Utilizing third-party vendors to support business activities is nothing new. While vendors can provide tremendous value in terms of saving time and money, they can also present extensive risks. Whether your organization is searching for a brand-new vendor, or has a longstanding relationship with another, vendor due diligence is a must. You simply can’t rely on a vendor to openly divulge their risks, so it’s essential to collect and review due diligence at the beginning and throughout the relationship.
What Is Vendor Due Diligence, Really?
There are two types of vendor due diligence that you should be performing:
Initial Due Diligence – This is performed prior to entering a contractual agreement with the vendor. It’s important to analyze the vendor and identify any risk that that will be exposed to your organization. Initial due diligence also helps determine if the vendor will meet your strategic and financial goals.
Ongoing Due Diligence – A vendor’s risk and performance can change over time, so it’s critical to perform due diligence even after you’ve signed the contract. The frequency of ongoing due diligence will depend on the vendor’s inherent risk level and criticality, but this is an important process that should apply to every vendor.
Effective vendor due diligence can help your organization solidify the right vendor partnerships and stay aware of any new or emerging risks.
7 Reasons Why You Need to Do Vendor Due Diligence
Taking the time to perform thorough vendor due diligence will provide your organization with many benefits. Here are seven reasons why it’s a critical practice:
- Due diligence helps protect your organization from vendor risk. Collecting and reviewing vendor due diligence allows you to make more informed business decisions and helps you steer clear from dangerous business relationships.
- It also helps protect your customers. Risky vendor relationships not only affect your organization, but they can also impact your customers. Without proper due diligence, your customers’ sensitive information could be at risk of a breach.
- It’s a strategic tool. Don’t think of vendor due diligence as an arduous check-the-box activity. You should instead use it to your advantage in your approach to vendor oversight.
- It’s a regulatory expectation. All the major regulators expect due diligence to be performed on all third parties (and even fourth parties!). This isn’t a one-time thing. This is an ongoing effort, throughout the vendor relationship, which helps safeguard your organization long term.
- You may uncover hidden risk. Utilize subject matter experts to perform a thorough analysis on the vendor due diligence you collect. They can help identify the lesser-known risks that can harm your organization.
- It’s a best practice. Simply put, it just makes good business sense.
- You may discover that the vendor isn’t a good fit for your organization. The initial or ongoing due diligence process may reveal certain vendor issues that your organization is unwilling to accept. This allows you to choose another vendor that better aligns with your business goals.
3 Reasons for Ongoing Vendor Due Diligence
Remember that due diligence shouldn’t be a one-time activity. Vendor due diligence reviews should be scheduled at least annually for critical and high-risk vendors. Moderate-risk vendors should be reviewed every 18 months to two years and low-risk vendors should be reviewed at least every two to three years.
Here are three other occasions that should initiate due diligence, regardless of risk level:
- Contract renewals – Make sure you allow plenty of time to perform due diligence prior to signing the contract renewal. For critical vendors, a general guideline is to review at the midpoint of the contract term.
- Performance issues – If you’ve noticed that a vendor’s performance is declining, it’s a good idea to initiate another due diligence review.
- New or updated regulatory requirements – It’s essential to stay informed of regulatory requirements to ensure that you and your vendors remain in compliance. Collect and review vendor due diligence as new or updated regulations are released.
Collecting and reviewing vendor due diligence documents is a challenge, but it’s an important practice that protects your organization. To make the process a little easier, establish some contractual provisions that require your vendors to periodically provide what you need even before you partner with them.
Vendor due diligence provides many benefits all throughout the third-party risk management lifecycle. From the early stage of selecting a vendor and establishing an ongoing monitoring standard, to structuring a better contract and preventing unwarranted risk to your organization and its customers, due diligence is a necessary component in each activity.