What is vendor due diligence? Vendor due diligence is essentially the investigation phase that occurs before a company enters into a relationship with a vendor to avoid any potential “buyer’s remorse.” In vendor due diligence you learn as much as you possibly can about a vendor before a relationship begins.
You want to get to know your vendor before entering into a contract with them. Due diligence isn’t something that only happens once tough, it is should be conducted periodically throughout the vendor relationship. You want to gather key information about the vendor, get to know what risks are associated with the vendor, and evaluate the potential impacts those risks might have on your company.
This occurs at the onboarding phase, which has its own level of risk management and remediation of risk and usually takes place before any request for proposal. Generally, all pertinent stakeholders take part in this phase or at least are kept in the know, and necessary risks are managed before a vendor is taken on. Controls are put in place for the ongoing vendor relationship and some risks may be deemed acceptable going forward. Continued monitoring occurs throughout the lifecycle of the vendor relationship.
So what does vendor due diligence entail? Let’s break it down.
The 4 Step Vendor Due Diligence Process
Depending on the vendor and the level of the relationship, you may be able to cover just basics. But some vendor relationships may prompt you to conduct a more extensive due diligence to protect your business.
- Gather key information about your vendor.
You’re on the hunt for red flags now. You’ll want to have the necessary information on file about your vendor before going forward. Including your vendor’s geographical location, their body of ownership, and any past financial crises they may have faced so that you can get a better picture of their basic level of risk at the outset. Depending on the vendor relationship, items here might even include historical financial information, cash flow, debt or liabilities, and operational compliance performance.
- Screen your vendor.
It’s a good idea to screen your vendor against relevant news media and political connections for any negative press and to see if there are any watchlists and sanctions against them. This also includes screening for law enforcement lists of unknown criminal entities that may also be involved with your vendor. Also screen for conflicts of interest. This determines how significant the risk a third party is in particular as it relates to reputation risk.
- Conduct a risk assessment.
In vendor due diligence, risk assessment is a more extensive process that looks into financial corruption, stability, and other areas of IT security. The types of risk in the assessment are slightly different in a number of ways. Initially, instead of getting to know the types of risk the vendor will pose on a regular basis, you are looking for inherent and profiled risks they may pose entering in.
In assessing your vendor, it is helpful to provide a relevant security questionnaire for the vendor to answer. This questionnaire can be general, for all vendors, or can be specific to the needs of the particular vendor to which you are sending the questionnaire. You can narrow the scope of your questionnaire if you are already aware of the type of service that the vendor is going to provide to your company.
Here you may consider all of the information gathered and conduct your assessment accordingly. For example, consider your vendor’s geographic location. If their country has a high corruption rating in Transparency International’s Corruption Perceptions Index, this vendor may be ranked as a higher risk. Governmental risk due to location may also play a part. You can consider the financial information that you gathered. Here is where you consider the potential for exposure to money laundering and exposure to other financial risks, as well as the vendor’s policies and standards for handling these types of risks. You might consider assessing the atmosphere of employees, awareness training, and culture of the vendor to ensure that employees are being trained properly and that there is not a culture that rewards excessive risk-taking.
- Remediation and continual vendor risk management.
Once the information is collected in the above it can be further verified and validated. This is the step at which the impact of potential risks, which were gathered in the information above, is evaluated. Here subject matter experts can be brought in to complete evaluation of risk. For example, you might bring IT in to evaluate the cyber risk posture of the vendor. Once that is completed remediation plans come into play or the risk is deemed acceptable before making a plan for ongoing or continuous monitoring throughout the lifecycle of the vendor relationship should a request for proposal be acceptable at this time.
Once again, it is important to note that while vendor due diligence is paramount at the onboarding phase and generally performed under procurement, it must be performed periodically throughout the vendor relationship if changes should occur or as a core component of ongoing monitoring in vendor risk management. This ensures that mitigation strategies that were put in place at the beginning remain in place throughout the entire vendor relationship. How often due diligence is conducted will depend on the nature of that relationship and what service the vendor provides to your organization.
Get Compliant with Carbide
With automated compliance checks, you can quickly evaluate your current information security framework and prioritize the gaps that may put the company at risk of not complying. Carbide can assist you with compliance with various frameworks such as SOC 2, HIPAA, ISO 27001, GDPR, and more.