If you’re an organization that collects due diligence on an ongoing basis, that’s great. If you’re an organization that collects due diligence on an ongoing basis and just files it away, then that’s a recipe for disaster!
Due diligence is one of the most critical elements of third party risk management. When you reach out to the vendor, you’re likely requesting documents such as SOC reports, financial statements, insurance certificates, business continuity plans and other pertinent information that really gives you a deep understanding of how much risk is present by doing business with that vendor. Gathering due diligence is just the first step.
The second step is thoroughly analyzing due diligence. It won’t do you any good, or hold value with examiners, if you have the right SOC report but have no clue the controls in place are ineffective because you didn’t take the time to sift through the documentation and draft a comprehensive analysis.
5 Reasons Why Analyzing Due Diligence Is Critical
Here are five reasons due diligence is a critical component of third party risk management.
- Exposure to substantial risk is often the result of due diligence left unanalyzed
- Regulators expect due diligence to be analyzed (reference guidance like OCC Bulletin 2013-29 and FDIC FIL 44-2008 to learn even more)
- Letting risk slip through the cracks is a real probability as you may find a check-the-box mentality would have led to risk going unnoticed
- There’s an opportunity to verify the vendor is still the right fit as you may discover issues that you can’t get on board with and will lead to you walking away from the vendor relationship or searching for a replacement vendor
- It’s a best practice and makes good business sense
Since due diligence is so critical, there’s nothing more dangerous than receiving a document and filing it away without a proper review.
What Can Go Awry: 3 Examples of Due Diligence Peril
Here are some real-life examples showing what can happen if you cut corners with your analysis.
1. Vendor Financial Report
Understanding a vendor’s financial viability is very important. That’s exactly why you should always request their 10-K report or statement of financial condition. If you don’t analyze their financial statement, you may not realize if there’s a decline in financial condition.
You may be thinking, “big deal, sometimes vendors have a couple of bad months financially.” However, the scary truth is that a decline in financial condition can be an indication of other underlying problems such as cutting costs and reducing their staff, a decline in service levels, sunsetting products and more. All of these are early warning signs of coming risk that you’ll want to be aware of as soon as possible.
2. Vendor Business Continuity Plan and Disaster Recovery Plan
A vendor’s business continuity plan gives you an understanding of the vendor’s plan to ensure that their business’ operations and products/services can continue to be delivered in a full, or at a predetermined and accepted level of availability. A disaster recovery plan summarizes the processes and procedures the vendor must perform up to resumption of standard operations.
These two documents go hand-in-hand. Without analyzing the business continuity and disaster recovery plans, you can’t confirm the vendor has tested them. If they haven’t fully tested their plans, then there’s no guarantee the plan will actually work like they’ve anticipated. Like a domino effect, if the vendor experiences a business impacting event, this could wreak havoc at your organization.
3. Vendor Cybersecurity Policies and Procedures
A cybersecurity plan helps you understand the vendor’s access levels to your confidential information, exactly how they store the information, the vendor’s incident response plan, their breach notification policy and more. If it’s not properly analyzed, then there’s a greater chance you could be breached and also a greater chance if your vendor is breached that they won’t notify you in a timely manner because you haven’t verified that their notification policy meets your expectations.
This can lead to not having ample time to come up with an action plan. It could also mean you won’t be able to notify your customers of the breach as soon as you should. And, if the words “reputation risk” are flashing before you right now... good job. You called it!
These are just a few examples of what can go amiss if you don’t analyze due diligence but, as you can see, there’s a lot at stake. Analyzing due diligence helps protects you, your organization and your customers from unwanted risk.
Do you know which due diligence items you need to collect? Download this checklist to help.