If you’re in the market for a used car, there are likely some key steps you’ll take before you agree to make a purchase (i.e. go on a test drive, review the CARFAX report, have an independent mechanic inspect the car). If you’re in the market for a home, the same applies – you’ll go on a detailed walk-through, get it appraised, perform a home inspection, etc.). The same should be true for entering into a new vendor relationship. You want to perform the appropriate vendor due diligence to reach a level of comfort that the vendor can be trusted.
Simply put, vendor due diligence is the way in which organizations vet their vendors to spot potential red flags, both before entering into a contractual relationship as well as throughout the course of that relationship. Here are the core components of what it means to perform vendor due diligence:
1. Identify Inherent Risks
You can’t talk about due diligence without also referencing inherent risk. Your vendors provide all kinds of products and services to you, with each vendor relationship carrying its own level of risk. For example, some of your vendors will have access to your corporate network while others won’t, some will collect your customers’ NPI (non-public information) while others won’t. Knowing which categories of risk your vendor may expose you to (i.e. operational, reputational, financial, etc.) will dictate what type of due diligence needs to be performed.
- Helpful Tip – Use a standard method/tool to identify inherent vendor risks. This will allow you to consistently classify inherent risk from vendor to vendor. Here are 8 best practices for performing inherent risk assessments.
2. Collect Information
Before you send that 300-question due diligence questionnaire to your vendor, take a moment to figure out if all of those questions actually apply to the vendor relationship you are assessing. Chances are, you may be asking your vendor questions that don’t need to be asked, contributing to vendor fatigue and adding to the length of time it takes to complete the due diligence process.
Going back to #1 above, the inherent risk assessment process should have highlighted which categories of risk your vendor may expose you to. Knowing this will allow you to “scope” your due diligence questionnaire so that you only ask your vendor to provide the relevant documentation and answer applicable questions.
- Helpful Tip – Scoping could mean that your organization maintains several due diligence questionnaires (DDQ) that cover specific topics (i.e. an Information Security DDQ or a Business Continuity DDQ), sending only the relevant questionnaires when they apply. Or, scoping could mean the incorporation of technology, such as a vendor management system, which can automatically ask your vendor the applicable questions based on their inherent risk rating.
Also know that the “question and answer” format (i.e. due diligence questionnaire) is not the only way to collect information about your vendors during the vendor due diligence process. While the self-reported information obtained through the use of a DDQ is helpful, you should also utilize third-party intelligence tools that search for negative news, ascertain financial and corporate health, or verify that vendors are not on any sanctions lists (such as OFAC).
3. Evaluate the Impact of Potential Risks
Obtaining information and documents from your vendors during the due diligence process is only half the battle. Next, you need to see what the information/documents are saying! Vendor due diligence should not be a check-the-box exercise. In order to ensure that risks are adequately being assessed, the right people with the appropriate expertise need to be involved in the review process – “trust but verify.”
This is where your organization utilizes its subject matter experts (SMEs) to make educated decisions about risk. Perhaps the vendor’s responses to IT and data security due diligence question are always sent to your information security team for review, or the vendor’s financial statements are always sent to someone with a background in reviewing balance sheets/cash flow statements.
Since the vendor due diligence review process can often be time-consuming, some organizations even choose to hire a third-party to perform outsourced due diligence review services.
4. Determine How to Proceed
You’ve gone through the due diligence process and have learned that the new vendor you are evaluating does not encrypt data at rest. Due to the type of confidential information your organization will be providing the vendor during the course of the business relationship, this is a risk that can’t be ignored. What do you do?
Questions like this will come up all the time during the vendor due diligence process, so it’s a good idea to have a standard approach for responding to identified risks. When you need to determine the best way to proceed, take the following into consideration:
- Remediate – The risk has been identified, but it can be removed through proper remediation. For example, let’s say your vendor does not provide security awareness training to its employees – your remediation plan may state that your relationship will proceed under the assumption that the vendor provides security awareness training to its employees within three months.
- Mitigate with controls – The risk exists, but they are managed through the appropriate controls. For example, a vendor’s infrastructure might not allow them to securely store your data, so you may establish internal controls (access privileges/data provisioning) limiting the type of data the vendor has access to.
- Accept the risks – The risk may be below your organization’s risk appetite, and you may choose to accept the risk but ensure proper ongoing monitoring is performed.
- Find an alternate vendor – The risk may outweigh the benefit of working with a particular vendor, and you may choose to simply pursue an alternate vendor.
5. Continue Monitoring
Oftentimes when people think of “vendor due diligence,” the procurement process (or vendor down-selecting/finalizing) comes to mind. Yes, it’s important to perform due diligence at the start of a new vendor relationship, but it doesn’t stop there.
Performing point-in-time due diligence – such as reviewing answers to a due diligence questionnaire – are necessary, but risks are constantly evolving. Your relationship with vendors (and the level of risk they expose you to) can change overtime as well. It’s important to perform some level of ongoing monitoring, the frequency of which is often dictated by the vendor’s level of inherent risk and criticality to your organization, to stay in front of risks before they impact you.
For example, a few months after you evaluated a vendor’s due diligence questionnaire, your third-party intelligence tool alerts you that the same vendor is marching towards insolvency. Without proper ongoing monitoring, you would have been left in the dark.
Vendor due diligence can be a daunting task, but that shouldn’t stop you from performing it! If you need someone to review your due diligence process to identify areas of improvement, take over some of the due diligence tasks for you, or even just be a sounding board to ask questions about the due diligence process, Vendor Centric is here to help.
Author: Josh Angert
Job Title: Consulting Manager
Organization: Vendor Centric