
How to Conduct Effective Third-Party Due Diligence


What is third-party due diligence? To begin with, it's an essential element of managing third-party risk. Well-executed third-party due diligence gives your organization confidence that it is entering (or maintaining) a relationship with a legitimate company that has a good reputation.

But there is more to third-party due diligence than investigating a vendor's character and legal status. Your organization must be sure that your third party has the right risk practices and controls to effectively mitigate the risks inherent to the product or service they are providing. A failure to thoroughly vet both the vendor organization and its controls can result in all sorts of problems, including financial loss, regulatory fines, damage to your brand and reputation, and negative impacts on your operation or customers. Third-party due diligence is a best practice, but it is also a regulatory expectation for many industries.

6 Tips for Conducting Effective Third-Party Due Diligence

Well-executed third-party due diligence is key to helping safeguard the organization against third-party risks. Keep these six tips in mind to maintain consistency and effectiveness:

  • Scale due diligence to reflect the risk: Due diligence requirements for third-party relationships will vary, but they should always be proportional to the risk. To put it another way, every third party should undergo some level of due diligence, and the higher the risk, the more robust that due diligence must be. Third parties that pose a high risk or are critical to your business must be subjected to the most comprehensive due diligence.
  • Document your process: Make sure your due diligence process is formalized and documented and includes the types of evidence (documents and information) you require from prospective third parties based on the types of risk in the engagement.
  • Utilize qualified subject matter experts: Evaluating the controls of a third party requires considerable expertise and skill. Ensure that subject matter experts (SMEs) review the controls and provide a documented, qualified opinion. SMEs should hold appropriate credentials and certifications in the risk domain they are assessing. If you don't have this capability in-house, you can outsource this step to professional third-party risk experts.
  • Remediate issues as they're discovered: Should the SME discover any gaps or inadequacies, a formal remediation plan should be implemented. If remediation is allowed to continue after the contract is executed, make sure the remediation requirements are specific, time-bound, and included in the contract. Always ensure an SME reviews the evidence of remediation before considering the issue closed.
  • Finalize due diligence before signing or renewing the contract: Don't sign or renew your contracts until third-party due diligence is complete. If problems arise after the agreement is signed, you may be unable to compel the third party to fix them.
  • Repeat due diligence periodically: It's never enough to perform third-party due diligence once; it should be repeated periodically throughout the relationship. Due diligence only ever represents a point in time, and any third party's risk profile can change for better or worse. Your organization must maintain a good understanding of which risks are present in the relationship at any time. If you have legacy third parties that never underwent due diligence, make sure they undergo the process as soon as possible.


3 Common Due Diligence Obstacles and How to Overcome Them

While most third parties fully cooperate with due diligence requests, you may find that obtaining the correct information to assess the third party's controls can be challenging for a variety of reasons, including:

  • The third party is a relatively new organization without the necessary documents. For example, the organization has not yet engaged an independent third party to audit its controls or financials. In this case, work with your SMEs to determine if there are other methods to validate the controls. In some cases, the SME may interview the third party over the phone to determine sufficiency. Or, as a last resort, you may request a signed attestation from the third party regarding the sufficiency of their controls. Whenever alternative validation methods are used, make sure they are documented. If the risk is significant, make sure your organization's management approves any exceptions to the process.
  • The third party is very large and doesn't fill out questionnaires or provide documents for due diligence. In such cases, you may be able to find the organization's key documentation on its website. Many large firms will either post a public version of a SOC (System and Organization Controls) report, typically a SOC 3 general-use report, or provide a list of certifications stating that they meet specific industry standards. It's also common to find copies of privacy and other policies on an organization's website. When relying on published material, have your SME confirm that the report period is current and that its scope actually covers the systems, locations, and services you are buying, since a certification or attestation for a different service line says nothing about yours.
  • The third party is hesitant or unwilling to share documentation with you. If this happens, don't hesitate to ask "why" directly. Most third parties understand that due diligence is a normal business protocol, so refusing to participate can be interpreted as potentially hiding issues. Sometimes, the organization may require a non-disclosure agreement (NDA) before sharing the information, which is a simple fix, or they may be willing to share a highly redacted document. A lack of compelling reasons for them not to share is a red flag that your organization should take seriously.

3 Mistakes to Avoid

Conducting effective third-party due diligence can be challenging due to its many components. However, you should take a proactive approach to identifying and preventing mistakes that can undermine your diligence, such as:

  • Performing the same level of third-party due diligence on all vendors, regardless of the risk level. This approach is not only ineffective but puts a strain on your resources as well. Make sure your third-party due diligence process is scaled proportionately to the risk; that way, you can be confident that the right energy and focus are directed toward the highest risks.
  • Failing to periodically review third-party risk after the initial round of due diligence is complete. Vendor risks change constantly, so periodic due diligence is necessary to identify, assess, manage, and monitor risk. Failing to periodically reassess risk and repeat third-party due diligence can leave new and emerging risks undetected until a major problem arises.
  • Using residual risk ratings in place of inherent risk ratings. Some organizations will calculate a residual risk score after due diligence is complete. A residual risk score indicates whether the controls are believed to be effective or whether more must be done to mitigate risk. The residual risk score should never be used to determine the required contract language, the timing of periodic risk reviews, or the frequency and level of performance monitoring; those must be aligned to the inherent risk rating, because the controls that lower the residual score can weaken or fail, and the oversight regime has to be sized for what is at stake if they do.

The practice of third-party due diligence is a good business practice and a foundational aspect of third-party risk management. Even though it takes time and effort, due diligence can help your organization confidently move forward with (or continue) its third-party relationships, as long as it's understood that due diligence is instrumental both at the beginning of and throughout the lifetime of any third-party engagement.
