What Do I Do If a Vendor Won't Provide a Document?

Consider this: you’ve already determined the inherent risk, assessed the criticality and have moved on to the due diligence stage of the third-party risk management lifecycle. You’ve requested a set of documents from your vendor, and they fail to provide one (or more) on your list. What happens next? Do you immediately cut them from your potential vendor list? Not necessarily… It may still be possible to obtain the information you need to complete your due diligence. Read on for some suggestions of what to do next.

Here are five next steps you can try:

1. Challenge the vendor to identify alternate methods of validating the controls. After all, due diligence must occur before the contract is executed and it’s in their best interest to make it possible to confirm the details requested.
2. Look for alternatives. For example, if you cannot obtain the vendor’s financial records, an accounting statement or business credit report may be acceptable instead. Get creative and think of other sources that might provide you with similar information. In some cases, coordinating a call between your subject matter expert and the appropriate vendor contact to review and discuss the control environment is a suitable substitution.
3. Request to see the document in person or virtually, without requiring that they hand over a physical or digital copy.
4. If you're in the pre-contract stage, ensure you add a clause in the contract that would require them to provide the documentation before a specified date.
5. Ask your senior management team for a waiver or exception if the vendor’s reasoning for refusal is acceptable. Communication is key to understanding why a vendor is hesitant to provide a certain document.

Collecting your vendor's due diligence isn't always an easy task. Download our eBook guide on collecting vendor due diligence to learn more.