4 Third-Party Document Collection Efficiencies

Third-party due diligence is fundamental to effective third-party risk management. The adage, "look before you leap," is not only good advice; it's necessary to protect your organization and its customers from risks associated with its relationships with third parties (or vendors). 

So, what is due diligence? It’s thoroughly vetting your third parties before you enter into a business relationship with them. And conducting third-party due diligence is more than a best practice. It's a regulatory requirement for many industries. 

The Importance of Third-Party Due Diligence Documentation 

Due diligence typically involves collecting and reviewing detailed information about a vendor's risk management practices and control environment. That information is then carefully evaluated to determine if the third party's controls are sufficient to manage the risks associated with the product or service and relationship. Your third party must provide your organization with the requested information and documents for review. As simple as that sounds, the document collection process can be challenging and time-consuming if you’re disorganized or unprepared. 

Here are some practical tips for making due diligence document collection more effective and efficient.

4 Third-Party Document Collection Best Practices for Efficiency 

1. Identify stakeholder responsibilities. Multiple stakeholders' participation and proactive efforts are required in due diligence. Let's examine how each of these stakeholders participates in the due diligence process:
   
   
   • The third-party risk management team collaborates with subject matter experts to create the vendor risk questionnaire and the list of standardized documents that must be collected from the vendor/third party. They also often issue the vendor risk questionnaire and requests for documentation.
   • The vendor owner is responsible for ensuring the third party/vendor submits all requested information on time, including a completed vendor risk questionnaire and all required documentation.
   • The vendor completes the vendor risk questionnaire and provides the requested documentation. 
   • Subject matter experts review the third party's risk management practices and validate the adequacy of the vendor's controls by assessing the vendor risk questionnaire and the documents provided. They also provide a written report with their qualified opinion regarding the sufficiency of the third party's controls.
2. Create a standardized list of due diligence documentation. Each identified risk requires evidence of appropriate controls. To streamline the processes, create an itemized list of documents that can be used to evidence the controls in each risk category or domain. 
   
   Here are some examples:
   
   • Compliance
     
     • Compliance policy
     • Employee training
     • Background checks
     • Privacy policy
   • Business Continuity
     
     • Business continuity plans
     • Testing results
   • Finances
     
     • Audited third-party financials
     • Audit letter/opinion
   • Information Security
     
     • Information security policy
     • Penetration Testing
     • Access management policy and procedure
     • Encryption Standards
     • Data retention and destruction policy and schedule
   • Independent third-party audits and reports, such as a SOC 2 Type II report, can be 
     
     • Business continuity
     • Information security
3. Use tools specifically designed for third-party risk management. Manual processes, such as Excel spreadsheets, are inefficient and error prone. Also, manual processes can lead to many challenges with document collection. For example, document tracking via email can cause confusion amongst the stakeholders involved and provide little to no clear direction on how to proceed or who is responsible. A dedicated third-party risk management (SaaS) tool or platform can help alleviate these challenges. Some benefits of a third-party risk management (SaaS) tool or platform include:
   
   •    Automated notifications to vendors and stakeholders
   •    Documentation management and version control
   •    A single collection point for notes, issues, and comments
   •    Collection and organization of documents
   •    Issue tracking and management 
   •    Audit readiness 
4. Hold vendor owners accountable for missing or incomplete third-party/vendor documentation. Risk management and issue mitigation are the responsibilities of your vendor owners. Whenever a third-party vendor fails to respond to a request for documentation or has missing documentation, involve the vendor owner to follow up and ensure the timely delivery of documents.

Due diligence requires a careful review of third-party/vendor information and documentation. Obtaining the right documents is much easier when you create standard document requests and keep the returned documents managed and organized. If there are any issues, put your vendor owners on point to ensure the third parties return the information as requested. This will ensure a more efficient process and shorter cycle times for reviewing the information.