Performing due diligence on your third parties is an essential part of managing third-party risk. Your organization must be confident that it is entering a relationship with a legitimate company with a good reputation. Moreover, when the risks are elevated, you must be sure that your third party has the necessary controls to mitigate the inherent risks of providing the product or service. Failure to validate both the company and the controls can lead to all sorts of problems, including financial loss, regulatory fines, harm to your reputation and brand, and negative impacts on your operations or your customers.
6 Tips for Conducting Effective Third-Party Due Diligence
When performed well, due diligence gives your organization a clear, documented view of the risks in each third-party relationship and the controls that mitigate them. Keep these six tips in mind to maintain consistency and effectiveness:
- Scale to the risk level: Not all third-party relationships are the same; the due diligence required will vary, but it should always be proportionate to the risk. In other words, every third party should undergo some level of due diligence, and the higher the risk, the more robust that due diligence must be. Your critical and high-risk third parties should be subject to the highest level of due diligence.
- Always document processes: Your due diligence process should be formalized and documented, including the specific types of evidence (documents and information) you’ll be requesting from prospective third parties.
- Utilize subject matter experts: Determining whether a third party's controls are sufficient requires expertise. Ensure that subject matter experts (SMEs) review the controls and provide a documented, qualified opinion. If you don't have this capability in-house, you can outsource this process to professional third-party risk experts.
- Remediate issues as they’re found: If the SME finds the controls to be insufficient, or they discover any gaps or other issues, a formal remediation plan should be put in place. If the remediation is allowed to continue post-contract execution, make sure the remediation requirements are timebound and included in the contract.
- Finalize due diligence before signing the contract: Don't sign your contracts until third-party due diligence is complete. If issues are discovered after you have already signed, you'll have little leverage to obligate the third party to fix the problem.
- Repeat the due diligence process as needed: Remember, third-party due diligence is repeated periodically throughout the relationship; it's never done. If you have legacy third parties that never underwent due diligence, make sure they undergo the process as soon as possible. The risk profile of any third party can change for better or worse, and your organization must have a good handle on what risks are present in the relationship.
3 Common Obstacles to Overcome
While most third parties fully cooperate with due diligence requests, you may find that obtaining the correct information to assess the third party’s controls can be challenging for some of the following reasons:
- The third party is a relatively new organization and doesn't have the required documents, for example an independent third-party audit of its controls (such as a SOC 2 report) or audited financials. In this case, work with your SMEs to determine what other methods may be used to validate the controls. In some cases, your SME may determine sufficiency through a phone interview with the third party, or you may request a signed attestation. Whatever method is used, make sure it's documented and that the appropriate level in your organization approves the process exception.
- The third party is very large and doesn't fill out questionnaires or provide documents for due diligence. In this situation, you may be able to find its key documentation on the third party's own website, often on a trust or security page. Many large firms will either post a publicly available SOC (System and Organization Controls) report, typically a SOC 3, or list the certifications they hold (for example, ISO/IEC 27001) that require them to meet specific standards.
- The third party is hesitant or unwilling to share documentation with you. When this happens, don't hesitate to ask "why" directly. Most third parties understand that due diligence is normal business practice, so refusing to participate can be interpreted as potentially hiding issues. In some cases, the organization requires a non-disclosure agreement (NDA) before sharing the information (restricted-use reports such as a SOC 2 are commonly shared this way), which is a simple fix. However, if there is no compelling reason for them not to share, it could very well be a red flag, and your organization should proceed with extreme caution.
3 Mistakes to Avoid
Effective third-party due diligence can be a challenging process with many different components. It’s important to take a proactive approach in identifying and preventing common mistakes that can diminish the effectiveness of your due diligence, such as:
- Performing the same level of third-party due diligence on all vendors, regardless of the risk level. The higher the risk, the more due diligence is necessary.
- Failing to periodically review third-party risk after the initial round of due diligence is complete. This may lead to new and emerging risks remaining undetected until there is a major problem.
- Using residual risk ratings in place of inherent risk ratings. Inherent risk is the risk the product or service carries before any of the third party's controls are considered; residual risk is what remains after those controls are taken into account. Some organizations will calculate a residual risk score after due diligence is complete. The residual risk score essentially indicates whether the controls are believed to be effective or whether more needs to be done to mitigate risk. The residual risk score should never be used to determine the required contract language, the timing of periodic risk reviews, or the frequency or level of performance monitoring, as those must be aligned to the inherent risk rating only; otherwise, a control that later fails or is withdrawn would leave a high-risk relationship under-monitored.
Third-party due diligence is a good business practice and a foundational part of third-party risk management. While it may be time- and effort-intensive, the payoff is that your organization can move forward into a third-party relationship with confidence. Knowing your vendor starts with initial due diligence and should continue through periodic risk reviews until the relationship ends.