Conducting the right level of vendor due diligence is a hot topic in vendor risk management. Here are seven tips for doing it effectively.
1. Set the right tone at the top
Senior management (as well as the board) must buy into the fact that managing vendor risk is an enterprise-wide initiative and not something that ‘comes from compliance’. This positions vendor due diligence as a required business practice, versus a nice to have, and allows for repercussions to occur if it’s not handled properly.
2. Consider a steering committee
Most organizations don’t have a formal vendor management office, and many don’t even have a central procurement department. Given the myriad stakeholders that can be involved in due diligence – procurement, compliance, risk, IT, finance and, of course, the actual business owner – a vendor management steering committee can be a way to provide governance to the due diligence process. This group can ensure the right questions are asked, and only properly vetted vendors come on board.
3. Communicate the value of vendor due diligence to your front line
The actual buyers of goods and services in your organization are most important to triggering the due diligence process. Help them understand that good due diligence will ultimately benefit them, not you.
4. Align due diligence activities with risk profiles
Not every vendor carries the same amount of risk, so due diligence should align with the risk profile of the vendor. Use a set of gating questions to initially tier your vendors based on what they do and the risks they bring. Then align your vendor due diligence activities based on those risk profiles – more risk equals more due diligence.
5. Build due diligence into the procurement process
Incorporate due diligence questions into the RFP/RFQ process with prospective vendors. This allows you to begin identifying potential risks and plan your due diligence activities early in the process.
6. Automate questionnaires and document collection
Using vendor management software to automate the due diligence process ensures consistency, provides visibility into compliance and drives the process much deeper into your organization.
7. Reassess vendors on a periodic basis
Due diligence is an ongoing activity and doesn’t end at contracting. Best practices are to perform an appropriate level of due diligence throughout the lifecycle of the vendor relationship to ensure things haven’t changed since your initial assessment.
A strong due diligence process is a must if you want to properly understand and mitigate vendor risk. Don’t skimp on the process, especially with your higher risk vendors. There are too many opportunities to regret it if you do.
This blog is part of a series on vendor management best practices and insights shared at the 2018 Third Party Risk Management Summit. More than 150 vendor management professionals from some of the most leading edge companies gathered to discuss this growing business discipline.