3 Approaches to Vendor Due Diligence

Is your vendor due diligence process keeping pace with rapidly evolving risks? Here are three approaches to assessing vendor resilience in today’s changing business environment.
Brenda Ferraro
Vice President of Third-Party Risk
October 23, 2020

Your third-party management footprint is exploding, and the term “business resilience” is echoing in Zoom meetings … but your vendor due diligence processes are still being ironed out. Rest assured that you’re not alone. In this post, we’ll introduce three approaches to get you on the right track.

What Is Vendor Due Diligence?

Before working with a new vendor, supplier or other third party, you’ll want to conduct due diligence prior to onboarding. The due diligence process should not only assess a vendor’s financial and operational stability, but also gauge any potential risks they could introduce to your organization. The due diligence process usually involves a combination of contract understanding, vendor-completed assessments, and external intelligence gathering on the target company and their subcontractors. All of this is ultimately weighed against your organization’s level of risk tolerance.

Why Due Diligence Requirements Are Expanding

Recently, vendor due diligence to-do lists have been getting a lot longer for procurement, risk management, and security teams. Given the coronavirus pandemic’s impact on third-party operations – combined with other health, environmental and geopolitical challenges – many organizations are expanding their vendor due diligence efforts beyond simple IT security assessments. This includes gathering information related to manufacturing, transportation, non-IT products, and other domain areas that comprise today’s complex supply chains.

Three Approaches to Vendor Due Diligence

Whether you’re formalizing a vendor due diligence program for the first time, or need to evolve your existing program, it’s important to take a step back and consider your overall strategy. At Prevalent, our customers typically take one or more of the following approaches to due diligence: In-house, Shared or Outsourced.

1. In-house Due Diligence: The DIY Approach

Many companies seek to internally manage vendor data collection and analysis. However, even if your organization is well-staffed and funded, DIY due diligence can be a burden if you use disparate, manual tools (e.g., spreadsheets) to manage the process. Bringing in an automated third-party risk management platform can help. Here are some capabilities you’ll want to look for:

  • Normalized risk intelligence from inside-out assessments and external risk monitoring
  • Configurable risk impact and likelihood scoring
  • Automated workflow and task management
  • Centralized document and evidence management
  • Customizable vendor communications
  • Configurable risk remediation guidance for vendors
  • Risk remediation management tracking and reporting

One key to success with an internal approach is making it as easy and painless as possible for vendors to respond to assessment questionnaires. The solution should also include a vendor-facing portal for viewing survey completion status, threat intelligence reports, and suggested remediations, and it should maintain a complete audit trail for future assessment validation.

Finally, you’ll want to be sure that the solution is able to automatically trigger workflow tasks based on assessment attributes, risk scores, and recommendations. For instance, triggers can initiate activities related to vendor profiling and tiering, risk correlation across assessment responses, and normalization of assessment and monitoring intelligence. This will make it much easier for you to focus more on risk management and spend less time worrying about content collection.

2. Shared Due Diligence: The Network Approach

As due diligence requirements expand to supply chain vendors and outsourced supply chain management providers, vendor management processes can be taxing on under-resourced teams. In my experience, an assessor can juggle around 150-200 concurrent assessments before they become overloaded. What happens when your board asks for supply chain risk data to inform decisions, and you have 15,000 vendors to assess?

Communicating with vendors and collecting risk data usually accounts for the largest share of time in the due diligence process. If all you have is spreadsheets and de-coupled assessment and monitoring data to work with, then you are headed for a burn-out situation! Compounding this issue is the shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations.

Vendor risk intelligence networks can help when resource-constrained teams need to scale their programs. In this approach, network members and vendors pool their resources and share completed risk content to streamline risk analysis and mitigation. They offer on-demand access to readily available risk scores and content backed by industry-standard questionnaires. They’re perfect for SMBs that need benchmark data or larger organizations that need a quick way to tier vendors and identify those requiring more in-depth assessments.

Prevalent offers the following vendor risk intelligence networks:

Our customers typically find about 40% of their vendors in our networks. They also report an average 44% time and cost savings when using a Prevalent vendor risk network vs. conducting assessments on their own with manual tools.


3. Outsourced Due Diligence: The Managed Services Approach

A popular option is to outsource third-party evidence collection and analysis to vendor risk assessment services. This approach frees your in-house team to focus on risk identification and remediation, rather than on chasing down assessment responses and verifying their accuracy.

This approach can deliver a faster time-to-value for risk reduction. It’s also a solid option for extremely resource-constrained teams – or those with limited internal skillsets. Here are a few of the ways your risk management program can leverage outsourced due diligence:

  • Questionnaire distribution and response collection
  • Documentation and evidence collection
  • Threat intelligence verification
  • Risk mitigation management
  • Virtual validation testing and reporting

Managed services have become increasingly popular as Covid-19 has restricted companies from performing onsite risk validation. While you can conduct virtual due diligence using in-house resources, an established managed service provider can deliver the expertise, process and resources necessary to supplement and scale your program.

Bonus: The Hybrid Approach to Vendor Due Diligence

Many Prevalent customers opt to take advantage of two – or all three – of the above approaches to accelerate and automate their third-party risk management programs. For instance, some customers tap into our networks for initial due diligence checks and then work with our services team to conduct assessments of vendors that aren’t yet in the network or that require more in-depth analysis.

Everything is managed in our centralized SaaS platform, which in-house teams can use to conduct periodic follow-up assessments – either on their own or with the support of Prevalent services – while continually monitoring third parties for cyber, business and financial risk.

Next Steps

Learn more about our approach in our best practices guide, or request a demo to see how Prevalent can take the pain out of your vendor risk management initiatives.

Brenda Ferraro
Vice President of Third-Party Risk
Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Security and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.