Vendor due diligence is a business discipline used to identify and mitigate risks with vendors. Among other benefits, due diligence reviews provide assurance that a vendor is financially stable, ethically sound and has an effective corporate structure. They also provide comfort to the board, customers and regulators that processes are in place and risks are being proactively managed.
The length and complexity of a due diligence review will vary by vendor. Here’s an overview of the types of due diligence reviews most organizations perform, and a process you can follow to implement them in your organization.
Two Types of Vendor Due Diligence Reviews
There are generally two types of due diligence reviews: an Initial Review that’s performed when you are evaluating a relationship with a new vendor, and a Periodic Review that’s performed to routinely evaluate and manage risk with existing vendors. Let’s take a look at both.
Initial Due Diligence Review
The initial review is performed on prospective vendors and is typically done in concert with the Request for Proposal (RFP) evaluation process. Combining these two activities allows you to gauge the vendor’s technical ability to deliver on their proposal and evaluate the soundness of their operations and their potential fit as a business partner.
Periodic Due Diligence Reviews
Periodic reviews are performed on existing vendors. They help validate the vendor’s continued ability to provide the goods and services for which they’ve been contracted. They are also used to re-evaluate risk levels, especially if your relationship with the vendor has changed significantly since the last review.
Aligning Review Questions with Vendor Risk
The level of work required for a due diligence review should be driven by the operational, financial, compliance and security risks presented by a given vendor. In order to determine the right review activities, it’s best to categorize vendors by function and design the review accordingly.
Here are examples of three different vendor categories, and how you might modify your review procedures based on the nuances of each.
Outsourced Vendors
Outsourced vendors typically require thorough due diligence reviews given the risk associated with the activities they perform, and the impact on your operations should something happen with the vendor. Many of these vendors handle non-public information on your behalf, or may interact directly with your customers.
These vendors may also require on-site visits to evaluate operations, controls and procedures. Areas of focus for your review might include:
- Organizational structure, capacity and operating procedures
- Security of data and systems (SSAE 16 or similar audit)
- Security of building and/or personnel
- Insurance and bonding coverages
- Compliance with regulatory agencies
- Overall financial strength, legal problems and company stability
Technology Vendors
Many technology vendors are high-risk, especially as combined software and service offerings grow bigger and more complex. The level of due diligence depends on the type of product, service or combination thereof that the vendor provides, and how deeply that product integrates with your operations. Areas of focus for your review might include:
- Security of data and systems (SSAE 16 or similar audit)
- Disaster recovery and back-up relationships and procedures
- Protection of intellectual property
- Compliance with regulatory agencies
- Overall financial strength, legal problems and company stability
Non-Essential Vendors
Vendors that don’t provide business critical services or technology may be considered non-essential, and may or may not require a periodic diligence review. Examples might include general office and janitorial supplies, and non-essential services like cleaning or waste removal. For those that do qualify for a periodic review, you’ll want to focus on basic risk areas like general financial stability and insurance.
Selecting an Appropriate Review Frequency
Just as review procedures should be aligned with a vendor’s risk, so should the frequency of your due diligence reviews. While an annual review is sufficient for many vendors, some may require reviews on a quarterly or semi-annual basis. More frequent reviews might be required when:
- The vendor provides mission critical technology or services, or carries a high level of risk
- Items discovered in the last due diligence review need to be monitored
- External sources identify risks such as bankruptcy, material layoffs and lawsuits
Getting Your Process Going
Strong due diligence processes and ongoing monitoring for critical third-party vendors are a must for any organization looking to manage and mitigate risk. Some organizations place this responsibility with the vendor management office (when one exists), while others place it within an existing business unit like finance, operations, risk management or IT. The best fit for your organization will depend on your organizational structure, culture and the resources (both skill and capacity) in each individual business unit.
Regardless of who’s responsible, the important point is to ensure vendor due diligence reviews are happening. If you’re just getting started, begin with your highest-risk vendors and work your way down from there. If you have a mature process in place, take the opportunity to evaluate it and make refinements to make it even stronger.
Remember, proactively managing risks with your vendors is no longer an option. Your board, customers and regulatory agencies all expect it.
Paul Boone is VP Vendor Reviews at BBVA Compass. He is a contributing writer for VendorRisk, a cloud-based vendor management software solution, and guest blogs from time-to-time on the topics of vendor management and vendor management software.