A common question people often struggle with is, “What constitutes appropriate vendor due diligence?” Or, “What are vendor due diligence reviews”? As with any question, the official answer can be found in regulatory guidance – in this case, let’s turn to FDIC Financial Institution Letter 44-2008 for this excerpt:
Comprehensive due diligence involves a review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls.
What Does That Even Mean?
Translating that back into layman’s terms, basically that means learning as much as you can about a vendor prior to engaging in a business relationship.
Due diligence is both a science and an art – there are times where you can follow a standard checklist and gather everything, but there are times where a vendor can’t or won’t share information with you – that’s when you need to explore options and get creative.
Perhaps you can come up with an alternative or perhaps you can contractually commit them to provide it to you later. For example, a company isn’t willing to provide a very confidential document – it happens – but you may be able to request they allow you to view it on-site or even by screensharing.
4 Tips for Vendor Due Diligence Reviews
Here are four tips for your reviews:
- Due diligence should be risk based – that basically means tailor the extent of what you’re asking for to the level of risk associated with the product or service – in other words, don’t expect your vending machine provider to furnish you with the same information as your core processor. They likely won’t have a SOC report and may be confused if you request one.
- Due diligence is always ongoing and must be timely – let’s face it, there’s no way to rush everything just to hit a contract date, so start ahead of time. Documents, like the following, expire or grow stale:
- SOC reports
- Business continuity/disaster recovery plans
- Policies and procedures
So be sure to refresh them as needed.
- Do not follow a checklist mentality – certainly, you can use a checklist, but as you gather documents, make sure to subject them to the appropriate analysis (and document the results of that analysis).
Believe me, I’ve had the unfortunate experience (more than once) of gathering and filing only to realize later that I just gathered and filed without reading the details and later found very unfortunate surprises.
- Subject matter experts (SMEs) should perform due diligence analyses – You really should consider who is performing the reviews. It should be a SME – internal or external. For example, a certified public accountant (CPA) is qualified to perform a financial analysis whereas you’ll likely want a Certified Information Security Systems Professional (CISSP), or someone with extensive IT experience, performing your SOC analysis.
The Impact of Vendor Due Diligence Reviews
What you determine in the course of due diligence may cause you to re-think doing business with a vendor – that may sound like a negative, and perhaps it is – but you’d be surprised how much that short term pain may turn into avoiding long term damage. It’s far easier to end a relationship before it starts than it is when unexpected surprises happen down the road.
Vendor Due Diligence Review Logistics
I've seen all sorts of models of due diligence – from a standardized questionnaire sent to all vendors to a highly customized series of questionnaires that may require multiple rounds of answering – either one is fine, but you need to establish a process that is appropriate for your organization and follow it carefully.
You also need a path for approving due diligence when you can’t gather everything – there are certainly going to be times where “no” is the final answer. In those cases, involve your senior management team and the board to determine the appropriate next steps and make sure it's firmly documented in meeting minutes to show proof of the discussion.
Due diligence is a fundamental pillar of vendor management in every piece of the regulatory guidance. It can be difficult at times, but done well, due diligence is an exercise that can protect your organization, customers, data and shareholders.
Include vendor site visits in your due diligence process. View this on-demand webinar to learn how.