What is third-party due diligence? To begin with, it's an essential element of managing third-party risk. Well-executed third-party due diligence can help your organization be confident that it is entering (or maintaining) a relationship with a legitimate company that has a good reputation.
But there is more to third-party due diligence than investigating a vendor's character and legal status. Your organization must be sure that your third party has the right risk practices and controls to effectively mitigate the risks inherent to the product or service they are providing. A failure to thoroughly vet both the vendor organization and its controls can result in all sorts of problems, including financial loss, regulatory fines, damage to your brand and reputation, and negative impacts on your operation or customers. Third-party due diligence is a best practice, but it is also a regulatory expectation for many industries.
6 Tips for Conducting Effective Third-Party Due Diligence
Well-executed third-party due diligence is key to helping safeguard the organization against third-party risks. Keep these six tips in mind to maintain consistency and effectiveness:
- Scale due diligence to reflect the risk: Due diligence requirements for third-party relationships will vary, but they should always be proportional to the risk. To put it another way, every third party should undergo some level of due diligence, and the higher the risk, the more robust the due diligence must be. Third parties that pose a high risk or are critical to your business must be subjected to the most comprehensive due diligence.
- Document your process: Make sure your due diligence process is formalized and documented and includes the types of evidence (documents and information) you require from prospective third parties based on the types of risk in the engagement.
- Utilize qualified subject matter experts: Evaluating the controls of a third party requires considerable expertise and skill. Subject matter experts (SMEs) should have appropriate credentials and certifications in the risk domain they are assessing. Ensure that SMEs review the controls and provide a documented qualified opinion. If you don't have this capability in-house, you can outsource this process to professional third-party risk experts.
- Remediate issues as they're discovered: Should the SME discover any gaps or inadequacies, a formal remediation plan should be implemented. If remediation is allowed to continue after the contract is executed, make sure the remediation requirements are specific, time-bound, and included in the contract. Always ensure an SME reviews the evidence of remediation before considering the issue closed.
- Finalize due diligence before signing or renewing the contract: Don't sign or renew your contracts until third-party due diligence is complete. If problems arise after the agreement is signed, you may be unable to compel the third party to fix the problem.
- Repeat due diligence periodically: It's never enough to perform third-party due diligence once; it should be repeated periodically throughout the relationship. Due diligence only ever represents a point in time, and any third party's risk profile can change for better or worse. Your organization must maintain a good understanding of what risks are present in the relationship at any time. If you have legacy third parties who never underwent due diligence, make sure they undergo the process ASAP.
3 Common Due Diligence Obstacles and How to Overcome Them
While most third parties fully cooperate with due diligence requests, you may find that obtaining the correct information to assess the third party's controls can be challenging for a variety of reasons, including:
- The third party is a relatively new organization without the necessary documents. For example, the organization has not yet engaged an independent third party to audit its controls or financials. In this case, work with your SMEs to determine if there are other methods to validate the controls. In some cases, the SME may interview the third party over the phone to determine sufficiency. Or, as a last resort, you may request a signed attestation from the third party regarding the sufficiency of their controls. Whenever alternative validation methods are used, make sure they are documented. If the risk is significant, make sure your organization's management approves any exceptions to the process.
- The third party is very large and doesn't fill out questionnaires or provide documents for due diligence. In such cases, you may be able to find the organization's key documentation on its website. Many large firms will either post a public version of a SOC (System and Organization Controls) report on their website or provide a list of certifications stating that they meet specific industry standards. It's also common to find copies of privacy and other policies on an organization's website.
- The third party is hesitant or unwilling to share documentation with you. If this happens, don't hesitate to ask "why" directly. Most third parties understand that due diligence is a normal business protocol, so refusing to participate can be interpreted as potentially hiding issues. Sometimes, the organization may require a non-disclosure agreement (NDA) before sharing the information, which is a simple fix, or they may be willing to share a highly redacted document. A lack of compelling reasons for them not to share is a red flag that your organization should take seriously.
3 Mistakes to Avoid
Conducting effective third-party due diligence can be challenging due to its many components. However, you should take a proactive approach to identifying and preventing mistakes that can undermine your diligence, such as:
- Performing the same level of third-party due diligence on all vendors, regardless of the risk level. This approach is not only ineffective but puts a strain on your resources as well. Make sure your third-party due diligence process is scaled proportionately to the risk; that way, you can be confident that the right energy and focus are directed toward the highest risks.
- Failing to periodically review third-party risk after the initial round of due diligence is complete. Vendor risks change constantly, so periodic due diligence is necessary to identify, assess, manage, and monitor risk. Failing to periodically reassess risk and repeat third-party due diligence can lead to new and emerging risks remaining undetected until a major problem arises.
- Using residual risk ratings in place of inherent risk ratings. Some organizations will calculate a residual risk score after due diligence is complete. A residual risk score indicates if the controls are believed to be effective or if more must be done to mitigate risk. The residual risk score should never be used to determine the required contract language, timing of periodic risk reviews, or the frequency or level of performance monitoring, as those must only be aligned to the inherent risk rating.
The practice of third-party due diligence is good business practice and a foundational aspect of third-party risk management. Even though it takes time and effort, due diligence can help your organization confidently move forward with (or continue) its third-party relationships, as long as it's understood that third-party due diligence is instrumental both at the beginning of and throughout the lifetime of any third-party engagement.