Third-Party Risk — Vendor Due Diligence & Urgency Pressure
The Project Is Behind Schedule and a Senior Leader Is Pushing to Onboard a Vendor Without Completing Due Diligence. “We’ve Worked With Them for Years — We Don’t Have Time for the Full Process.” Is That Acceptable?
A real third-party risk compliance scenario — with three decision options and the right answer.
Quick Answer
Can a long-standing vendor relationship substitute for completing a required due diligence process — even when schedule pressure is real and a senior leader is pushing to move forward?
No. A prior relationship reduces the perceived need for due diligence — it does not reduce the actual need. Vendor circumstances change: ownership transfers, key personnel change, financial conditions deteriorate, sanctions exposure emerges, and subcontractor arrangements shift. A due diligence process that was completed two years ago assessed a vendor that may be materially different today. The DOJ’s 2024 ECCP specifically calls for timely, continuous vendor evaluation — not a one-time onboarding screening. Urgency pressure is the most common rationalization for skipping due diligence, and the one regulators are most skeptical of.
The Situation
A procurement manager at a multinational manufacturing company is under pressure to onboard a logistics vendor for a critical supply chain project that is already six weeks behind schedule. The vendor in question was used extensively three years ago and performed well. The original due diligence file from that engagement is on record.
The VP overseeing the project calls the procurement manager directly and says: “We’ve worked with these people for years. I’ve spoken to their CEO personally. We don’t have time to run the full due diligence process — just use the old file and get them onboarded this week.” The project team supports moving quickly.
The procurement manager knows the due diligence policy requires a current assessment for any vendor engagement above a contract threshold — which this engagement exceeds. They also know that the vendor’s parent company was acquired 18 months ago by a private equity firm headquartered in a jurisdiction on the company’s elevated-risk list.
What Should the Procurement Manager Do?
Choice A: Use the existing due diligence file and proceed with onboarding as directed. The VP has personal knowledge of the vendor. The prior relationship is established. The schedule pressure is legitimate and delay has real business consequences.
Choice B: Notify the VP in writing that the policy requires a current due diligence assessment — specifically flagging the ownership change as a material development — and initiate an expedited review. Escalate to Compliance if the VP insists on bypassing the process.
Choice C: Update the due diligence file minimally — add a note that the existing relationship supports proceeding — and submit it as the current assessment. This satisfies the form requirement without creating the delay the full process would cause.
The Right Call
Choice B — Notify the VP in writing, flag the ownership change, and initiate expedited review.
Choice A proceeds on the VP’s authority and the prior relationship — neither of which addresses the material change in ownership or satisfies the policy requirement. Choice C is the most dangerous option: it creates a false record suggesting due diligence was completed when it wasn’t. That documentation creates liability for the procurement manager personally — a fabricated compliance record is significantly worse than an acknowledged policy deviation. Choice B is the only response that is honest, protective of the employee, and gives the organization the opportunity to make an informed decision about the risk — including whether an expedited process can be completed before onboarding proceeds.
Why This Is Harder Than It Looks
Urgency bias is the most common rationalization for third-party risk failures — and the one regulators are most skeptical of.
The DOJ and other enforcement agencies are familiar with the “we didn’t have time” explanation for skipped due diligence. It is treated not as a mitigating factor but as evidence that the compliance program was subordinated to commercial pressure — which is exactly what regulators assess when evaluating program effectiveness. A program that bypasses controls under schedule pressure is not an effective program. It is a program that works only when it is convenient.
A prior relationship is a reason to update due diligence — not a reason to skip it.
Vendor circumstances change continuously. Ownership changes, personnel changes, financial deterioration, sanctions exposure, and subcontracting arrangements can all emerge after an initial due diligence assessment. A relationship that was clean three years ago may carry different risk today. The vendor in this scenario has undergone a material change in ownership — exactly the kind of event that triggers a mandatory reassessment under most due diligence policies. The VP’s personal relationship with the CEO does not capture that change.
The procurement manager who bypasses the process owns the risk — regardless of the VP’s instruction.
A procurement professional who knowingly submits a vendor for onboarding without a required current assessment — even at a senior leader’s direction — has participated in the policy bypass. When the engagement is later audited, the instruction from above is context the investigator will consider. It is not a complete defense. Writing to the VP with a clear notation of the policy requirement and the ownership change creates a record that the procurement manager fulfilled their obligation — and gives the organization the opportunity to make an authorized exception or expedite the process.
Frequently Asked Questions
What does the 2024 DOJ ECCP say about vendor due diligence?
The 2024 Evaluation of Corporate Compliance Programs emphasizes that effective programs must include timely and continuous third-party due diligence — not one-time onboarding screening. Prosecutors specifically evaluate whether due diligence is risk-based, whether it is conducted before the third party begins work, and whether the program includes mechanisms for ongoing monitoring and reassessment when material changes occur. Schedule pressure is not recognized as a valid reason for bypassing required due diligence.
Can an expedited due diligence process satisfy the requirement when time is short?
Yes — with appropriate documentation. Most compliance programs have provisions for risk-based expedited review when commercial urgency is documented and the deviation is authorized at an appropriate level. The key requirements are: the expedited process must be genuinely conducted (not a notation that the old file is sufficient), the deviation from the standard process must be formally authorized and documented, and any identified risks must be captured and mitigated before the vendor begins work. The expedited process must be a real assessment — not an acknowledgment of urgency used to substitute for one.
Does a vendor’s ownership change require a new due diligence review?
Yes — a change in beneficial ownership is one of the most significant triggers for mandatory reassessment under most third-party risk frameworks. A new parent company can introduce sanctions exposure, change the data jurisdiction, alter the financial stability picture, and modify the contractual counterparty. For vendors involved in procurement in high-risk markets or handling sensitive data, ownership changes should trigger immediate reassessment regardless of the ongoing relationship with the operational team.
How to Use This Scenario in Training
Recommended for procurement, sourcing, vendor management, and operations teams. Also valuable for senior leaders who authorize vendor engagements — this scenario makes clear that a VP’s instruction to bypass due diligence creates risk for the organization and the employee who follows it. The key recognition skill is identifying urgency as a pressure signal — not a valid compliance justification.
This scenario demonstrates the rationalization of the urgency bias pattern from the Decision Readiness Engine™. Decision-ready employees recognize that “we don’t have time” is the most common rationalization for third-party risk failures — and that the right response is an expedited process with documentation, not a bypassed process with none.
© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.