Saturday, November 22, 2025

Third party due diligence on anti-corruption after a vendor surprise

It is 9:12 a.m. when Léa, compliance officer at a fast-growing French engineering SME, receives a worried call from procurement. A local newspaper has just revealed that one of the company’s critical subcontractors is under investigation for alleged bribery of a municipal official. The headlines spread through the office faster than the coffee aroma. Léa’s CEO wants answers today: How exposed are we? What must we do to protect the business and meet our obligations under Loi Sapin II and ISO 37001?

The scene is all too familiar. Unexpected press, lender demands, or a public tender can suddenly turn the spotlight on third party due diligence (TPDD). In this article we unpack how to run an anti-corruption TPDD at speed—without panic—using structured questionnaires, risk scoring, and proportionate remediation measures.

Why vendor surprises become compliance emergencies

  • Reputational contagion: companies often lose business opportunities after a third-party scandal.
  • Contractual breach: Most large-company frameworks flow down anti-corruption clauses that require immediate disclosure of red flags.
  • Regulatory exposure: Under Loi Sapin II, obliged companies must maintain effective third-party assessment. Spanish standards UNE 19601 (criminal compliance) and UNE 19603 (antitrust) set similar expectations.

When a surprise breaks, regulators often look first at the quality of the due diligence file. A documented, risk-based process is your best shield.

A rapid TPDD framework in four moves

  1. Collect information (questionnaire + open-source checks)
  2. Score the answers against predefined criteria
  3. Decide risk-responsive measures
  4. Monitor and refresh

1 Crafting an effective anti-corruption questionnaire

Your questionnaire should be concise enough for speedy turnaround, yet deep enough to surface red flags. Key blocks include:

  • Corporate identity and beneficial ownership
  • Business rationale and scope of work
  • Existence and recurrence of government interactions
  • Corruption policy and procedures (e.g. gifts & hospitality, donations and sponsorship, interactions with public officials, political contributions)
  • Regulatory records (past sanctions, investigations)
  • Compliance program maturity (tone at the top, training, reporting lines)

Best practice tips:

  • Use closed questions (yes/no + evidence) to enable scoring automation.
  • Translate into the vendor’s working language. ISO 37001 emphasises accessibility.
  • Insert a certification statement: The undersigned certifies the accuracy of the answers and authorises audits.

2 Building a transparent scoring model

Below is an example of a simplified matrix you can adapt in Excel, your GRC tool, or platforms such as Naltilia.

| Criterion | Weight (%) | Low risk (1) | Medium (2) | High (3) |
| --- | --- | --- | --- | --- |
| Ownership transparency | 20 | Listed company or full disclosure | Indirect ownership layers | Unknown or PEP involvement |
| Government touchpoints | 20 | None/minor | Regular administrative licensing | Frequent high-value contracts |
| Corruption record | 25 | Clean | Allegations dismissed | Ongoing investigation/conviction |
| Compliance program | 25 | ISO 37001 certified | Policies but no audits | No formal program |
| Country/sector index (TI CPI, OECD risk) | 10 | CPI > 70 | 40-70 | < 40 |

Total score = Σ(weight × level), with each weight taken as a fraction of 100 (20% = 0.20), so the score always falls between 1.0 (every criterion low) and 3.0 (every criterion high). Thresholds often fall around:

  • 1.0–1.5 → Low
  • 1.6–2.2 → Medium
  • 2.3–3.0 → High

Document the reasoning behind each weight and level once, then apply consistently. Auditors love consistency.

3 Mapping scores to remediation actions

| Risk level | Typical measures | Rationale |
| --- | --- | --- |
| Low | 1. Contractual anti-corruption clause; 2. Acceptance of your third-party code of conduct; 3. Three-year refresh | Sufficient leverage, minimal costs |
| Medium | 1. Above, plus enhanced due diligence: sanctions screening, adverse-media search, reference calls; 2. Evidence of training within six months; 3. Annual refresh | Moderate likelihood, manageable effort |
| High | 1. Independent on-site audit; 2. Remediation plan with milestones; 3. Right to terminate or suspend until issues resolved; 4. Six-month monitoring | Material exposure, regulator expectation of strong response |

Story twist: In Léa’s case the subcontractor scored 2.4 (high risk). Within 48 hours, an external auditor visited the vendor’s premises, confirmed poor policy enforcement, and issued a corrective-action schedule. The supplier signed new clauses allowing termination if milestones slip.
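The scoring matrix in section 2 and the remediation table in section 3 are easy to get subtly wrong in a spreadsheet (weights that no longer sum to 100, scores that land in the gap between 1.5 and 1.6, a tier that nobody maps back to actions). The following is an added example, not code from the article or from any platform it mentions: it implements the five criteria, weights and thresholds exactly as printed above and attaches the typical measures for the resulting tier. The vendor answers in SAMPLE_VENDOR are constructed for illustration and do not describe any real supplier; the decision to treat scores in the printed gaps (for example 1.55) as belonging to the higher tier is an assumption made here.

```python
"""Weighted third-party anti-corruption risk scoring (added example).

Implements the article's five-criterion matrix and its tier-to-measures
mapping. Vendor answers below are constructed and describe no real supplier.
"""
from dataclasses import dataclass

# Criterion weights in percent, as in the article's matrix (must sum to 100).
WEIGHTS = {
    "ownership_transparency": 20,
    "government_touchpoints": 20,
    "corruption_record": 25,
    "compliance_program": 25,
    "country_sector_index": 10,
}

# Typical measures per tier, taken from the article's remediation table.
MEASURES = {
    "Low": [
        "Contractual anti-corruption clause",
        "Acceptance of third-party code of conduct",
        "Three-year refresh",
    ],
    "Medium": [
        "Low-tier measures plus enhanced due diligence "
        "(sanctions screening, adverse-media search, reference calls)",
        "Evidence of training within six months",
        "Annual refresh",
    ],
    "High": [
        "Independent on-site audit",
        "Remediation plan with milestones",
        "Right to terminate or suspend until issues resolved",
        "Six-month monitoring",
    ],
}


@dataclass
class Assessment:
    score: float        # 1.0 (all criteria low) .. 3.0 (all criteria high)
    tier: str           # "Low", "Medium" or "High"
    measures: list      # typical measures for that tier


def validate_weights(weights=WEIGHTS):
    """Refuse a matrix whose weights do not sum to 100; the thresholds assume they do."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"weights must sum to 100, got {total}")


def tier_for(hundredths: int) -> str:
    """Map a score expressed in hundredths to a tier.

    Article thresholds: 1.0-1.5 Low, 1.6-2.2 Medium, 2.3-3.0 High.
    Integer hundredths avoid float rounding at the boundaries. A score in
    one of the printed gaps (e.g. 1.55) goes to the higher tier; that is
    an assumption of this example, not a rule stated in the article.
    """
    if hundredths <= 150:
        return "Low"
    if hundredths <= 220:
        return "Medium"
    return "High"


def assess(levels: dict, weights=WEIGHTS) -> Assessment:
    """Score one vendor's answers (criterion -> level 1..3) and attach measures."""
    validate_weights(weights)
    missing = set(weights) - set(levels)
    if missing:
        raise ValueError(f"unanswered criteria: {sorted(missing)}")
    for name, level in levels.items():
        if name not in weights:
            raise ValueError(f"unknown criterion: {name}")
        if level not in (1, 2, 3):
            raise ValueError(f"{name}: level must be 1, 2 or 3, got {level!r}")
    # Weights in percent times levels gives the score in hundredths,
    # i.e. 100 * sum(weight_fraction * level).
    hundredths = sum(weights[name] * levels[name] for name in weights)
    tier = tier_for(hundredths)
    return Assessment(score=hundredths / 100, tier=tier, measures=MEASURES[tier])


# Constructed answers: opaque ownership, open investigation, untested policies.
SAMPLE_VENDOR = {
    "ownership_transparency": 3,   # unknown or PEP involvement
    "government_touchpoints": 2,   # regular administrative licensing
    "corruption_record": 3,        # ongoing investigation
    "compliance_program": 2,       # policies but no audits
    "country_sector_index": 2,     # CPI 40-70
}

if __name__ == "__main__":
    result = assess(SAMPLE_VENDOR)
    print(f"score {result.score:.2f} -> {result.tier}")
    for step in result.measures:
        print(" -", step)
```

On the constructed answers this yields 2.45, High, with the four High-tier measures attached. One property worth knowing before you adopt the matrix as printed: because the model is purely additive, a vendor whose only red flag is an ongoing investigation (level 3 on the 25%-weight criterion, level 1 everywhere else) scores exactly 1.5 and lands in Low. If that is not the outcome your program wants, write an explicit override rule down next to the weights so auditors see it, rather than adjusting scores by hand.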

4 Closing the loop with continuous monitoring

Post-approval, maintain a watchlist. Triggers for an early review include:

  • Change in beneficial ownership
  • New public tender involving the vendor and a government entity
  • Negative media or NGO reports
  • Deterioration on Transparency International’s CPI

Aligning with leading standards

  • Loi Sapin II (France): Article 17 requires a risk map (cartographie des risques) and procedures to assess third parties in proportion to their risk.
  • ISO 37001: Section 8.2 details due diligence depth linked to partner risk profile.
  • UNE 19601 & 19603 (Spain): Emphasise documentation that proves due diligence (diligencia debida) for criminal and antitrust compliance.
  • US DOJ Evaluation of Corporate Compliance Programs (2020 update): “Risk-tiering of third parties” and “evidence of a periodic review” are key factors during investigations.

Mapping your questionnaire and scoring table to these clauses makes external discussions far easier.

Leveraging technology without losing judgement

AI cannot sign off on risk, but it can:

  • Pre-populate questionnaires with corporate registry data
  • Flag inconsistent answers (e.g., 0 employees yet €10 million turnover)
  • Suggest risk scores based on machine-learned patterns
  • Generate audit-ready reports in seconds

This frees compliance officers to focus on the why behind the numbers and to engage senior leadership when decisions matter.

Figure: a flow diagram with four blocks (questionnaire, AI scoring engine, risk decision, remediation actions), colour-coded green/yellow/red.

Lessons for the next surprise

  1. Anticipate: Build your questionnaire and scoring grid before the headlines hit.
  2. Calibrate: Test the model on a sample of current vendors to verify thresholds.
  3. Document: Keep the full audit trail—questions, evidence, score, decision, follow-up.
  4. Automate: Use platforms like Naltilia to schedule refresh dates and push reminders.
  5. Communicate: Share red-flag trends with procurement and leadership; TPDD is a team sport.

Léa’s company emerged unscathed, won the next tender, and her CEO now budgets for continuous monitoring rather than crisis firefighting. Preparation turned panic into process.

Frequently asked questions

Is a questionnaire alone enough to satisfy Loi Sapin II? No. The law expects a risk-based approach. For low-risk suppliers, a questionnaire may suffice, but higher-risk cases require verification, audits, and documented follow-up.

How often should we refresh third party due diligence? Good practice is every one to three years depending on risk tier, or sooner if a trigger event occurs.

Can we rely on the vendor’s ISO 37001 certificate? Certification is a positive indicator, but you must still check scope, validity, and practical implementation. Treat it as a risk reducer, not an exemption from due diligence.

What if a critical supplier refuses enhanced diligence? Escalate to management, assess substitution options, and document the rationale behind any continued engagement or termination.