TS-RDC-03
Trust & Stewardship
Risk, Data & Compliance
CORE
Compliance
v2.9.7
Due-diligence on delivery partners
This criterion assesses whether the organization conducts proportionate, risk-based due diligence on delivery partners, sub-grantees, and implementing agents. It covers verification of identity, legal status, governance, financial controls, competence, safeguarding, and data protection. It requires explicit go/no-go gating, operational AML/CTF controls, and a risk-tiered monitoring system to protect funds, beneficiaries, and reputation, in line with Islamic values.
Assessment Questions
- What is the organization's formal process for conducting due-diligence on potential delivery partners before establishing a relationship?
- How does the due-diligence process assess a partner's competence, financial stability, reputation, and alignment with the organization's Islamic values and ethical standards?
- Show examples where a partner was rejected or paused—what evidence and rationale were recorded and who approved?
- What trustee/SMT reporting exists (dashboard, exceptions register) and how often is partner risk reviewed at governance level?
- How are partners risk-tiered (e.g., geography, activity, value, beneficiary risk) and what triggers enhanced DD?
- What PEP/sanctions screening is performed at onboarding and continuously (tools, frequency, evidence)?
- How are GDPR roles determined (controller/processor/joint controller), and are Art. 28/Art. 26 clauses and international transfer mechanisms (IDTA/TRA) in place?
- What safeguarding/PSEAH capacity checks and complaint mechanisms are required of partners?
- How are conflicts of interest identified and managed in partner selection and oversight?
Evidence Requirements
- Partner due-diligence policy and procedure documents.
- Go/No-Go criteria & exceptions register with trustee oversight.
- Completed due-diligence reports and risk assessments for a sample of partners.
- AML/CTF red-flags checklist + MLRO escalation/SAR decision log (where applicable).
- Sanctions/PEP match-handling log and adverse media checks.
- Partner contracts containing clauses on ethical conduct, compliance, and right-to-audit.
- Records of ongoing partner performance reviews and compliance monitoring.
- Conflict of interest declarations and decision rationales.
- Safeguarding/PSEAH policies, training records, and reporting/whistleblowing mechanisms for partners.
- International Transfer Risk Assessments (TRAs) + IDTA/Addendum documents.
- Corrective action plan (CAPA) with SLAs and closure evidence.
- Site/virtual visit reports and beneficiary feedback samples.
Scoring Guidelines
| Level | Rating | Description |
|---|---|---|
| 5 | 5/5 | Best-in-class, risk-based due diligence fully integrated with strategic sourcing; predictive triggers (adverse media, anomalies) and closed-loop corrective actions; strong Islamic values alignment. |
| 4 | 4/5 | Consistent, data-driven DD with KPIs; includes tiered monitoring plan and rescreening schedule compliance; minor gaps. |
| 3 | 3/5 | Standardized DD covering core risks with defined go/no-go criteria and documented decision rationale; limited monitoring/analytics. |
| 2 | 2/5 | Basic/partial checks inconsistently applied; limited records. |
| 1 | 1/5 | Ad-hoc selection; no formal DD. |
Related Criteria
Version
2.9.7
2025-11-05
Discussion (1)
Administrator
2026-03-07 11:07:50.777058
📋 **Version updated: 1.0.0 → 2.9.7** **Changes:** Updated islamic_references from mizan-297.json