Vendor Due Diligence Strategy Guide and Checklist

Is your vendor due diligence process keeping pace with rapidly evolving risks? Here are three approaches to assessing vendor resilience in today’s changing business environment, plus a checklist to use in your due diligence surveys.
Brenda Ferraro
Vice President of Third-Party Risk
October 23, 2020

Your third-party management footprint is exploding, and the term “business resilience” is echoing in Zoom meetings … but your vendor due diligence processes are still being ironed out. Rest assured that you’re not alone. In this post, we’ll introduce three approaches to get you on the right track.

What Is Vendor Due Diligence?

Before onboarding a new vendor, supplier or other third party, conduct due diligence. The process should assess not only the vendor's financial and operational stability but also any risks the vendor could introduce to your organization.

Third-party vendors pose numerous risks, including cybersecurity risk, operational risk, supply chain disruption, and compliance exposure. A thorough vendor due diligence process that bases vendor selection on risk can speed up onboarding while reducing the chance of a major disruption or data breach.

The due diligence process usually involves a combination of contract review, vendor-completed assessments, and external intelligence gathering on the target company and their subcontractors. All of this is ultimately weighed against your organization’s level of risk tolerance.

Why Vendor Due Diligence Requirements Are Expanding

Recently, vendor due diligence to-do lists have been getting a lot longer for procurement, risk management, and security teams. Given COVID-19's impact on third-party operations – combined with other health, environmental and geopolitical challenges – many organizations are expanding their vendor due diligence efforts beyond simple IT security assessments. This includes gathering information related to manufacturing, business continuity, transportation, non-IT products, and other domain areas that comprise today’s complex supply chains.

Information security and data privacy requirements are also driving organizations to conduct additional due diligence on potential vendors. Regulations such as GDPR, HIPAA, and CCPA require organizations to ensure that personal data (PII, and PHI in the case of HIPAA) is adequately protected and not misused, and that obligation follows the data to the vendors that process it: GDPR expects a written contract with each processor, and HIPAA requires a business associate agreement, so due diligence should confirm that the vendor can actually meet those terms before you sign. A data breach can be devastating in this environment, particularly if financial information or protected company information is compromised. Building an effective vendor due diligence program can help reduce your organization's cyber risk while strengthening your business relationships.

Three Approaches to Vendor Due Diligence

Whether you’re formalizing a vendor due diligence program for the first time, or need to evolve your existing program, it’s important to take a step back and consider your overall strategy. At Prevalent, our customers typically take one or more of the following approaches to due diligence: In-house, Shared or Outsourced.

1. In-house Vendor Due Diligence: The DIY Approach

Many companies seek to internally manage vendor data collection and analysis. However, even if your organization is well-staffed and funded, DIY due diligence can be a burden if you use disparate, manual tools (e.g., spreadsheets) to manage the process. Bringing in an automated third-party risk management platform can help. Here are some capabilities you’ll want to look for:

  • Normalized risk intelligence from inside-out assessments and external risk monitoring
  • Configurable risk impact and likelihood scoring
  • Automated workflow and task management
  • Centralized document and evidence management
  • Customizable vendor communications
  • Configurable risk remediation guidance for vendors
  • Risk remediation management tracking and reporting

One key to success with an internal approach is making it as easy and painless as possible for vendors to respond to assessment questionnaires. The solution should include a vendor-facing portal for viewing survey completion status, threat intelligence reports, and suggested remediations, and it should maintain a complete audit trail so that assessments can be validated later.

Finally, you’ll want to be sure that the solution is able to automatically trigger workflow tasks based on assessment attributes, risk scores, and recommendations. For instance, triggers can initiate activities related to vendor profiling and tiering, risk correlation across assessment responses, and normalization of assessment and monitoring intelligence. This will make it much easier for you to focus more on risk management and spend less time worrying about content collection.

2. Shared Due Diligence: The Network Approach

As due diligence requirements expand to supply chain vendors and outsourced supply chain management providers, vendor management processes can be taxing on under-resourced teams. In my experience, an assessor can juggle around 150-200 concurrent assessments before they become overloaded. What happens when your board asks for supply chain risk data to inform decisions, and you have 15,000 vendors to assess?

Communicating with vendors and collecting risk data usually accounts for the largest share of time in the due diligence process. If all you have is spreadsheets and decoupled assessment and monitoring data to work with, your team is headed for burnout. Compounding this issue is the shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations.

Vendor risk intelligence networks can help when resource-constrained teams need to scale their programs. In this approach, network members and vendors pool their resources and share completed risk content to streamline risk analysis and mitigation. Networks offer on-demand access to existing risk scores and content backed by industry-standard questionnaires. They are well suited to SMBs that need benchmark data and to larger organizations that need a quick way to tier vendors and identify those requiring more in-depth assessment. One caveat: shared content reflects a vendor's answers at the time they were collected, so check the assessment date and scope before relying on it for a high-risk vendor.

Prevalent offers vendor risk intelligence networks of this kind.

Our customers typically find about 40% of their vendors in our networks. They also report an average time and cost savings of 44% when using a Prevalent vendor risk network vs. conducting assessments on their own with manual tools.

3. Outsourced Due Diligence: The Managed Services Approach

A popular option is to outsource third-party evidence collection and analysis to vendor risk assessment services. This approach frees your in-house team to focus on risk identification and remediation, rather than on chasing down assessment responses and verifying their accuracy.

This approach can deliver a faster time-to-value for risk reduction. It’s also a solid option for extremely resource-constrained teams – or those with limited internal skillsets. Here are a few of the ways your risk management program can leverage outsourced due diligence:

  • Questionnaire distribution and response collection
  • Documentation and evidence collection
  • Threat intelligence verification
  • Risk mitigation management
  • Virtual validation testing and reporting

Managed services have become increasingly popular as COVID-19 has restricted companies from performing onsite risk validation. While you can conduct virtual due diligence using in-house resources, an established managed service provider can deliver the expertise, process and resources necessary to supplement and scale your program.

Bonus: The Hybrid Approach to Vendor Due Diligence

Many Prevalent customers opt to take advantage of two – or all three – of the above approaches to accelerate and automate their third-party risk management programs. For instance, some customers tap into our networks for initial due diligence checks and then work with our services team to conduct assessments of vendors that aren’t yet in the network or that require more in-depth analysis.

Everything is managed in our centralized vendor risk management software, which in-house teams can use to conduct periodic follow-up assessments – either on their own or with the support of Prevalent services – while continually monitoring third parties for cyber, business and financial risk.

Procurement Risk Playbook: How to Win the Third-Party Game

As in many sports, third-party risk management requires a team effort. Our strategy paper, "The Procurement Risk Playbook: How to Win the Third-Party Game," lays out 5 critical plays for your team.


Vendor Due Diligence Checklist

Basic Company Information

Collecting basic business information for every vendor is critical. This information can help you determine whether the organization is in compliance with applicable local laws and regulations as well as help identify the potential for performance issues down the road. Any vendor worth working with will be happy to provide you with the following information:

  • Business certificate or license

  • Basic information about the CEO, other executives, and board members

  • Physical location(s), ideally confirmed with an onsite visit that also verifies physical security

  • References from multiple customers and independent sources

  • Incorporation documents (or similar corporate charter)

  • An overview of the company's corporate structure

Third-Party Cybersecurity Risks

Data breaches traced to third parties are becoming more frequent and are among the most costly kinds of security incidents to recover from. Third-party cyber risk is often assessed only after procurement, but there is a compelling case for including a cyber risk assessment in the due diligence phase, when you still have leverage over contract terms. Here is what to look for regarding third-party cybersecurity risk:

  • Data breach history, including how past incidents were disclosed and remediated

  • Compliance reports (such as a SOC 2 Type II report or an ISO/IEC 27001 certificate), checking that the scope covers the services you will use and that the report is current

  • Security awareness test results for end users

  • IT system or data-flow diagram showing where your data will be stored and processed, including any subcontractors that will handle it

  • Results of recent penetration tests, with evidence that findings were remediated

Operational Risk

As part of third-party due diligence, you need to determine whether the vendor is exposed to operational threats that could disrupt your business, for example a SaaS provider outage that interrupts your ability to deliver products and services. Here are some things to look for in an operational risk assessment:

  • Past litigation and settlements

  • Markers of a negative workplace culture, unfair work practices, bias and discrimination

  • Employee code of ethics

  • Disaster preparedness plan

  • Business continuity plan

  • Employee retention rates

Financial Information

Determining whether prospective third-party vendors are financially sound and up to date with their tax obligations is a critical step in the due diligence process. It is pointless to put in the time and effort to build a relationship with a vendor who will be bankrupt in a few months. Here are a few categories of financial information to consider for your due diligence surveys:

  • Compensation structure

  • List of major assets

  • Loans and other obligations

  • Balance sheets and income statements (audited where available)

  • Tax documents confirming that obligations are current

Political and Reputational Risk

Vendors who may have access to sensitive information or systems must be closely scrutinized. Corruption or political vulnerabilities could be dangerous for your business reputation. Any controversies they are involved in could easily result in bad press for your organization, especially in today's politically charged climate. Be sure to evaluate these reputational factors for each new vendor you onboard:

  • The business's name checked against key watch lists, global sanctions lists, and regulators' lists

  • Key executives and other important employees checked against PEP (politically exposed persons) and law enforcement lists

  • The vendor's own risk management processes and practices, including how it vets its subcontractors

  • Reports and enforcement actions from government agencies such as the Consumer Financial Protection Bureau

  • Company and employee litigation history

  • Negative news coverage (adverse media)

  • Negative feedback and complaints on review sites
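The watch-list and PEP checks above are where exact string matching fails in practice: the same entity appears as "ACME Widgets, Inc." on your vendor list and "Acme Widgets Limited" on a sanctions list. The following Python is an added example (not Prevalent's code and not part of the original post) of a simple screening routine that normalizes names, strips corporate suffixes and scores the remaining tokens with Jaccard similarity. Every list entry is constructed for illustration; the names, the `ENTITY_WATCHLIST` and `PEP_LIST` structures and the 0.6 threshold are assumptions, and a production program would load the real OFAC, EU/UN and PEP feeds and apply its screening provider's matching rules.

```python
"""Name screening against watch, sanctions and PEP lists.

Added example, not Prevalent code. Normalizes names, drops corporate
suffixes, and scores the remaining tokens with Jaccard similarity so that
punctuation, case and "Inc." vs "Limited" differences do not hide a match.
All list contents below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Corporate suffixes carry no identifying information and vary by
# jurisdiction, so they are stripped before comparison.
CORPORATE_SUFFIXES = {
    "inc", "incorporated", "ltd", "limited", "llc", "plc", "corp",
    "corporation", "co", "company", "gmbh", "ag", "sa", "bv", "pty",
}


@dataclass(frozen=True)
class WatchlistEntry:
    name: str
    source: str  # which list the entry came from


@dataclass(frozen=True)
class Hit:
    entry: WatchlistEntry
    score: float


# Constructed sample lists with hypothetical names. A real program would
# load OFAC SDN, the EU/UN consolidated lists and a PEP feed here.
ENTITY_WATCHLIST = [
    WatchlistEntry("Acme Widgets Limited", "sanctions list (constructed)"),
    WatchlistEntry("Globex Corporation", "regulator enforcement list (constructed)"),
    WatchlistEntry("Initech LLC", "sanctions list (constructed)"),
]
PEP_LIST = [
    WatchlistEntry("Jane Q. Doe", "PEP list (constructed)"),
]


def normalize(name: str) -> frozenset[str]:
    """Casefold, replace punctuation with spaces, drop corporate suffixes,
    and return the remaining tokens as a set."""
    cleaned = re.sub(r"[^\w\s]", " ", name.casefold())
    return frozenset(t for t in cleaned.split() if t not in CORPORATE_SUFFIXES)


def jaccard(a: frozenset[str], b: frozenset[str]) -> float:
    """Token-set similarity in [0, 1]; 0 when either side is empty, which
    also covers a name made only of suffixes such as "Co. Ltd"."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def screen(name: str, watchlist: list[WatchlistEntry], threshold: float = 0.6) -> list[Hit]:
    """Return watch-list entries whose similarity to `name` meets the
    threshold, best match first. An empty list is a clean screen at that
    threshold; the 0.6 default is an assumption to tune per list."""
    query = normalize(name)
    hits = []
    for entry in watchlist:
        score = jaccard(query, normalize(entry.name))
        if score >= threshold:
            hits.append(Hit(entry, score))
    return sorted(hits, key=lambda h: h.score, reverse=True)


if __name__ == "__main__":
    for candidate in ("ACME Widgets, Inc.", "Globex Holdings", "Initrode Systems"):
        hits = screen(candidate, ENTITY_WATCHLIST)
        print(candidate, "->",
              [(h.entry.name, round(h.score, 2), h.entry.source) for h in hits] or "no hit")
    # Middle initial on the PEP entry does not block the match (score 2/3).
    print("Jane Doe ->", [(h.entry.name, round(h.score, 2)) for h in screen("Jane Doe", PEP_LIST)])
```

Treat a hit as a lead for manual review rather than a verdict: the threshold trades false positives against missed matches, and PEP lists in particular usually need a stricter match plus a check of date of birth or nationality before an individual is flagged.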

Next Steps

Learn more about our approach in our best practices guide, or request a demo to see how Prevalent can take the pain out of your vendor risk management initiatives.


Brenda Ferraro brings several years of first-hand experience addressing the third-party risks associated with corporate vendors, services and data handling companies. In her quest to economize third-party risk, she organized a myriad of stakeholders and devised an approach to manage risk, receiving recognition from regulators and a multitude of Information Sharing and Analysis Centers (ISACs). In her role with Prevalent, Brenda works with corporations to build single-solution ecosystems that remove the complexities of Third-Party Risk Management by way of a common, simple and affordable platform, framework and governance methodology. Prior to joining Prevalent, Brenda led organizations through control standardization, incident response, process improvements, data-based reporting, and governance at companies including Aetna, Coventry, Arrowhead Healthcare Centers, PayPal/eBay, Charles Schwab, and Edwards Air Force Base. She holds certifications in vBSIMM, CTPRP, ITIL and CPM.
