Software

Gain a 360-degree view of third-party risk by using our SaaS software to centralize, track, automate, assess and report on your vendors. 

Managed Services

Let us handle the manual labor of third-party risk management by collaborating with our experts to reduce the workload and mature your program. 

Overview
Document Collection
Policy/Program Template/Consulting
Virtual Vendor Management Office
Vendor Site Audit

Ongoing Monitoring

Let us handle the manual labor of third-party risk management by collaborating with our experts.

VX LP Sequence USE FOR CORPORATE SITE-thumb
Venminder Exchange

As Venminder completes assessments for clients on new vendors, they are then made available inside the Venminder Exchange for you to preview scores and purchase as you need.

CREATE FREE ACCOUNT

Use Cases

Learn more on how customers are using Venminder to transform their third-party risk management programs. 

Industries

Venminder is used by organizations of all sizes in all industries to mitigate vendor risk and streamline processes

Why Venminder

We focus on the needs of our customers by working closely and creating a collaborative partnership

1.7.2020-what-is-a-third-party-risk-assessment-FEATURED
Sample Vendor Risk Assessments

Venminder experts complete 30,000 vendor risk assessments annually. Download samples to see how outsourcing to Venminder can reduce your workload.

DOWNLOAD SAMPLES

Resources

Trends, best practices and insights to keep you current in your knowledge of third-party risk.

Webinars

Earn CPE credit and stay current on the latest best practices and trends in third-party risk management.  

See Upcoming Webinars

On-Demand Webinars

 

Community

Join a free community dedicated to third-party risk professionals where you can network with your peers. 

Weekly Newsletter

Receive the popular Third Party Thursday newsletter into your inbox every Thursday with the latest and greatest updates.

Subscribe

 

Venminder Samples

Download samples of Venminder's vendor risk assessments and see how we can help reduce the workload. 

resources-whitepaper-state-of-third-party-risk-management-2023
State of Third-Party Risk Management 2023!

Venminder's seventh annual whitepaper provides insight from a variety of surveyed individuals into how organizations manage third-party risk today.

DOWNLOAD NOW

Why You Need to Do Vendor Due Diligence

5 min read
Featured Image


Your organization likely has a handful of third-party vendor relationships that provide a lot of value. Some vendors may even be essential to your operations. However, it’s important to remember that these vendor relationships can also expose your organization to different types of risk. These risks aren’t always apparent, so vendor due diligence is a must.

What Is Vendor Due Diligence, Really?

Vendor due diligence is the process of collecting and reviewing vendor information and controls to determine whether you want to proceed with a new engagement or continue with an existing one. A vendor that is high risk or critical should undergo the highest level of due diligence, in terms of frequency and amount. 

Vendor due diligence should include at a minimum, a review of basic information like tax ID, an OFAC check, and financial health. For critical and high-risk vendors, you may also need to review information from SOC reports, information security policies, and business continuity and disaster recovery plans. The vendor due diligence process should always include qualified subject matter experts (SMEs) who can provide opinions on the effectiveness of a vendor’s controls.  

There are two types of vendor due diligence that you should be performing:
  • Initial vendor due diligence – This is essentially a background check of the vendor and performed prior to signing the contract. It’s important to analyze the vendor and identify any risk that will be exposed to your organization. Initial vendor due diligence also helps determine if the vendor will meet your strategic and financial goals.
  • Ongoing vendor due diligence – It’s critical to perform due diligence even after you’ve signed the contract. This ensures documents are current and can help identify any changes in the vendor’s risk and performance. All vendors should undergo ongoing due diligence, but the frequency should be greater for high-risk and critical vendors. The frequency may also need to increase because of other factors such as performance issues or updated regulatory guidance. 

Effective vendor due diligence can help your organization solidify the right vendor partnerships and stay aware of any new or emerging risks.

7 Reasons Why You Need to Do Vendor Due Diligence

Taking the time to perform thorough vendor due diligence will provide your organization with many benefits. Here are seven reasons why it’s a critical practice:
  1. Vendor due diligence helps protect your organization from vendor risk. Collecting and reviewing vendor due diligence allows you to make more informed business decisions and helps you steer clear from dangerous business relationships.
  2. It also helps protect your customers. Risky vendor relationships not only affect your organization, but they can also impact your customers. Without proper due diligence, your customers’ sensitive information could be at risk of a breach.
  3. It’s a strategic tool. Don’t think of vendor due diligence as an arduous check-the-box activity. Use it to your advantage as a strategic approach to vendor oversight.
  4. It’s a regulatory expectation. Vendor due diligence is referenced in regulatory guidance across different industries, including finance and healthcare. Regulators further expect that the scope of vendor due diligence is commensurate to the vendor’s risk and criticality. 
  5. It’s a best practice. Even if your organization is not in a regulated industry, vendor due diligence is a best practice that identifies risk and can help promote safer vendor relationships.
  6. You may uncover hidden risks. Utilize subject matter experts to perform a thorough analysis on the vendor due diligence you collect. They can help identify the lesser-known risks that can harm your organization.
  7. You may discover that the vendor isn’t a good fit for your organization. The initial or ongoing vendor due diligence process may reveal certain issues that your organization is unwilling to accept. This allows you to choose another vendor that better aligns with your business goals.

3 Triggers for Ongoing Vendor Due Diligence

Remember that due diligence shouldn’t be a one-time activity. Vendor due diligence reviews should be scheduled at least annually for critical and high-risk vendors. Moderate-risk vendors should be reviewed every 18 months to two years and low-risk vendors should be reviewed at least every two to three years.

Here are three other occasions that should initiate due diligence, regardless of risk level:
  • Contract renewals – Make sure you allow plenty of time to perform due diligence on a vendor prior to signing the contract renewal. For critical vendors, a general guideline is to review at the midpoint of the contract term.
  • Performance issues – If you’ve noticed that a vendor’s performance is declining, it’s a good idea to initiate another due diligence review. This may help reveal the cause of the performance issue and whether it’s significant enough to reconsider the vendor relationship.
  • New or updated regulatory requirements – It’s essential to stay informed of regulatory requirements to ensure that you and your vendors remain in compliance. Collect and review vendor due diligence as new or updated regulations are released.

vendor due diligence

3 Strategies for Successful Vendor Due Diligence 

Collecting and reviewing vendor due diligence documents can be a challenge, but it’s an important practice that protects your organization.

Here are a few tips that can help create a successful strategy:
  • Consider contractual provisions. It’s important to ensure that your vendors are contractually obligated to periodically provide due diligence documents. You may also want to consider a right to audit clause, which can obligate your vendor to provide documents at any time, even in between regularly scheduled reviews.  
  • Use a standardized process. Vendor due diligence often includes a lot of simultaneous activities, such as requesting, collecting, and reviewing documents. These activities are typically performed by different individuals so the overall due diligence process can quickly become hectic. A standardized process can help eliminate confusion over which documents to request from each vendor and who’s responsible for collecting them. 
  • Collaborate with subject matter experts. Internal or external subject matter experts (SMEs) should always be involved in the vendor due diligence process, specifically during the review stage. These individuals should possess certifications or other credentials in their risk domains that demonstrate their qualifications. For example, a CPA would be qualified to review a vendor’s financial documents.

Vendor due diligence provides many benefits all throughout the vendor risk management lifecycle. From the early stage of selecting a vendor and establishing an ongoing monitoring standard, to structuring a better contract and preventing unwarranted risk to your organization and its customers, due diligence is a necessary component in each activity.

Subscribe to Venminder

Get expert insights straight to your inbox.

Ready to Get Started?

Schedule a personalized solution demonstration to see if Venminder is a fit for you.

Request a Demo