I was in a meeting with a client a few weeks ago talking about third-party due diligence. We were discussing the types of due diligence they were considering on a few of their consulting vendors and a question came up that I hear pretty often: “Does a one size fits all approach make sense when it comes to performing due diligence on your third parties?”
When you think about third-party risk you can’t help but think of data privacy and cyber security as being the two getting the most attention right now. But those are only some of the risks we highlighted in our recent post titled Six Important Risks to Manage with Your Vendors.
The bottom line is that third-party due diligence is no longer optional – it’s required for every company regardless of size or industry. But does that mean you need to treat every third-party the same when performing due diligence?
From both a best practice and practical standpoint we believe firmly that the answer to this question is NO. Every vendor relationship is not created equal, and your due diligence needs to take that into account.
To shape the issue, let’s look at two entirely different types of vendor relationships.
Provides a SaaS based software solution that is one of the core platforms used in your business operations. Personally Identifiable Information (PII) is processed and stored in the system, and if something goes wrong with the application it will cause serious problems in providing services to your customers.
Is a consulting firm providing independent research for your organization. The outcome of their work will be incorporated into a major study you are releasing, but they are gathering all of the information independently. They have no access to confidential information and they do not perform or support any operational functions.
There is clearly a significant gap in the complexity and risks associated with the two relationships, and your due diligence should be aligned accordingly. Information and IT security are going to be critical areas you’ll want to evaluate for Vendor #1, while expertise, research methodology and use of subcontractors (i.e. fourth parties) will be important for Vendor #2.
So when you perform due diligence on your third parties, it’s crucial that you not use a one size fits all approach. Take a practical, risk-based approach, and align your due diligence activities with the identified areas of risk.