Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit


Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

About

Venminder is an industry recognized leader of third-party risk management solutions. 

Our Customers

900 organizations use Venminder today to proactively manage and mitigate vendor risks.

Get Engaged

We provide lots of ways for you to stay up-to-date on the latest best practices and trends.

Gartner 2020
Venminder received high scores in the Gartner Critical Capabilities for IT Vendor Risk Management Tools 2020 Report

READ REPORT

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resource-whitepaper-state-of-third-party-risk-management-2021-cropped
State of Third-Party Risk Management 2021

Venminder’s State of Third-Party Risk Management 2021 survey provides insight into how organizations are managing third-party risk management in today’s increasing regulatory and risky climate.

DOWNLOAD NOW

Baseline Vendor Due Diligence Documents to Collect

6 min read
Featured Image

Due diligence is an indispensable step in the vendor risk management lifecycle. Performing due diligence on your vendors isn’t only a sensible business practice, but for many industries, is regulated by law. Of course, not all vendor relationships pose the same risks to an organization, but there are baseline or foundational documents you should be collecting to further evaluate most vendor engagements.

Have you repeatedly heard about the criticality of due diligence, but still wonder how due diligence goes from being a conceptual best practice to an actionable process? If that sounds like you, you’re not alone. Most vendor risk managers recognize the importance of due diligence to identify and assess risk, and are somewhat familiar with the due diligence process, but it’s not uncommon for vendor risk managers to be perplexed about where to start or what documents and information to request from their vendor. Defining an accurate inventory of the exact vendor due diligence information to gather and assess can be overwhelming.

How to Start Collecting Vendor Due Diligence

To simplify this process initially, it’s always wise to focus on the basics and build from there. To get started, let's review what you likely already know. Both the scope and rigor of due diligence should align with the risks associated with the vendor relationship. However, you must collect some basic information on all vendors, regardless of their risk level, criticality or business type.

No matter the relationship's risk level, verifying that your vendor is a legitimate business entity with a good reputation is the first due diligence objective. Let's take a look at what information you will need to collect from the vendor and the research you must do to meet that first objective.

The Foundational Due Diligence Documents to Collect

The process for collecting some of this data may vary depending on your organizational processes. And, in some organizations, the information for items 1-5 may be logged in your accounts payable system instead of a vendor management system. Ensure you know about parallel information systems or processes to help you avoid rework and redundant requests to the vendor.

Here are documents and information you should be collecting as a starting point:

1. Legal name: Including any “doing business as” or “also/previously known as” (d/b/a, aka, pka).

2. Basic information: Including addresses such as the corporate headquarters, physical location where all work will be performed (a picture or map view of the facility may also be required for some vendors), website URL, corporate contact information such as an email and phone number, etc.

3. Tax ID: A vendor's tax ID proves that they are registered with the IRS.

4. Ownership structure and affiliated companies: It's necessary to understand the overall structure of the organization. You may find that a parent company or an affiliate has a different risk profile than the vendor you’re vetting, which might increase or decrease the risk.

5. Biographies of key managers and owners: This may be needed when the relationship has elevated risk or reputational concerns.

Moving along, you’ll also need to collect items 6 and 7 if there is an elevated risk in the relationship.

In other words, if the vendor will be accessing any of your systems or data, reviewing your organizational business strategies, plans, code or any intellectual property these are foundational documents needed. These items are also required when the vendor collects payments, interfaces with your customers or employees, or is considered a critical vendor.

6. Confidentiality agreement: This can also be referred to as a mutual non-disclosure agreement (MNDA) or a privacy statement. It's used to protect both parties' trade secrets and confidential information. This agreement may not be necessary for low-risk, low-dollar spend relationships. However, a confidentiality agreement is recommended any time you request sensitive or confidential information from a vendor.

7. List of pertinent subcontractors/fourth parties: Suppose your vendor provides critical or high-risk products or services for your organization. It’s essential to know if they’re dependent on other vendors to complete and deliver a product or service to you. If so, you’ll need to be aware of the extended risks present because products and services (or a portion of them) for your organization are performed by a vendor with which you do not have a direct contract.

Visibility to these fourth parties (the vendors of your vendor) also alerts your organization to include specific terms and conditions to the contract, including requiring your vendor to get written before adding or changing fourth parties. A well-written contract should require your vendor to notify you if their vendors (subcontractors) have a data breach, business interruptions or any other situation that can potentially impact your organization.

When you have obtained the vendor's necessary information like the above, you’ll still need to do your homework. Doing further research allows you to identify risks that aren’t always obvious. It may give you extra data points that your vendor may not automatically provide. Research is also the best way to validate a vendor's good reputation.

All of the items below may not always be necessary for every vendor. However, they’re highly recommended.


8. OFAC check: Required by the U.S. Treasury to determine if an organization is owned or managed by a sanctioned person or nation.

9. Complaint research: Use websites like bbb.org, the CFPB (their complaints database), and ripoffreport.com to research the type and volume of customer complaints that the vendor has received.

10. Negative news search: Running a Google News search will help you avoid any surprises if your vendor has had troubling incidents in the past.

11. Secretary of State check: You can validate the vendor's authenticity by confirming that they're correctly registered in their state.

12. Business License: This is a fundamental item to ensure your vendor is licensed to provide the product/service for which you’re contracting.

13. State of Incorporation: This can easily be found online through each secretary of state's website. This information confirms that the vendor is a legitimate business and is filing tax returns.

14. Credit report: A quick credit check could identify underlying issues like a decline in the vendor's financial condition or failing business operations. You can obtain this from sites like Equifax.com, Transunion.com or Experian.com.

15. Dun & Bradstreet (D&B) report: You can obtain this business credit and trade report directly from D&B or other providers. This report can show you payment habits and trends that may not yet be revealed in audited financials.

16. Certificate of Good Standing: Your local Better Business Bureau (BBB) and state treasurers will be able to provide two different types of certificates. The state will show whether the organization is current on tax obligations. The BBB will confirm that the company is ethical and doesn’t have excessive complaints against them.

Depending on the risk associated with the product and service, you may not need to ask for some information or research every point. Each vendor is vetted differently, and it's important to carefully assess which due diligence information you’ll request from each vendor. You don't want to risk overlooking anything that may impact your organization. Still, you also don't want to spend valuable time collecting and researching data that isn't significant. That’s why tailoring due diligence is important.

For further reading, view our comprehensive Third-Party Risk Management Checklist for an in-depth look at other documentation you may want to collect during the due diligence stage. Download the checklist.

third-party risk management checklist

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo