Last month we went into detail about what “vendor due diligence” actually means. This month, we’ll review when (how often) you should be performing due diligence on your vendors.
When people think of vendor due diligence, the procurement process (or vendor down-selecting/finalizing) comes to mind. Yes, it’s important to perform due diligence at the start of a new vendor relationship, but it doesn’t stop there!
Vendor due diligence should be performed throughout the life of your vendor relationships. It’s the way in which you evaluate your vendor’s financial condition, operational soundness, security/privacy practices, compliance with applicable laws or regulations, and other information in order to spot red flags. Below we’ll break down two main phases of due diligence – initial and ongoing:
Initial Due Diligence
- Before Vendor Selection: While often overlooked, performing some level of due diligence when you’re identifying prospective vendors (but have not yet selected one) can go a long way. Why would you want to go through the trouble of evaluating a vendor’s proposal if, let’s say, they were identified on a government watchlist? Essentially what you’re aiming to do here is spot “non-starters” right at the beginning – things that might prevent you from working with a vendor. Due diligence activities to consider include:
  - OFAC or other watchlist screening
  - Conflicts of interest evaluation
  - Insurance verification
  - Anything else your organization may consider a “non-starter”
- Prior to Contracting: This stage in the process is what most people think of regarding vendor due diligence. You’ve identified a finalist (in a competitive situation), or you simply selected a prospective vendor you know you want to work with – now you need to put them through your organization’s vendor due diligence process to spot potential risks. These could be risks that might prevent you from working with the vendor, or risks that could be managed or remediated. Identifying risks before signing a contract allows you to address those risks contractually (e.g., by including additional provisions) and might even give you some leverage over your vendor to have certain risks remediated.
Ongoing Due Diligence
- When scope changes occur: If you choose to utilize a vendor for additional services (let’s say they currently perform some consulting work for you, but now you’re thinking of outsourcing an entire business function to them), you need to reassess the vendor relationship. Just because you’ve performed a risk assessment and risk-based due diligence on your vendor for one scope of work, doesn’t mean those same assessments apply to any additional work.
- On a Periodic (and Continuous) Basis: It’s critical that vendor risks don’t go unnoticed. Ongoing monitoring is a core component of the vendor management framework. Depending on a vendor’s criticality and inherent risk, your organization should establish a schedule for performing ongoing due diligence (e.g., critical or high-risk vendors are reassessed annually, medium-risk vendors are reassessed every other year, etc.). Also, it’s important to note that point-in-time methods of due diligence, such as reviewing the results of a vendor due diligence questionnaire, are not the only tools in your arsenal. Business intelligence technology can be utilized to perform real-time continuous monitoring of your vendor relationships, providing you with metrics and indicators on financial condition, corporate health, negative news, etc. You might choose to continuously monitor your critical vendors and other vendors who present a heightened level of risk to your organization.
Due diligence is not a one-and-done activity. But it doesn’t need to be overwhelming either. Make sure your staff understand their roles and responsibilities, ensure your policies/standards/procedures define the type (and frequency) of due diligence activities your organization performs, and utilize technology to help automate due diligence workflows and processes.