Vendor Site Visits: When, Why, and Examples

We all know the due diligence process can be a bit tedious and time-consuming. Still, it's an absolute must before onboarding and monitoring your vendors. The due diligence process generally involves collecting and reviewing vendor information based on the vendor's inherent risk.

Virtual or on-site visits may also be part of your due diligence process and can be especially valuable when you're dealing with critical or high-risk vendors. Site visits may seem like yet another task to add to your endless to-do list, but they can play an important role in your due diligence process and your overall third-party risk management program.

What a Vendor Site Visit Is and Why It’s Necessary

A vendor site visit is essentially an opportunity to check in on your critical or high-risk vendors and get a point-in-time assessment of their risk management practices. It's important to note that a site visit isn't intended to be a surprise inspection focusing solely on a vendor's issues. Rather, it's a scheduled event requiring proper planning and coordination between the vendor and your organization. 
Whether site visits are conducted virtually or in person, they can reveal useful information about the vendor that might not be discovered through regular document collection. They also open the door for more genuine and trustworthy relationships with your vendors. 

Common Red Flags to Watch for in a Vendor Site Visit

When performing a vendor site visit, you should be aware of several red flags to document and report on as needed. You'll want to discuss any issues with the vendor and confirm how and when they'll resolve them. If necessary, you can then provide your findings to your organization's senior management and the board. 

Some common red flags during a site visit include:

• Poor cybersecurity practices. Unsecure passwords, outdated penetration testing reports, and a lack of acceptable encryption standards are just a few examples of poor cybersecurity practices you might discover during a site visit.
• Lack of safety protocols. Emergency first aid stations and accident or incident logs are especially critical for vendors within the manufacturing industry. A site visit can reveal whether these safety protocols are adequate. 
• Minimal security controls. Physical security is sometimes overlooked during site visits, but it can be just as critical as cybersecurity. Non-working cameras, open access to restricted areas, and poor basic security protocols are other red flags you may discover during the visit.

Remember that a vendor site visit should be used as a supplement, not a substitution, for your overall due diligence activities. It’s helpful to visit your vendor to get first-hand insight into controls that can't be validated through desktop research. Site visits also allow you an opportunity to directly address any issues that arise and create a plan to resolve them. Virtual and on-site vendor visits can also create a more open relationship between your organization and the vendor.