Appendix C
RISK-BASED DUE DILIGENCE
The actions of third parties such as sales agents, distributors, warranty stations, customs brokers, and suppliers of goods and services can also create reputational risk for the Company. Therefore, the Company has developed a robust process setting out the level of due diligence that must be completed before the Company can conduct business with (or through) a third party. This due diligence process requires varying levels of (i) information from the third party, (ii) inquiry by the Company, (iii) documentation of relationships and contractual agreements, and (iv) monitoring of the ongoing relationship. In general, the greater the potential risk, the greater the scrutiny to which the third party will be subjected before approval is given to enter into a business relationship with the Company.
Assessing Risk
At the heart of the due diligence process is an automated, risk-based scoring system (the Due Diligence System) that assesses and separately scores identified risk elements, such as the type of third party (agent, distributor, supplier, etc.), the perceived risk of the location where the third party resides and where it would be doing business with the Company, what the third party will be doing for the Company, how the third party will be paid, and whether it will employ sub-agents or other intermediaries that move the Company further from the end user. The score for each risk element is then weighted and aggregated into a total risk score. This risk score is expressed as a number from 0 to 100, with 0 representing the lowest risk and 100 representing the highest risk, and these scores are further classified into ranges of low, medium or high risk.
The Due Diligence System contains an automated workflow, and the data gathered during the diligence process is maintained in a single repository. Further, the system is designed so that all activities in the system are recorded electronically and leave a trail that can be audited as to identity, time and date.
Screening and Investigation
Third parties are screened against over 800 watch lists. These lists include the Department of Commerce's Denied Persons, Entity and Unverified Lists, the Department of the Treasury's OFAC Specially Designated Nationals List, the Department of the Treasury's OFAC Consolidated Sanctions List, the General Services Administration Excluded Parties List and the Department of State's Debarred List. In addition to conducting the various screenings, collecting information and doing reference checks, the Company performs its own investigative due diligence on each third party. This investigative due diligence falls into escalating levels based on the risk score assigned to the third party. In the highest-risk scenarios, the Company receives a full Reputational Risk Assessment Report on the third party and its principals from an outside investigative service with "boots on the ground", and requires the third party to meet with the Company's CCO to discuss the Company's compliance policies and procedures and how that third party is expected to conduct its business. In the event that a third party will outsource part of its responsibilities to others, the Company performs the same level of investigative due diligence on these additional parties as it does on the third party itself.
Continuous Monitoring and Updating Due Diligence
Once approved, each third party is entered into the Due Diligence System for continuous monitoring. Any Red Flags raised must be escalated to the proper approval authority for resolution. Also, in accordance with Company policies and procedures, the due diligence process must be renewed and each third party re-approved every two years, or sooner if a material change occurs before then.