corruption risk.
Where risks are revealed following Due Diligence, the management of these risks does not stop before the contract begins. The development agency must also monitor progress closely, involving routine checks on how the partner is managing the project. Both Sida and the AFD consider Due Diligence and audits complementary, as both channels lead to information about what is happening. The AFD views Due Diligence as essential to understanding the level of risk that each partner presents, while audits are seen as a way of improving detection. Oversight mechanisms are therefore engaged throughout the project term (eg World-Check One) and local field operatives are also positioned to record any negative events and track any impact on reputation.
A thorough Due Diligence process will help to gauge a partner's degree of risk at all stages of a project. The OECD recommendations underline the need to update Due Diligence on a regular basis, in particular when new information comes to light, such as a change in the legal framework in the target country.786f57827b1d
The limitations of Due Diligence
The most effective systems for dealing with corruption include more than just mechanisms for assessing the integrity of third parties. Other controls must also be implemented. The instrumental role that audits play, as recognised by both the AFD and Sida, underlines the importance of actions above and beyond Due Diligence. As the AFD points out, ‘most acts of corruption are only discovered afterwards’. In many respects, Due Diligence appears flawed.
Tools that favour certain partners
One key limitation of Due Diligence as a concept is that it is more applicable to large organisations such as NGOs with greater visibility and resources – human and financial – ensuring they have the capacity to provide documents and reports requested by donors. This type of NGO has more in common with large companies. And while this does not in itself shield them from corruption risk, it does mean they can devote significant resources to preventing it. Smaller partners, such as local NGOs, are less familiar with formal information gathering processes aimed at identifying potential breaches of integrity. They may not have the necessary resources to respond to donor requests.
This may pose a problem for donors tasked with scrutinising an NGO that represents an unknown quantity in the absence of available information. NGOs may then start to view Due Diligence as an administrative burden, as a development agency will ask for a range of detailed documents that are required for the project to commence. The donor may amend or waive some requirements, depending on the partner in question. However, where the partner is unable to provide the requested information, a donor may view this as a risk, leading to demands for information that is even harder to obtain, creating a vicious cycle.
A tool viewed as intrusive
NGOs may also view information requests as an indication of suspicion towards them and an attempt at intrusion on the part of the donor and, by extension, the country administering state aid. Such misconceptions can be understood as an inherent difficulty with applying concepts and processes developed in other countries. Frameworks and benchmarks will necessarily vary in different parts of the world. As concepts, transparency or corruption can possess different properties and be perceived differently, depending on one's location. An NGO may see Due Diligence therefore as a sign of a lack of trust, within an uneven donor-recipient relationship. Some may even see Due Diligence as an attempt to impose a western perspective on the relationship.
For local NGOs, the terminology used in Due Diligence represents a form of ‘donor-speak’. The AFD refers to some face-to-face exchanges with counterparts who do not understand these measures and see them as a way to assert dominance. The AFD also points out that it plays an educational role, making clear that it does not create the laws or concepts it applies. This focus on legality has the merit of depersonalising the issue and broadening perspectives. It stresses that no NGO is singled out, but that the AFD is engaged in an anti-corruption programme that systematically applies to all partners in all countries. Moreover, the AFD may raise a red flag when confronted with sometimes hostile reactions, questioning why an NGO would be so reluctant to share information about its articles of association, area of activity and directors, and whether such reactions might suggest a risk.
It is interesting to note that the Swedish development agency tends to encounter this type of reaction less often. In Sida's experience, there is lasting trust with partners – including NGOs – who appreciate the need for transparency.
Meeting Due Diligence requirements remains a delicate matter for partners, particularly small NGOs, when a project is funded by multiple agencies. Each agency will be required to conduct its own assessment, meaning that NGOs with limited resources are required to complete the same exercise differently multiple times, because there is no uniform approach adopted by donors. There will also be duplication in audit and monitoring actions for each donor during the project. This places a demand on NGOs to have sufficient training and flexibility to respond to mandatory checks.
Continued uncertainty over tool performance
Due Diligence focuses on knowledge about a direct partner, but not partners of the partner. Where funds are "sub-contracted" to other partners operating on behalf of the partner, it can be difficult for donors to gauge this risk during the Due Diligence process if the information is not provided. The donor must monitor financial flows and ensure that funds paid out are used for their intended purpose. However, where work is sub-contracted, traceability becomes more difficult, particularly if subcontracting was not identified at the outset.
It should be noted that the credibility of Due Diligence as a process has taken a hit in the wake of multiple bribery and embezzlement scandals involving large western organisations, despite having anti-corruption management systems in place that had been audited by leading consultancies.3662b69f687a These cases illustrate the limitations of the Due Diligence process, which can sometimes struggle to detect certain corruption risks beyond the formal and institutional aspects presented by organisations.
Lastly, after undertaking desk research, no studies exist to date as far as we are aware that demonstrate a direct link between Due Diligence and reduced corruption risk. A 2019 survey by consultancy firm Gartner of 250 private-sector managers found that 83% of third-party risks were identified after Due Diligence was carried out, not during the process. In the AFD's experience, most corruption risks are discovered following audits, monitoring and assessment operations, and reports.
Due Diligence – a necessary but not sufficient condition for fighting corruption
Due Diligence makes it possible for donors to detect corruption risks. The process includes collecting a range of information about a potential partner, including directors, funding sources, organisational structure, presence, area of operations, conflicts of interest, criminal convictions, or other offences, among others. It also includes analysis of this data to guard against observed risks and prove that the donor has made every effort to mitigate the risks.
Obtaining this information is essential (or even mandatory) for donors, to establish how reliable a potential partner is and gain reasonable assurances that funds paid out in connection with a project will be used for their contractually agreed purpose, for the benefit of project recipients. Due Diligence also represents a way of identifying what follow-up measures need to be taken throughout the project cycle, such as including strengthened clauses making provision for spot checks or audits.
Methodological approaches to Due Diligence vary by organisation, which may be conditioned by available resources or organisational culture. The case of the AFD shows that it is possible to adopt a centralised approach that involves managing risk from head office, while working with local offices. The case of Sida shows that a decentralised and qualitative approach overseen by project managers is also possible. Each donor must seek to undertake Due Diligence operations in a way that aligns with their organisational culture.
However, a number of shortcomings can be levelled at Due Diligence. On its own, it is not sufficient to identify all risks. It must therefore form part of a broader anti-corruption framework. Furthermore, some partners, particularly NGOs in the global South, may view it as an intrusion and apparent lack of trust, or even a form of discrimination and a means of asserting dominance.
This then begs the question about whether Due Diligence is useful or even ethical, if it becomes a tool to favour organisations capable of meeting the pre-set criteria, unlike others who are unable to do so due to limited resources while subject to the constraints of their operating context, as is the case for some local NGOs.
Recommendations for donors
- Use all available resources to conduct thorough assessments on third parties that pose a higher risk.
- In all cases, conduct Due Diligence in advance of a project and allocate sufficient time to gather information.
- Collect information by drawing on the knowledge of people in the field.
- Maintain consistent oversight on Due Diligence processes, updating them where necessary.
- Record and archive all stages of the Due Diligence process.
- Track finalised Due Diligence indicators that can be used if an investigation is required.
- Deliver in-house training sessions on Due Diligence to ensure quality standards.
- RTL, 2018.
- France 24, 2018.
- OECD, 2018.
- Grant Thornton, 2020.
- The Transparency International perception of corruption index is the indicator most frequently used. However, other indicators, such as those developed by Maplecroft, are also available. The Corruption risk forecast is also worthy of note.
- The UNODC recommends using this type of specialist consultant.
- The New Humanitarian, 2020.
- Ibid.
- Examples include the Wirecard affair, a major financial scandal that caused the German company to go bankrupt within weeks, despite sign-off by EY on the company's accounts over years, or facilitation by KPMG and Deloitte of corruption in scandals in South Africa, in particular Guptagate.