The Value of On-Site Vendor Visits

Podcast Transcript

Hi - this is Jill with Venminder. 

In this podcast, you'll learn six reasons why on-site vendor visits are still incredibly valuable, even in today's increasingly remote working environment. 

Here at Venminder, our certified industry professionals provide expert advice on what to include in your vendor due diligence process, depending on the vendors relationship and risk. When necessary, this can include an on-site visit. 

As you collect due diligence information to assess your vendor's risk, you may consider performing an on-site visit. Just as you can tell a lot about a person by visiting their home, on-site visits to your vendor's offices and facilities can provide valuable insight about the vendor that you just can't get from viewing due diligence documents. 

Six reasons why on-site vendor visits can be a valuable part of your due diligence practice: 

• The first advantage of an on-site vendor visit is that you can observe and verify specific security controls. While on site, you can verify that your vendor's physical security controls match their written security policies and procedures. You can also evaluate the identification and access controls to protect their data centers or other privileged work areas. A walkthrough of the premises can help you validate that cameras are installed to monitor the sensitive areas of the facilities. If necessary, you can request to see live feeds or footage to ensure the cameras are working correctly. Spending time on site also allows you to see if any data, documents, or other devices are left exposed or unattended. Any gaps in physical or information security can be addressed to your vendor immediately.
• Second, you may be able to gather additional information from your vendor that has otherwise been difficult to obtain. Some vendors may be uncomfortable sharing too much information by answering a questionnaire, sending documents, or during virtual meetings. Most vendors will allow you to review sensitive information in person while on the premises. If not, that could be a red flag and something to consider in your risk assessments and due diligence reviews.
• Third, an on-site visit allows you to build a relationship with the vendor. During an on-site visit, vendors commonly introduce you to their staff and management, allowing you to form connections you might not have otherwise been able. Throughout these interactions, you can convey that your organization takes vendor risk management seriously. Those conversations can also help you learn more about the vendor's business and hear their ideas for improving products or services. There is no substitute for meeting people in person and giving them your time and attention.
• Fourth, observing the general working conditions, facilities, and employees can help you discover important information about the vendor's company culture. Even though many organizations are moving to remote or to hybrid work solutions, it’s easy to gather clues about what a company values from their physical locations. Suppose workspaces and common areas are untidy and disorganized, or basic safety precautions aren't being followed. What if employees don't appear to be doing much, seem extremely stressed out, or are just not very happy to be there? These could all be indicators of underlying organizational, financial, or management problems that could affect the vendor's delivery of products and services to your organization.
• Fifth, you can address complex or sensitive concerns in person. Conference calls and virtual meetings have challenges like technical difficulties, outside interruptions, and distracted participants. Poor performance, long-overdue issue mitigation, or troubleshooting personnel problems can be addressed more effectively when you have a captive audience with undivided attention.  
• Finally, a remote or virtual visit simply can't replace an on-site visit. We all know the pandemic forever changed the business environment. During the height of outbreaks and infection, it was necessary to substitute virtual meetings for on-site vendor visits because something was better than nothing at the time. But, while many organizations may have successfully transitioned to remote or hybrid work for their employees, the same can’t be said for remote vendor visits. The fact is there is no good substitute for an on-site visit, especially when it’s for one of your critical vendors.

While on-site vendor visits are extremely valuable, they do require your time and resources. Make sure you plan for the visit and have a prioritized list of controls to verify and objectives to meet and remember that sometimes you may need a subject matter expert on hand to review and assess specific controls. If time and resources limit the number of on-site visits you can make, focus on your critical vendors, as they should always be your priority.

Overall, on-site visits are an important due diligence tool to help you verify security controls, address sensitive issues, and build relationships with your vendors.

Thank you for tuning in; catch you next time!