What Is Third-Party Due Diligence?


Third-party vendor due diligence is an essential vendor risk management process, not just before you begin a business relationship but throughout it. Due diligence gives your organization the data to validate that the vendor can reasonably mitigate the risks associated with the product or service provided and has a solid reputation. It is not a “one-and-done” exercise; it is a continuous part of the vendor risk management lifecycle. Under many regulatory requirements, and as a matter of best practice, it should be a standard component of your ongoing monitoring routines.

All vendor relationships should be vetted and reviewed before a contract is signed, and the vendor should then receive periodic due diligence reviews. So what does that mean in practice? How often should you review the vendor, and what is required to do that effectively? A few factors determine the answer, including the vendor's risk level, the type of product or service provided and whether there have been any regulatory changes.

The Basics of Third-Party Due Diligence

Let’s cover some of the basics so you’ll have a good understanding of the what, when and why of collecting third-party due diligence.

Collecting Third-Party Due Diligence

The due diligence documents you’ll need to collect will vary depending on your organization type, industry regulations and other factors. The following is a guideline with examples, not an all-inclusive list, of what many organizations should expect to collect from their vendors.

  • All risk levels: Certain baseline information and documents should be collected on all vendors, regardless of their risk level. This consists of basic information, including:
    • Legal name, address, website, tax ID, etc.
    • State and articles of incorporation
    • Secretary of State check
    • Dun & Bradstreet report (if available)
    • A list of any subcontractors/fourth parties they will use to service your company
    • OFAC check
  • Moderate Risk: Collect all baseline documents and information plus the following:
    • Three years of audited financials
    • Insurance certificates
    • Third-party management processes
    • SOC reports
    • Information security policy
    • Reputational review using internet search and/or Better Business Bureau
  • High Risk: You’ll want to collect all of the baseline documents, all moderate risk items and add the following:
    • All policies and procedures, especially concerning business continuity/disaster recovery, regulatory compliance and training, incident management and data classification and handling
    • Penetration and vulnerability testing results
    • Reports of previous outages and SLA violations
    • Complaints and resolution (if they interact with the customer)
    • Litigation summaries for the last five years and any current or pending litigation

When to collect: Initial vs. Ongoing

  • Initial: Due diligence information and documents must be collected and reviewed before you negotiate or sign a contract. Persons with relevant subject matter expertise should evaluate the vendor's information and control environment to determine whether they’re sufficient. If the subject matter experts identify any issues that require mitigation, legal should address them in the contract.
  • Ongoing: Once your vendors are under contract, they enter the ongoing monitoring phase. Vendors under ongoing monitoring must go through regular due diligence reviews to confirm that their control environment remains sufficient and to look for any new or emerging risk. The risk rating assigned to the relationship primarily determines how frequently due diligence is required. However, other factors can trigger a review, such as a pending contract renewal, declining vendor performance or new regulatory requirements.

Guidelines Related to the Type of Information to Gather and Frequency

The following guidelines, organized by risk level, cover two things for each tier: how often to collect due diligence documentation, and how often to conduct performance and emerging risk reviews.

Risk level: Critical and high risk

Due diligence collection frequency: Annually. First, confirm that all baseline information is still current. Then gather new documentation or ensure the versions you have are the most recent. New documentation, financials, complaint tracking and BC/DR plans and testing require an updated SME review, which includes the following:

  • Review all existing documentation to determine whether anything has expired
  • Request current versions of expired documents and confirm that your existing documents are the latest version
  • Update insurance certificates
  • Review financials and D&B reports
  • Collect and review BC/DR plans and test results
  • Collect and review information security documentation: SOC reports, penetration test results, certifications and third-party audits (confirm that the SOC report's coverage period is current and that penetration test findings have been remediated)

Performance and emerging risk reviews: Quarterly. At a minimum, conduct quarterly risk and performance reviews with your critical and high-risk vendors. These reviews should cover all aspects of the vendor's performance and identify and address any new or emerging risk issues. The information and reporting you gather will vary depending on the relationship; however, the data must be able to identify and measure issues related to the following:

  • Overall performance and SLA adherence
  • Complaints management and trends
  • Negative news events
  • Change of control (merger, acquisition, divestiture, name change, management change)
  • Change of personnel
  • BC/DR planning events, drills, tests and test results
  • New products and services, whether provided to your organization or added to the vendor's business
  • Any event or transaction that could materially affect their financial condition
  • Process or procedure changes

Risk level: Moderate risk

Due diligence collection frequency: Every 18-24 months. Update and re-request all baseline information and any document you asked for during initial due diligence, and take the following actions:

  • Double-check reputation, BC plans and tests, and confirm documentation is current
  • A SME review may be required depending on the risk level of the product or service

Performance and emerging risk reviews: Every 6-8 months. The information and reporting you gather will vary depending on the relationship; however, the data must be able to identify and measure issues related to the following:

  • Overall performance and SLA adherence
  • Negative news events
  • Change of control (merger, acquisition, divestiture, name change, management change)
  • Change of key personnel
  • BC/DR events, drills, tests and test results
  • New products and services, whether provided to your organization or added to the vendor's business
  • Any event or transaction that could materially affect their financial condition
  • Process or procedure changes affecting your products or services

Risk level: Low risk

Due diligence collection frequency: Confirm that you're still actively engaged with the vendor, confirm all baseline information and, if necessary, do a reputation check.

Performance and emerging risk reviews: Not required, but if time and resources allow, it’s a good practice to check in via phone or email at least once a year.
Due Diligence Red Flags

Performing regular due diligence is a simple and straightforward way to identify problem areas with your existing or potential vendors.

Here are a few issues to watch out for in your collection and review process:

  • Business continuity/disaster recovery plans are outdated: Do not take an outdated, untested or incomplete BC/DR plan lightly. It’s crucial to ensure that your third-party vendor has a proper, tested plan in place to prepare for any business-disrupting event.
  • Financial statements have inconsistencies between net income and sales: Identify and review inconsistencies between net income and sales. If these two figures don’t align, it could indicate a variety of issues with the vendor. You should also watch for negative net cash flow and unusually high dividends.
  • Cybersecurity plans are incomplete or untested: Third-party cybersecurity audits have expired, or vulnerability and penetration testing has not been done, is incomplete or revealed issues that have not been remediated.
  • Declining performance, increasing complaints or slower response times: These issues can signal financial decline, a change in management priorities, staff cuts and other problems the vendor may not admit openly.

Practicing regular third-party due diligence is the best way to systematically identify, assess and manage vendor issues before they become significant problems for your organization. Due diligence efforts should reflect the risk and complexity of the product or service. Regular performance and risk reviews are an excellent way to surface new and emerging risks between due diligence cycles.
