Your third-party management footprint is exploding, and the term “business resilience” is echoing in Zoom meetings … but your vendor due diligence processes are still being ironed out. Rest assured that you’re not alone. In this post, we’ll introduce three approaches to get you on the right track.
Before working with a new vendor, supplier or other third party, you’ll want to conduct due diligence prior to onboarding. The due diligence process should not only assess a vendor’s financial and operational stability, but also gauge any potential risks they could introduce to your organization.
Third-party vendors pose numerous risks including information cybersecurity concerns, operational risk, supply chain disruptions, and compliance concerns. Having a thorough vendor due diligence process that enables vendor selection based on risk can dramatically speed up vendor onboarding while mitigating the chance of a major disruption or data breach.
The due diligence process usually involves a combination of contract review, vendor-completed assessments, and external intelligence gathering on the target company and their subcontractors. All of this is ultimately weighed against your organization’s level of risk tolerance.
Recently, vendor due diligence to-do lists have been getting a lot longer for procurement, risk management, and security teams. Given COVID-19's impact on third-party operations – combined with other health, environmental and geopolitical challenges – many organizations are expanding their vendor due diligence efforts beyond simple IT security assessments. This includes gathering information related to manufacturing, business continuity, transportation, non-IT products, and other domain areas that comprise today’s complex supply chains.
Information security and data privacy compliance requirements are also driving organizations to conduct additional due diligence on potential vendors. Regulations such as GDPR, HIPAA, and CCPA require organizations to ensure that PHI and PII are adequately protected and not misused. A data breach can be devastating in this environment, particularly if financial information or protected company information is compromised. Building an effective vendor due diligence program can help reduce your organization’s cyber risk while strengthening your business relationships.
Whether you’re formalizing a vendor due diligence program for the first time, or need to evolve your existing program, it’s important to take a step back and consider your overall strategy. At Prevalent, our customers typically take one or more of the following approaches to due diligence: In-house, Shared or Outsourced.
Many companies seek to internally manage vendor data collection and analysis. However, even if your organization is well-staffed and funded, DIY due diligence can be a burden if you use disparate, manual tools (e.g., spreadsheets) to manage the process. Bringing in an automated third-party risk management platform can help. Here are some capabilities you’ll want to look for:
One key to success with an internal approach is making it as easy and painless as possible for vendors to respond to assessment questionnaires. The solution should also include a vendor-facing portal for viewing survey completion status, threat intelligence reports, and suggested remediations. It should also maintain a complete audit trail for future assessment validation.
Finally, you’ll want to be sure that the solution is able to automatically trigger workflow tasks based on assessment attributes, risk scores, and recommendations. For instance, triggers can initiate activities related to vendor profiling and tiering, risk correlation across assessment responses, and normalization of assessment and monitoring intelligence. This will make it much easier for you to focus more on risk management and spend less time worrying about content collection.
As due diligence requirements expand to supply chain vendors and outsourced supply chain management providers, vendor management processes can be taxing on under-resourced teams. In my experience, an assessor can juggle around 150-200 concurrent assessments before they become overloaded. What happens when your board asks for supply chain risk data to inform decisions, and you have 15,000 vendors to assess?
Communicating with vendors and collecting risk data usually accounts for the largest share of time in the due diligence process. If all you have is spreadsheets and decoupled assessment and monitoring data to work with, then you are headed for a burn-out situation! Compounding this issue is the shifting regulatory landscape, which requires expertise to interpret compliance reporting obligations.
Vendor risk intelligence networks can help when resource-constrained teams need to scale their programs. In this approach, network members and vendors pool their resources and share completed risk content to streamline risk analysis and mitigation. They offer on-demand access to readily available risk scores and content backed by industry-standard questionnaires. They’re perfect for SMBs that need benchmark data or larger organizations that need a quick way to tier vendors and identify those requiring more in-depth assessments.
Prevalent offers the following vendor risk intelligence networks:
Our customers typically find about 40% of their vendors in our networks. They also report an average time and cost savings of 44% when using a Prevalent vendor risk network vs. conducting assessments on their own with manual tools.
A popular option is to outsource third-party evidence collection and analysis to vendor risk assessment services. This approach frees your in-house team to focus on risk identification and remediation, rather than on chasing down assessment responses and verifying their accuracy.
This approach can deliver a faster time-to-value for risk reduction. It’s also a solid option for extremely resource-constrained teams – or those with limited internal skillsets. Here are a few of the ways your risk management program can leverage outsourced due diligence:
Managed services have become increasingly popular as COVID-19 has restricted companies from performing onsite risk validation. While you can conduct virtual due diligence using in-house resources, an established managed service provider can deliver the expertise, process and resources necessary to supplement and scale your program.
Many Prevalent customers opt to take advantage of two – or all three – of the above approaches to accelerate and automate their third-party risk management programs. For instance, some customers tap into our networks for initial due diligence checks and then work with our services team to conduct assessments of vendors that aren’t yet in the network or that require more in-depth analysis.
Everything is managed in our centralized vendor risk management software, which in-house teams can use to conduct periodic follow-up assessments – either on their own or with the support of Prevalent services – while continually monitoring third parties for cyber, business and financial risk.
Procurement Risk Playbook: How to Win the Third-Party Game
As in many sports, third-party risk management requires a team effort. Our strategy paper, "The Procurement Risk Playbook: How to Win the Third-Party Game," lays out 5 critical plays for your team.
Collecting basic business information for every vendor is critical. This information can help you determine whether the organization is in compliance with applicable local laws and regulations as well as help identify the potential for performance issues down the road. Any vendor worth working with will be happy to provide you with the following information:
Business certificate or license
Basic information about the CEO, other executives, and board members
Location (confirming security with an onsite visit)
Character references from multiple companies and sources of information
Incorporation documents (or similar corporate charter)
An overview of the company's corporate structure
Data breaches traced to third parties are becoming more frequent, and they are among the most costly forms of cyberattacks. While determining third-party cyber risk is often left until after procurement, there is a compelling case for including a third-party cyber risk assessment in the due diligence phase. Here is what to look for regarding third-party cybersecurity risk:
Data breach history
Compliance reports (such as SOC 2 and ISO)
Security awareness test results for end users
IT system diagram
Results of penetration tests
As part of the third-party due diligence process, you need to determine whether the vendor you are evaluating is vulnerable to operational threats that could damage the business. These threats include things like a SaaS provider outage that could disrupt your company's ability to deliver its products and services. Here are some things to look for in an operational risk assessment:
Past litigation and settlements
Markers of a negative workplace culture, unfair work practices, bias and discrimination
Employee code of ethics
Disaster preparedness plan
Business continuity plan
Employee retention rates
Determining whether prospective third-party vendors are financially sound and up to date with their tax obligations is a critical step in the due diligence process. It is pointless to put in the time and effort to build a relationship with a vendor who will be bankrupt in a few months. Here are a few categories of financial information to consider for your due diligence surveys:
List of major assets
Loans and other obligations
Balance sheets and other accounting statements
Important tax documents
Vendors who may have access to sensitive information or systems must be closely scrutinized. Corruption or political vulnerabilities could be dangerous for your business reputation. Any controversies they are involved in could easily result in bad press for your organization, especially in today's politically charged climate. Be sure to evaluate these reputational factors for each new vendor you onboard:
Check the business’s name against key watch lists, global sanctions lists, and regulators' lists
Check key employees against politically exposed persons (PEP) and law enforcement lists
External processes and practices relating to risk
Reports from government departments such as the Consumer Financial Protection Bureau
Company and employee litigation history
Negative news coverage
Negative feedback and complaints on review sites
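To make the checklists above concrete, here is an added example (not Prevalent's software or methodology) showing how assessment attributes from the cyber, operational, financial and reputational categories can be normalized, scored, tiered, and turned into triggered workflow tasks, as the in-house and shared approaches describe. The watch list and PEP entries, vendor names, weights and tier thresholds are all constructed assumptions for illustration; a real screen would use licensed sanctions data and fuzzy name matching rather than exact matches.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample screening lists for this example only (hypothetical names,
# not real sanctions or PEP data).
SANCTIONS_LIST = ["ACME Trading, Inc.", "Globex Corporation"]
PEP_LIST = ["Jane Q. Example"]

# Common corporate suffixes stripped before comparison, so that variants such as
# "ACME Trading, Inc." and "acme trading LTD" screen as the same entity.
CORPORATE_SUFFIXES = {"inc", "incorporated", "ltd", "limited", "llc", "corp",
                      "corporation", "co", "company", "gmbh", "plc", "sa"}


def normalize_name(name: str) -> str:
    """Lowercase, keep only alphanumeric tokens, and drop corporate suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in CORPORATE_SUFFIXES)


def on_list(name: str, watch_list: List[str]) -> bool:
    """Exact match after normalization (assumption: production screens add fuzzy matching)."""
    target = normalize_name(name)
    return any(normalize_name(entry) == target for entry in watch_list)


@dataclass
class VendorAssessment:
    name: str
    key_people: List[str]          # executives and board members to screen
    handles_pii: bool              # in scope for GDPR/HIPAA/CCPA-style obligations
    breaches_last_3_years: int     # data breach history
    has_soc2_report: bool          # compliance reports
    has_pentest_results: bool      # results of penetration tests
    has_continuity_plan: bool      # business continuity plan
    in_litigation: bool            # litigation history


def score_vendor(a: VendorAssessment) -> Tuple[int, List[str]]:
    """Weighted risk score 0-100 (higher = riskier) plus the findings behind it.
    Weights are illustrative assumptions, not an industry standard."""
    score, findings = 0, []
    if on_list(a.name, SANCTIONS_LIST):
        findings.append("entity matches sanctions/watch list"); score += 100
    for person in a.key_people:
        if on_list(person, PEP_LIST):
            findings.append(f"{person} is a politically exposed person"); score += 30
    if a.breaches_last_3_years:
        findings.append(f"{a.breaches_last_3_years} breach(es) in last 3 years")
        score += 20 * a.breaches_last_3_years
    if not a.has_soc2_report:
        findings.append("no SOC 2 or equivalent compliance report"); score += 15
    if not a.has_pentest_results:
        findings.append("no recent penetration test results"); score += 10
    if not a.has_continuity_plan:
        findings.append("no business continuity plan"); score += 10
    if a.in_litigation:
        findings.append("active litigation"); score += 10
    return min(score, 100), findings


def tier_vendor(score: int, handles_pii: bool) -> int:
    """Tier 1 is highest risk. Vendors handling PII are promoted one tier because a
    breach there carries regulatory exposure on top of operational impact."""
    tier = 1 if score >= 50 else 2 if score >= 25 else 3
    if handles_pii and tier > 1:
        tier -= 1
    return tier


def workflow_tasks(a: VendorAssessment) -> List[str]:
    """Turn score, tier and findings into concrete follow-up tasks (the 'triggers')."""
    score, findings = score_vendor(a)
    tier = tier_vendor(score, a.handles_pii)
    tasks = [f"tier={tier} score={score}"]
    if any("sanctions" in f for f in findings):
        tasks.append("HOLD onboarding pending compliance review")
    if any("politically exposed" in f for f in findings):
        tasks.append("escalate to compliance for enhanced due diligence")
    if tier == 1:
        tasks.append("schedule in-depth assessment and onsite/virtual validation")
    elif tier == 2:
        tasks.append("request remediation plan for open findings")
    else:
        tasks.append("approve with annual reassessment")
    for f in findings:               # every missing artifact becomes an evidence request
        if f.startswith("no "):
            tasks.append("request evidence: " + f[3:])
    return tasks


# Constructed sample vendor responses (hypothetical companies and people).
SAMPLE_VENDORS = [
    VendorAssessment("Acme Trading Ltd", ["Pat Example"], True, 0, True, True, True, False),
    VendorAssessment("Northwind Cloud Services", ["Jane Q. Example"], True, 1, False, True, True, False),
    VendorAssessment("Contoso Print Shop", ["Sam Example"], False, 0, False, False, True, False),
]

if __name__ == "__main__":
    for vendor in SAMPLE_VENDORS:
        print(vendor.name, "->", "; ".join(workflow_tasks(vendor)))
```

Running the block shows the first vendor held before any questionnaire is sent (a watch-list hit on a name variant), the second escalated as Tier 1 with evidence requests, and the third placed in Tier 2 with remediation follow-up, which is the kind of early triage that lets an assessor spend time on the vendors that need in-depth review.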