Third-party vendor due diligence is an essential vendor risk management process, not just before you begin a business relationship, but throughout that relationship as well. Due diligence provides your organization the data to validate that the vendor can reasonably mitigate the risks associated with the product or service provided and has a solid reputation. But, the due diligence process is not a “one-and-done” process. Instead, it’s a continuous part of the vendor-risk management lifecycle. Per many regulatory requirements and overall best practices, it should be a standard component in your ongoing monitoring routines.
It’s recommended that all vendor relationships undergo vetting and review before a contract is signed. And, after that, the vendor should have periodic due diligence reviews. So, what does that mean? How often should you review the vendor and what is required to do that effectively? A few factors determine the answer, including risk level, type of service or product provided and if there have been any regulatory changes.
The Basics of Third-Party Due Diligence
Let’s cover some of the basics so you’ll have a good understanding of the what, when and why of collecting third-party due diligence.
Collecting Third-Party Due Diligence
The due diligence documents you’ll need to collect will vary depending on your organization type, industry regulations and various other factors. The following is simply a guideline with examples, not an all-inclusive list, of what many organizations should expect to collect from their vendors.
- All risk levels: Certain baseline information and documents should be collected on all vendors, regardless of their risk level. This consists of basic information, including:
  - Legal name, address, website, tax ID, etc.
  - State, and articles, of incorporation
  - Secretary of State check
  - Dun & Bradstreet report (if available)
  - A list of any subcontractors/fourth parties they will use to service your company
  - OFAC check
- Moderate risk: Collect all baseline documents and information plus the following:
  - Three years of audited financials
  - Insurance certificates
  - Third-party management processes
  - SOC reports
  - Information security policy
  - Reputational review using internet search and/or Better Business Bureau
- High risk: You’ll want to collect all of the baseline documents and all moderate-risk items, and add the following:
  - All policies and procedures, especially concerning business continuity/disaster recovery, regulatory compliance and training, incident management, and data classification and handling
  - Penetration and vulnerability testing results
  - Reports of previous outages and SLA violations
  - Complaints and resolution (if they interact with the customer)
  - Litigation summaries for the last five years and any current or pending litigation
When to collect: Initial vs. Ongoing
- Initial: Due diligence information and documents must be collected and reviewed before you negotiate or sign a contract. Persons with relevant subject matter expertise should evaluate the vendor information and control environment to determine whether they’re sufficient. If the subject matter experts identify any issues for mitigation, legal should include them in the contract.
- Ongoing: Once your vendors are under contract, they enter the ongoing monitoring phase. Vendors under ongoing monitoring must go through regular due diligence reviews to confirm that their control environment remains sufficient and to look for any new or emerging risk. The risk rating assigned to the relationship primarily determines how frequently due diligence is required. However, other factors can trigger a review, such as a pending contract renewal, declining vendor performance or new regulatory requirements.
Guidelines Related to the Type of Information to Gather and Frequency
Here are some guidelines related to the type of information to gather and how often to collect it.
| Risk level | Due diligence collection frequency | Performance and emerging risk reviews |
|---|---|---|
| Critical and high risk | Annually: First, confirm that all baseline information is still current. You'll then need to gather new documentation or ensure the versions you have are the most recent. New documentation, financials, complaints tracking and BC/DR plans and testing require an updated SME review, which includes the following: | Quarterly: At a minimum, you should conduct quarterly risk and performance reviews with your critical and high-risk vendors. These reviews should focus on all aspects of the vendor's performance and identify and address any new or emerging risk issues. The information and reporting you gather will vary depending on the relationship; however, the data must be able to identify and measure issues related to the following: |
| Moderate risk | Every 18-24 months: You should update and request all baseline information and any document you asked for during essential due diligence and take the following actions: | Every 6-8 months: The information and reporting you gather will vary depending on the relationship; however, the data must be able to identify and measure issues related to the following: |
| Low risk | Confirm that you're still actively engaged with the vendor, confirm all baseline information, and, if necessary, do a reputation check. | Not required, but if time and resources allow, it’s a good practice for you to do a check-in via phone or email at least once a year. |
Due Diligence Red Flags
Performing regular due diligence is a simple and straightforward way to identify any problem areas with your existing or potential vendors.
Here are a few issues to watch out for in your collection and review process:
- Business continuity/disaster recovery plans are outdated: Do not take an outdated, untested or incomplete BC/DR plan lightly. It’s crucial to ensure that your third-party vendor has a proper plan in place to prepare for any business disrupting event.
- Financial statements have inconsistencies between net income and sales: Identify and review inconsistencies between net income and sales. If these two factors don’t align, this could indicate a variety of issues with the vendor. You should also be aware of a negative net cash flow and unusually high dividends.
- Cybersecurity plans are incomplete or untested: Cybersecurity third-party audits have expired or vulnerability testing has not been done, is incomplete or issues were revealed through testing.
- Declining performance, increasing complaints or slower response times: These issues can signal financial decline, a change in management priorities, staff cuts and other problems the vendor may not admit openly.
Practicing regular third-party due diligence is the best way to systematically identify, assess and manage vendor issues before they potentially become significant problems for your organization. Due diligence efforts should reflect the risk and complexity of the product and service. Ensuring you practice regular performance and risk reviews is an excellent way to seek out and find new and emerging risks in between due diligence cycles.