How to Conduct Effective Third-Party Due Diligence

What is third-party due diligence? To begin with, it’s an essential element of managing third-party risk. Well-executed third-party due diligence can help your organization be confident they're entering (or maintaining) a relationship with a legitimate company with a good reputation.

But there is more to third-party due diligence than investigating a vendor's character and legal status. Your organization must be sure that your third party has the right risk practices and controls to effectively mitigate the risks inherent to the product or service they are providing. A failure to thoroughly vet both the vendor organization and its controls can result in all sorts of problems, including financial loss, regulatory fines, damage to your brand and reputation, and negative impacts on your operation or customers. Third-party due diligence is a best practice, but it is also a regulatory expectation for many industries.

6 Tips for Conducting Effective Third-Party Due Diligence

Well-executed third-party due diligence is key to helping safeguard the organization against third-party risks. Keep these six tips in mind to maintain consistency and effectiveness:

• Scale due diligence to reflect the risk: Due diligence requirements for third-party relationships will vary, but they should always be proportional to the risk. To put it another way, you'll need to ensure that all third parties undergo some level of due diligence and that as the risks increase, the more robust the due diligence must be. Third parties that pose a high risk or are critical to your business must be subjected to the most comprehensive due diligence.
• Document your process: Make sure your due diligence process is formalized and documented and includes the types of evidence (documents and information) you require from prospective third parties based on the types of risk in the engagement.
• Utilize qualified subject matter experts: Evaluating the controls of a third party requires considerable expertise and skill. SMEs should have appropriate credentials and certifications in the risk domain they are assessing. Ensure that subject matter experts (SMEs) review the controls and provide a documented qualified opinion. Suppose you don't have this capability in-house. In that case, you can outsource this process to professional third-party risk experts.
• Remediate issues as they're discovered: Should the SME discover any gaps or inadequacies; a formal remediation plan should be implemented. If the remediation is allowed to continue post-contract execution, make sure the remediation requirements are specific, timebound, and included in the contract. Always ensure a SME reviews the evidence of remediation before considering the issue closed.
• Finalize due diligence before signing or renewing the contract: Don't sign or renew your contracts until third-party due diligence is complete. If problems arise after the agreement is signed, you may be unable to compel the third party to fix the problem.
• Repeat due diligence periodically: It's never enough to perform third-party due diligence once; it should be repeated periodically throughout the relationship. Due diligence only ever represents a point in time, and any third party's risk profile can change for better or worse. Your organization must maintain a good understanding of what risks are present in the relationship at any time. If you have legacy third parties who never underwent due diligence, make sure they undergo the process ASAP.

3 Mistakes to Avoid

Conducting effective third-party due diligence can be challenging due to its many components. However, you should take a proactive approach to identifying and preventing mistakes that can undermine your diligence, such as:

• Performing the same level of third-party due diligence on all vendors, regardless of the risk level. This approach is not only ineffective but puts a strain on your resources as well. Make sure your third-party due diligence process is scaled proportionately to the risk; that way, you can be confident that the right energy and focus are directed toward the highest risks.
• Failing to periodically review third-party risk after the initial round of due diligence is complete. Vendor risks change constantly, so periodic due diligence is necessary to identify, assess, manage, and monitor risk. Failing to periodically risk reassess and perform third-party due diligence can lead to new and emerging risks remaining undetected until a major problem arises.
• Using residual risk ratings in place of inherent risk ratings. Some organizations will calculate a residual risk score after due diligence is complete. A residual risk score indicates if the controls are believed to be effective or if more must be done to mitigate risk. The residual risk score should never be used to determine the required contract language, timing of periodic risk reviews, or the frequency or level of performance monitoring, as those must only be aligned to the inherent risk rating.

The practice of third-party due diligence is a good business practice and a foundational aspect of third-party risk management. Even though it takes time and effort, due diligence can help your organization confidently move forward with (or continue) its third-party relationships. As long as it's understood that third-party due diligence is instrumental at the beginning of and throughout the lifetime of any third-party engagement.