How Vendor Due Diligence Is Conducted


Collecting due diligence on vendors can feel like an impossible task, comprised of document rabbit holes and infinite checklists — one big, monotonous game of tag as you constantly call, email and chase vendors to obtain the X, Y, Z report you’ve needed for weeks. Then, once you think you finally have everything you need, analyzing the documentation can become overwhelming. Sometimes, it’s difficult to determine where to begin, what to review and how to interpret what it all means. Sound familiar? We thought so…

Not to worry! We’ve put together an approachable method for how to best conduct vendor due diligence by breaking down five important documentation categories to focus on.

How to Conduct Vendor Due Diligence

1. Review Your Contracts

A contract is an agreement between parties creating a legal obligation for your organization and vendor to perform specific activities. Each party to the contract is legally bound to perform the duties outlined within it. Contract reviews are a very important component of your due diligence: if an expectation isn’t set in the contract, then the parties have not agreed to it.

Before you sign the contract, make sure to:

  • Review the scope of services
  • Review SLA requirements
  • Confirm accuracy of contract duration
  • Consider costs and price increase language
  • Confirm security/confidentiality provisions
  • Assess audit requirements
  • Understand reporting and any associated feeds
  • Assess business continuity language
  • Analyze subcontracting policies
  • Review ownership/license information
  • Review indemnification clauses
  • Review limitation of liability
  • Confirm provisions around dispute resolution
  • Include standards around complaints management
  • Review general provisions (e.g., survival, governing law, contract conflict, severability, etc.)
  • Collect all foundational vendor due diligence documentation (e.g., MNDA, tax ID, business license, credit report, etc.)

2. Review Vendor SOC Reports

SOC stands for system and organization controls. A SOC report is an independent audit report prepared by a certified public accountant (CPA) that provides additional detail on the controls the vendor has in place. It’s an attestation that your vendor has controls to safeguard your data; if those controls are operating effectively, they mitigate part of the risk you inherit by using the vendor.

At a high level, a SOC review should:

  • Use the reporting period to confirm it’s the most current report available
  • Assess organizational and administrative set up
  • Confirm products and services
  • Gain a deeper knowledge of the information system
  • Review data center infrastructure
  • Analyze control objectives and activities
  • Review any audit findings or control exceptions, and how management responded to them

3. Review Business Continuity, Disaster Recovery & Pandemic Plans

Business continuity planning helps vendors (or any business) ensure that their significant operations and products/services continue to be delivered at full availability, or at a predetermined and accepted level of availability. The expected level of availability is typically outlined in the Service Level Agreement (SLA) that your organization has with the vendor.

When conducting due diligence around business continuity plans, make sure the vendor has a formal plan that accounts for:

  • Strategy for personnel loss
  • Pandemic contingencies
  • Relocation plans
  • Breach/notification policy
  • Business continuity impact analysis
  • Recovery time objectives
  • Recovery point objectives
  • Maximum tolerable downtime
  • Data around testing and ongoing maintenance of the plan

The vendor should also consider pandemic planning, which focuses on:

  • Strategies and procedures in the event of a pandemic
  • Preventative measures
  • Implementation guidelines in the event of a prolonged health crisis

The vendor should also have a disaster recovery plan, which focuses primarily on systems and should address:

  • Gathering of disaster recovery personnel at the command center
  • How the vendor will decide if the incident is a disaster
  • Salvage operations, recovery operations, communications and restoration to normal operations

You’ll want to make sure all three of these areas are accounted for.

4. Review the Cybersecurity Posture

A cybersecurity program helps protect your organization and the vendor from threats such as a data breach. Evaluating your vendor’s cybersecurity posture will help you identify potential weaknesses. From there, you can communicate with the vendor about those weaknesses and develop strategies to strengthen controls before a breach occurs.

Here you’ll want to be sure to account for:

  • Security testing (vulnerability, penetration and social engineering)
  • Sensitive data security
  • Data retention/destruction, declassification and privacy policies
  • Employee, contractor and vendor management team data protection training (e.g., annual security training, access management policies)
  • Incident response plan

5. Review Financials

Financial statements should be reviewed to identify the financial health of any vendor you outsource a product or service to. This helps you determine if the vendor can continue to provide secure, safe and quality products or services that meet your organization’s expectations.

Make sure to determine/review:

  • If the vendor is a public or private company so that you know what report type to request
  • If regulatory action has been taken
  • If there are outstanding legal proceedings or lawsuits associated with the vendor
  • The vendor’s net worth (balance sheet)
  • Revenue and gross margin (income statement)
  • How the vendor funds operations (cash flow statement)
  • Likelihood of bankruptcy (ratios)

Pro-tip: It’s also important to get an auditor’s opinion on the vendor’s financial statements and internal controls, and to have a CPA write up the assessment.

To write up an assessment covering what was reviewed, why it was reviewed and the results of the review, make sure to have a subject matter expert (SME) involved. While this process most definitely includes a lot of lists, you should never have a check-the-box mentality when it comes to due diligence. It’s easy to fall into, but a check-it-and-forget-it approach can lead to some nasty consequences.

Due diligence is a fundamental component of any third-party risk management program. When conducted effectively, it can truly be one of the most powerful tools in your risk management arsenal.

Make sure you have everything you need when collecting vendor due diligence. Download the checklist. 
