Your organization likely has a handful of third-party vendor relationships that provide a lot of value. Some vendors may even be essential to your operations. However, it’s important to remember that these vendor relationships can also expose your organization to different types of risk. These risks aren’t always apparent, so vendor due diligence is a must.
What Is Vendor Due Diligence, Really?
Vendor due diligence is the process of collecting and reviewing vendor information and controls to determine whether you want to proceed with a new engagement or continue with an existing one. A vendor that is high risk or critical should undergo the highest level of due diligence, in both frequency and depth of review.
Vendor due diligence should include, at a minimum, a review of basic information like tax ID, an OFAC check, and financial health. For critical and high-risk vendors, you may also need to review information from SOC reports, information security policies, and business continuity and disaster recovery plans. The vendor due diligence process should always include qualified subject matter experts (SMEs) who can provide opinions on the effectiveness of a vendor’s controls.
There are two types of vendor due diligence that you should be performing:
- Initial vendor due diligence – This is essentially a background check of the vendor and is performed prior to signing the contract. It’s important to analyze the vendor and identify any risk the relationship would expose your organization to. Initial vendor due diligence also helps determine if the vendor will meet your strategic and financial goals.
- Ongoing vendor due diligence – It’s critical to perform due diligence even after you’ve signed the contract. This ensures documents are current and can help identify any changes in the vendor’s risk and performance. All vendors should undergo ongoing due diligence, but the frequency should be greater for high-risk and critical vendors. The frequency may also need to increase because of other factors such as performance issues or updated regulatory guidance.
Effective vendor due diligence can help your organization solidify the right vendor partnerships and stay aware of any new or emerging risks.
7 Reasons Why You Need to Do Vendor Due Diligence
Taking the time to perform thorough vendor due diligence will provide your organization with many benefits. Here are seven reasons why it’s a critical practice:
- Vendor due diligence helps protect your organization from vendor risk. Collecting and reviewing vendor due diligence allows you to make more informed business decisions and helps you steer clear of dangerous business relationships.
- It also helps protect your customers. Risky vendor relationships not only affect your organization, but they can also impact your customers. Without proper due diligence, your customers’ sensitive information could be at risk of a breach.
- It’s a strategic tool. Don’t think of vendor due diligence as an arduous check-the-box activity. Use it to your advantage as a strategic approach to vendor oversight.
- It’s a regulatory expectation. Vendor due diligence is referenced in regulatory guidance across different industries, including finance and healthcare. Regulators further expect that the scope of vendor due diligence is commensurate with the vendor’s risk and criticality.
- It’s a best practice. Even if your organization is not in a regulated industry, vendor due diligence is a best practice that identifies risk and can help promote safer vendor relationships.
- You may uncover hidden risks. Utilize subject matter experts to perform a thorough analysis of the vendor due diligence you collect. They can help identify the lesser-known risks that can harm your organization.
- You may discover that the vendor isn’t a good fit for your organization. The initial or ongoing vendor due diligence process may reveal certain issues that your organization is unwilling to accept. This allows you to choose another vendor that better aligns with your business goals.
3 Triggers for Ongoing Vendor Due Diligence
Remember that due diligence shouldn’t be a one-time activity. Vendor due diligence reviews should be scheduled at least annually for critical and high-risk vendors. Moderate-risk vendors should be reviewed every 18 months to two years and low-risk vendors should be reviewed at least every two to three years.
Here are three other occasions that should initiate due diligence, regardless of risk level:
- Contract renewals – Make sure you allow plenty of time to perform due diligence on a vendor prior to signing the contract renewal. For critical vendors, a general guideline is to review at the midpoint of the contract term.
- Performance issues – If you’ve noticed that a vendor’s performance is declining, it’s a good idea to initiate another due diligence review. This may help reveal the cause of the performance issue and whether it’s significant enough to reconsider the vendor relationship.
- New or updated regulatory requirements – It’s essential to stay informed of regulatory requirements to ensure that you and your vendors remain in compliance. Collect and review vendor due diligence as new or updated regulations are released.
3 Strategies for Successful Vendor Due Diligence
Collecting and reviewing vendor due diligence documents can be a challenge, but it’s an important practice that protects your organization.
Here are a few tips that can help create a successful strategy:
- Consider contractual provisions. It’s important to ensure that your vendors are contractually obligated to periodically provide due diligence documents. You may also want to consider a right-to-audit clause, which can obligate your vendor to provide documents at any time, even in between regularly scheduled reviews.
- Use a standardized process. Vendor due diligence often includes a lot of simultaneous activities, such as requesting, collecting, and reviewing documents. These activities are typically performed by different individuals, so the overall due diligence process can quickly become hectic. A standardized process can help eliminate confusion over which documents to request from each vendor and who’s responsible for collecting them.
- Collaborate with subject matter experts. Internal or external subject matter experts (SMEs) should always be involved in the vendor due diligence process, specifically during the review stage. These individuals should possess certifications or other credentials in their risk domains that demonstrate their qualifications. For example, a CPA would be qualified to review a vendor’s financial documents.
Vendor due diligence provides many benefits throughout the vendor risk management lifecycle. From the early stage of selecting a vendor and establishing an ongoing monitoring standard, to structuring a better contract and preventing unwarranted risk to your organization and its customers, due diligence is a necessary component of each activity.