How Higher Education Institutes Can Better Carry Out Third Party Supplier Due Diligence Checks

Author: Andrew Booth
Date: March 2021

This week I shared an article that had been published in mainstream UK press which referenced money laundering risk across UK universities.

Although the content of the article was eye-watering, personally, and professionally, the timing of the publication was perfect.

In general, regulated industries are light-years ahead of those in unregulated industries for all the obvious compliance reasons. My concern around third-party risk management in the traditionally unregulated industries is related to what is a universally understood theory in policing: crime displacement.

The theory says, in its most basic terms, that if an offender cannot find a suitable target in a preferred location, they’ll offend somewhere else.

This troubles me greatly. If the regulated markets are so water-tight in their due diligence, why would an individual or organisation with a less-than-satisfactory integrity record try their luck there?

The Higher Education Statistics Agency (HESA) have published data relating to 2018/19 higher education expenditure totalling more than £14.2bn and income exceeding £44.8bn. That is a significant contribution to local and national economies. Furthermore, amongst the billions of pounds worth of transactions annually, the universities are surely carrying a significant third-party risk?

Deloitte (2021) draw a causal link between the efficacy of third-party risk management programmes and business success, yet Gartner (2019) found that eight in ten businesses discover issues with their suppliers following the due diligence and onboarding process.

Surely then, this is research-worthy and a problem worth solving:

  • Do we comprehensively understand the people that are supplying us goods and services?
  • Are their businesses buoyant and credit-worthy?
  • Is it the case that this prospective supplier has declared their successful business, but neglected to declare the other five that are in financial difficulty?
  • Where did the cash come from for the philanthropic donation?
  • Who are the people who own the hostel where the students are staying on that field trip?
  • Do any of our staff have connections to that business we’re about to place a substantial order with?
  • Do we really understand where our conflicts of interest lie?
  • And finally, who has the time to understand all this?

It is on that basis that last year I submitted a research proposal to the University of Portsmouth to join their DBA programme and to research the existence and maturity of third-party risk management programmes in the higher education sector. Frankly, as eye-watering as the press article was, it was perfect timing and vindicated the decision to research this subject.

Professionally, Synalogik have already developed a third-party risk management tool. Our software, Scout®, searches for data relating to companies, people, postal and email addresses, telephone numbers and vehicles.

The data is rapidly aggregated from a variety of disparate data sets (consented, financial or open source) into one consolidated report. Scout® intuitively allows the user to re-search any new information that has been identified in the first search, saving precious time.

Whilst this resolves the first problem relating to knowing-your-customer or knowing-your-third-party, we’ve gone one step further to solve the issue that Gartner highlighted. What’s the point of running snapshot-in-time due diligence if the following week the Director of the business goes to court for fraud and we don’t know about it for the lifetime of the contract?

To combat that problem, in addition to all the snapshot-in-time searches, Synalogik have created functionality to run these queries in bulk, overlay risk assessments and, crucially, to monitor commercial entities for the lifetime of the contract.

When thinking about the maturity of third-party risk management, the commercial monitoring function tells you proactively when something changes. Three Directors of your supplier left the business? Scout® will tell you. Supplier submitted filings late? Scout® will tell you.

Supplier suddenly changes address? Scout® will tell you. The operational challenge Gartner identified then evaporates; we are being proactive and managing our third-party risk, not reacting to that costly, reputation-sapping event we didn’t see coming.

So, are we doing enough to understand the operational challenges in the university sector? Perhaps. Do we have the tools, now, to support an increase in efficacy of third-party risk management across multiple sectors? Yes, we can do that, right now.


Deloitte. (2021, February 8). Third party governance and risk management, turning risk in to opportunity.

Gartner. (2019). More than eight in ten organisations discover third-party risks after due diligence period. Gartner.

HESA. (2021).

Andrew Booth
Andrew is a security and risk specialist with experience in intelligence, investigations and transformational IT projects in security critical environments.