Why do we do due diligence?
There is always the natural tension between wanting to get to market with a good idea or new service provider and the need to do your homework and make sure the opportunity is properly vetted. Regulatory guidance is clear in its firm expectation for an appropriate amount of due diligence.
Besides being a requirement, there are actually many compelling business reasons to do the work ahead of time. Things like the financials are obvious, but what about some of the easy-to-check but often overlooked opportunities, like doing a background check or references? For example, it's usually much better to discern a potential problem and determine the appropriate course of action before the problem occurs.
Let's say you're eager to sign up with this great new service provider - or at least they say they're great - but what are customers saying? Check out potential complaints through the Better Business Bureau, look them up on Google News, etc, the results will either confirm or curb your enthusiasm.
How much due diligence should we do?
The practical answer is you have hopefully determined and codified your due diligence guidelines in a board approved policy and accompanying procedures. The additional answer is you should take a risk-based approach depending on the type of service they're providing and a well-informed consideration of the risks associated with the service. Sometimes, you'll want to go beyond just what is on a piece of paper - the old saying of "trust but verify" applies. It's not enough to just receive the documentation, but make sure it's accurate and complete.
Timing is everything
Ideally, you've got everything buttoned up prior to getting the new vendor approved by committee or contract signing, but sometimes that's simply not possible. Companies may be unwilling or unable to provide certain documentation until they are certain the relationship is firm.
Consider then if you need to oblige them in the contract to provide certain information. Other times, some information may NEVER be available so you should consider making your guidelines flexible enough to consider alternatives.
Okay, we're done... but wait, there's more...
Due diligence should not be a static, one time event. It should be repeated on a regular (perhaps annual) basis, with frequency dictated by your actual experience with the vendor and the risk associated with their product, service and performance.