7 Steps of Risk-Based Vendor Due Diligence
Learn how to do risk-based vendor due diligence.
Not all vendors have the same level of risk. Risk-based vendor due diligence can save your organization time and resources in your vendor risk management program. But, do you know the steps to take and when? This informative video explains the 7 steps.
Have you ever considered how risk-based vendor due diligence can save your organization time and resources in your vendor risk management program? Let’s walk through how to do it in seven steps.
Step one. Not all vendors have the same level of risk, so you must first determine each vendor’s inherent risk and criticality. Each vendor should have its own inherent risk rating of low, moderate, or high, and be deemed critical or non-critical. That risk rating will help you determine the amount and frequency of due diligence you need to perform with each vendor.
Step two. To begin, you’ll validate the vendor's legitimacy and good standing and request baseline information.
Step three. To help accomplish these tasks, do things like research any negative news that might be linked to the vendor and gather standard company information from every vendor, regardless of risk level or type, such as address, articles of incorporation, and tax ID.
Step four. Additionally, have the vendor complete a risk questionnaire, asking specific questions about the vendor's risk management practices and controls and obtaining detailed information for consideration during due diligence.
Step five. Request additional information as needed. Let’s start with your low-risk vendors. You really only need to do the basics. For example, confirm their reputation and good standing using reports from agencies, such as the Better Business Bureau.
Your moderate-risk vendors need a bit more work. You’ll need to review items like financials, compliance, or cybersecurity. And of course, be sure to get all the basic information, too, just like you did with your low-risk vendors!
Now, it kicks up a notch with high-risk vendors. You should be doing a pretty robust review, looking at the same things you looked at with your low- and moderate-risk vendors. But now you’ll also need to look at items like business continuity and disaster recovery planning and testing, do a full cybersecurity evaluation, and more!
And then you have your critical vendors. A vendor is critical if their failure or closure would have a significant impact on your organization. Critical vendors should have the most rigorous due diligence because they are so important to your organization.
Step six. Don’t forget to have a qualified subject matter expert review the due diligence information provided.
Finally, step seven: always repeat the process! You need a formal due diligence review of your highest-risk vendors and of all critical vendors at least annually. Moderate-risk vendors need to be re-assessed every 18-24 months, depending on the vendor's product or service. Low-risk vendors should be re-assessed every two to three years, also depending on the product or service, or before contract renewals.
Knowing how to define and manage the risk levels helps you direct your energy and effort where it’s needed the most.