I understand that “imperfect” might induce some quease. And, yes, third party due diligence should be as close to perfect as available tools and budgets permit. But risk assessments aren’t perfect and don’t need to be to be defensible. Compliance professionals rarely agree on all criteria for a risk-ranking, much less the relative weight assigned to each.

Sir Robert Alexander Watson-Watt saved thousands of lives in Britain during Second World War. He developed Chain Home, a low-frequency radar system that could detect aircraft from almost a hundred miles away. To do that, he encouraged his team to foster a “cult of the imperfect”. He knew that time was running out for Britain. The country didn't need the best radar system they could develop over five years; the country needed a workable radar system immediately. Watson-Watt instructed his team to seize on the third-best option: “the second-best comes too late . . . the best never comes."

We work with companies as they prepare to rollout risk assessments. They’ve considered deal size, geography, extent of interaction with government officials, whether compensation will be contingent on success, pace of enforcement in their industry, etc. They beta test their criterion to determine whether the results reflect their intuitive sense of the risk of bribery that they’ve observed in their market over time.

And then, too often, the whole project stalls. The many cooks in the compliance kitchen determine that their process should be more like that of the multinationals they work with. Or more like the latest international standard. Or perhaps more like their peers in their industry or region. These are all valid considerations, but in the time it will take to conduct that additional research, they also might be able to collect ownership information from all third parties and screen it against international watch lists. Or they might be able to identify at least their clearly highest-risk partners and begin their review of those, identifying ties to the government or past misconduct.

Pulling the trigger on a due diligence risk assessment can be unsettling. The process is likely to churn up unforeseen issues. Third parties the compliance team didn’t even know their colleagues had retained may be uncovered. Deal size estimates may be hopelessly out-of-date But isn’t that the point?

How should a team new to this process begin? Make a serious effort at a common-sense assessment based on all reasonably available information and … begin. Spot check your analysis and commit to revisit your approach at intervals.

If a third party pays a bribe on your company’s behalf, you will be better served by an imperfect process that has been executed than an elaborate algorithm on paper.

As the eventually knighted Watson-Watt might have argued, perfect third party risk assessments never materialize. Second best may come too late. Just get started.

Alexandra Wrage

President and Founder, TRACE